Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 12, 2021, 6:08 p.m.	March 12, 2021, 6:10 p.m.

Size	256.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`8ca675896f6c9ad9fe8deb1cc63bf8f5`
SHA256	`abf61356eb007bc0eb51c4208af46dd2ed3d8d94c10dffa7ff5a5c0a4a802a74`
CRC32	`283922A1`
ssdeep	`3072:qDKW1LgppLRHMY0TBfJvjcTp5X8XwYIaZW:qDKW1Lgbdl0TBBvjc/JaZ`
PDB Path
Yara	PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero UltraVNC_Zero - UltraVNC win_files_operation - Affect private profile IsPE32 - (no description) IsWindowsGUI - (no description) HasOverlay - Overlay Check HasDebugData - DebugData Check HasRichSignature - Rich Signature Check

1370132254.exe "C:\Users\test22\AppData\Local\Temp\1370132254.exe"
1468
- 2041131341.exe "C:\Users\test22\AppData\Local\Temp\2041131341.exe"
  1536
- 1090905469.exe "C:\Users\test22\AppData\Local\Temp\1090905469.exe"
  2696
  - RegAsm.exe "C:\Users\test22\AppData\Local\Temp\RegAsm.exe"
    1204

Name	Response	Post-Analysis Lookup
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	172.67.75.172
0cl.sldov.ru	A 81.177.139.41	81.177.139.41
sldov.ru	A 81.177.139.41	81.177.139.41
www.google.com	A 172.217.174.196	172.217.31.164
5uxm.itdenther.ru	A 81.177.139.41	81.177.139.41
g.itdenther.ru	A 81.177.139.41	81.177.139.41

IP Address	Status	Action
104.26.12.31	Active	Moloch
13.107.21.200	Active	Moloch
164.124.101.2	Active	Moloch
172.217.174.196	Active	Moloch
62.109.7.229	Active	Moloch
81.177.139.41	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49201 -> 81.177.139.41:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49205 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49206 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49207 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49198 -> 81.177.139.41:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49208 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49204 -> 81.177.139.41:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49209 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49210 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49211 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49212 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49213 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49214 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49216 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49217 -> 172.217.174.196:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49219 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49218 -> 13.107.21.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49223 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49222 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49225 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49231 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49238 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49243 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49248 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49236 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49247 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49249 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49239 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49250 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49240 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49254 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49224 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49251 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49256 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49229 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49266 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49263 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49230 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49261 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49271 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49267 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49232 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49262 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49274 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49221 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49233 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49227 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49288 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49275 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49242 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49289 -> 104.26.12.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49277 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49235 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49245 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49284 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49291 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49241 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49252 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49255 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49244 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49264 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49253 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49265 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49259 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49283 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49272 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49292 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49278 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49297 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49279 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49280 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49300 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49285 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49287 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49301 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49305 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49293 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49307 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49314 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49273 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49298 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49309 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49312 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49281 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49303 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49318 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49282 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49308 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49315 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49313 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49290 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49319 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49299 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49325 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49326 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49328 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49331 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49332 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49336 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49335 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49337 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49340 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49338 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49341 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49348 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49349 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49351 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49342 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49346 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49347 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49350 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49353 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49355 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49356 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49363 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49357 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49365 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49358 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49381 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49362 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49366 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49369 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49367 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49380 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49368 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49382 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49226 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49383 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49370 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49228 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49371 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49237 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49376 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49268 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49269 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49276 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49286 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49316 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49317 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49320 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49323 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49324 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49327 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49329 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49333 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49344 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49345 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49352 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49364 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49373 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49374 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49377 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49359 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49372 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49375 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49378 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49385 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49386 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49302 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49304 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49306 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49310 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49311 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49321 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49322 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49330 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49334 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49339 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49343 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49354 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49360 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49379 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49384 -> 81.177.139.41:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 62.109.7.229:80 -> 192.168.56.101:49270	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49201 81.177.139.41:443	C=US, O=Let's Encrypt, CN=R3	CN=*.0cl.sldov.ru	a4:45:55:6f:42:8d:22:1c:95:2c:0f:19:36:28:7b:b3:fb:07:ba:d4
TLS 1.2 192.168.56.101:49205 81.177.139.41:443	C=US, O=Let's Encrypt, CN=R3	CN=*.5uxm.itdenther.ru	0a:71:4c:d5:3a:6b:f3:90:84:48:b0:a4:09:7a:eb:7a:49:17:7b:38
TLS 1.2 192.168.56.101:49206 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49207 81.177.139.41:443	None	None	None
TLSv1 192.168.56.101:49198 81.177.139.41:443	C=US, O=Let's Encrypt, CN=R3	CN=*.g.itdenther.ru	e0:03:f4:5f:62:5a:b4:27:17:a1:54:19:2a:ce:11:3d:ec:9f:ab:e4
TLS 1.2 192.168.56.101:49208 81.177.139.41:443	None	None	None
TLSv1 192.168.56.101:49204 81.177.139.41:443	C=US, O=Let's Encrypt, CN=R3	CN=*.sldov.ru	29:68:75:c1:12:97:b2:27:ca:27:78:e9:ee:c1:dc:02:8e:ad:e8:88
TLS 1.2 192.168.56.101:49209 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49210 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49211 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49212 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49213 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49214 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49216 81.177.139.41:443	None	None	None
TLSv1 192.168.56.101:49217 172.217.174.196:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=www.google.com	56:01:51:6c:14:6e:78:0a:50:0d:ac:79:e4:b0:98:b2:b9:97:6c:58
TLS 1.2 192.168.56.101:49219 81.177.139.41:443	None	None	None
TLSv1 192.168.56.101:49218 13.107.21.200:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	CN=www.bing.com	dc:c1:ac:40:22:1b:57:e3:9b:c9:2e:d2:eb:9b:a4:53:07:7f:62:f4
TLS 1.2 192.168.56.101:49223 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49222 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49225 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49231 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49238 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49243 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49248 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49236 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49247 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49249 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49239 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49250 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49240 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49254 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49224 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49251 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49256 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49229 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49266 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49263 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49230 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49261 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49271 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49267 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49232 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49262 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49274 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49221 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49233 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49227 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49275 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49242 81.177.139.41:443	None	None	None
TLSv1 192.168.56.101:49289 104.26.12.31:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	5e:7d:19:2d:d7:66:0c:63:45:a5:24:8f:b7:db:35:a7:61:6d:89:0e
TLS 1.2 192.168.56.101:49288 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49277 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49235 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49245 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49284 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49291 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49241 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49252 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49255 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49244 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49264 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49253 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49265 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49259 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49283 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49272 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49292 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49278 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49297 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49279 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49280 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49300 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49285 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49287 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49301 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49305 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49293 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49307 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49314 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49273 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49298 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49312 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49281 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49303 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49318 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49309 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49282 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49308 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49315 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49313 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49290 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49319 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49325 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49326 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49328 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49331 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49332 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49336 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49335 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49337 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49340 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49338 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49341 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49349 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49351 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49342 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49346 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49347 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49299 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49350 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49353 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49355 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49356 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49363 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49357 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49348 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49365 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49358 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49381 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49362 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49366 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49369 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49367 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49380 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49368 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49382 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49226 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49383 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49370 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49228 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49371 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49237 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49376 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49268 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49269 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49276 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49286 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49316 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49317 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49320 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49323 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49324 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49327 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49329 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49333 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49344 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49345 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49352 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49364 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49373 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49374 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49377 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49359 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49372 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49375 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49378 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49385 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49302 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49304 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49306 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49310 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49311 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49321 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49322 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49330 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49334 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49339 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49343 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49354 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49360 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49379 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49384 81.177.139.41:443	None	None	None
TLS 1.2 192.168.56.101:49386 81.177.139.41:443	None	None	None

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 12, 2021, 6:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2021, 6:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2021, 6:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2021, 6:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2021, 6:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2021, 6:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2021, 6:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2021, 6:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2021, 6:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2021, 6:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2021, 6:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2021, 6:09 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (8 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 12, 2021, 6:08 p.m.			0	0
IsDebuggerPresent March 12, 2021, 6:08 p.m.			0	0
IsDebuggerPresent March 12, 2021, 6:08 p.m.			0	0
IsDebuggerPresent March 12, 2021, 6:08 p.m.			0	0
IsDebuggerPresent March 12, 2021, 6:08 p.m.			0	0
IsDebuggerPresent March 12, 2021, 6:08 p.m.			0	0
IsDebuggerPresent March 12, 2021, 6:08 p.m.			0	0
IsDebuggerPresent March 12, 2021, 6:08 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (20 events)

Time & API	Arguments	Status	Return
CryptExportKey March 12, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e6510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e6510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e6550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e6550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e6590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e6510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e6510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00806b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00806b98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00806b98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00806c58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00806c58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00806e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008852d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008852d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00885110 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 12, 2021, 6:08 p.m.		1	1	0

One or more processes crashed (36 events)

Time & API	Arguments	Status
__exception__ March 12, 2021, 6:08 p.m.	stacktrace: 1370132254+0x1fa2 @ 0x401fa2 exception.instruction_r: f3 aa 8b 45 f0 8b 4d 08 8b 55 10 03 c8 2b d0 52 exception.symbol: 1370132254+0xf088 exception.instruction: stosb byte ptr es:[edi], al exception.module: 1370132254.exe exception.exception_code: 0xc0000005 exception.offset: 61576 exception.address: 0x40f088 registers.esp: 1636996 registers.edi: 4350244 registers.eax: 0 registers.ebp: 1637012 registers.edx: 0 registers.ebx: 0 registers.esi: 31075664 registers.ecx: 12	1
__exception__ March 12, 2021, 6:08 p.m.	stacktrace: 1370132254+0xf054 @ 0x40f054 1370132254+0xf0a0 @ 0x40f0a0 1370132254+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 1370132254+0xefff exception.address: 0x40efff exception.module: 1370132254.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4353968 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 31075664 registers.ecx: 105	1
__exception__ March 12, 2021, 6:08 p.m.	stacktrace: 1370132254+0xf054 @ 0x40f054 1370132254+0xf0a0 @ 0x40f0a0 1370132254+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 1370132254+0xefff exception.address: 0x40efff exception.module: 1370132254.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4358064 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 31075664 registers.ecx: 73	1
__exception__ March 12, 2021, 6:08 p.m.	stacktrace: 1370132254+0xf054 @ 0x40f054 1370132254+0xf0a0 @ 0x40f0a0 1370132254+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 1370132254+0xefff exception.address: 0x40efff exception.module: 1370132254.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4362160 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 31075664 registers.ecx: 41	1
__exception__ March 12, 2021, 6:08 p.m.	stacktrace: 1370132254+0xf054 @ 0x40f054 1370132254+0xf0a0 @ 0x40f0a0 1370132254+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 1370132254+0xefff exception.address: 0x40efff exception.module: 1370132254.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4366256 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 31075664 registers.ecx: 9	1
__exception__ March 12, 2021, 6:08 p.m.	stacktrace: 2041131341+0x1fa2 @ 0x401fa2 exception.instruction_r: f3 aa 8b 45 f0 8b 4d 08 8b 55 10 03 c8 2b d0 52 exception.symbol: 2041131341+0xf088 exception.instruction: stosb byte ptr es:[edi], al exception.module: 2041131341.exe exception.exception_code: 0xc0000005 exception.offset: 61576 exception.address: 0x40f088 registers.esp: 1636996 registers.edi: 4350244 registers.eax: 0 registers.ebp: 1637012 registers.edx: 0 registers.ebx: 0 registers.esi: 30485840 registers.ecx: 12	1
__exception__ March 12, 2021, 6:08 p.m.	stacktrace: 2041131341+0xf054 @ 0x40f054 2041131341+0xf0a0 @ 0x40f0a0 2041131341+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 2041131341+0xefff exception.address: 0x40efff exception.module: 2041131341.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4353968 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 111 registers.ebx: 0 registers.esi: 30485840 registers.ecx: 148	1
__exception__ March 12, 2021, 6:08 p.m.	stacktrace: 2041131341+0xf054 @ 0x40f054 2041131341+0xf0a0 @ 0x40f0a0 2041131341+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 2041131341+0xefff exception.address: 0x40efff exception.module: 2041131341.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4358064 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 111 registers.ebx: 0 registers.esi: 30485840 registers.ecx: 116	1
__exception__ March 12, 2021, 6:08 p.m.	stacktrace: 2041131341+0xf054 @ 0x40f054 2041131341+0xf0a0 @ 0x40f0a0 2041131341+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 2041131341+0xefff exception.address: 0x40efff exception.module: 2041131341.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4362160 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 111 registers.ebx: 0 registers.esi: 30485840 registers.ecx: 84	1
__exception__ March 12, 2021, 6:08 p.m.	stacktrace: 2041131341+0xf054 @ 0x40f054 2041131341+0xf0a0 @ 0x40f0a0 2041131341+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 2041131341+0xefff exception.address: 0x40efff exception.module: 2041131341.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4366256 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 111 registers.ebx: 0 registers.esi: 30485840 registers.ecx: 52	1
__exception__ March 12, 2021, 6:08 p.m.	stacktrace: 2041131341+0xf054 @ 0x40f054 2041131341+0xf0a0 @ 0x40f0a0 2041131341+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 2041131341+0xefff exception.address: 0x40efff exception.module: 2041131341.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4370352 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 111 registers.ebx: 0 registers.esi: 30485840 registers.ecx: 20	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x565bc2 0x561c72 0x5612d9 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x565c51 registers.esp: 3338684 registers.edi: 45437132 registers.eax: 0 registers.ebp: 3338708 registers.edx: 8216368 registers.ebx: 45436988 registers.esi: 45458172 registers.ecx: 0	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x56bfe5 0x56bf29 0x56b98b 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338168 registers.edi: 46027500 registers.eax: 0 registers.ebp: 3338204 registers.edx: 91833592 registers.ebx: 46025640 registers.esi: 46031272 registers.ecx: 91834264	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x56bfe5 0x56bf29 0x56b98b 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338168 registers.edi: 46999072 registers.eax: 0 registers.ebp: 3338204 registers.edx: 91833592 registers.ebx: 46997248 registers.esi: 47002824 registers.ecx: 91834264	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x56bfe5 0x56bf29 0x56b98b 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338168 registers.edi: 47956848 registers.eax: 0 registers.ebp: 3338204 registers.edx: 91833592 registers.ebx: 47955024 registers.esi: 44565436 registers.ecx: 91834264	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x5391f36 0x5391e89 0x56ba0d 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338152 registers.edi: 45043288 registers.eax: 0 registers.ebp: 3338188 registers.edx: 91833592 registers.ebx: 45041476 registers.esi: 45047040 registers.ecx: 91834264	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x5391f36 0x5391e89 0x56ba0d 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338152 registers.edi: 46011224 registers.eax: 0 registers.ebp: 3338188 registers.edx: 91833592 registers.ebx: 46009428 registers.esi: 44554908 registers.ecx: 91834264	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x5391f36 0x5391e89 0x56ba0d 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338152 registers.edi: 45042092 registers.eax: 0 registers.ebp: 3338188 registers.edx: 91833592 registers.ebx: 45040296 registers.esi: 45045844 registers.ecx: 91834264	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x539245d 0x53923a9 0x56ba8f 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338164 registers.edi: 46010104 registers.eax: 0 registers.ebp: 3338200 registers.edx: 91833592 registers.ebx: 46008296 registers.esi: 46013856 registers.ecx: 91834264	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x539245d 0x53923a9 0x56ba8f 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338164 registers.edi: 47050824 registers.eax: 0 registers.ebp: 3338200 registers.edx: 91833592 registers.ebx: 47049016 registers.esi: 47054576 registers.ecx: 91834264	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x539245d 0x53923a9 0x56ba8f 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338164 registers.edi: 48091544 registers.eax: 0 registers.ebp: 3338200 registers.edx: 91833592 registers.ebx: 48089736 registers.esi: 48095296 registers.ecx: 91834264	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x53927a7 0x53926f9 0x56bb11 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338164 registers.edi: 49132368 registers.eax: 0 registers.ebp: 3338200 registers.edx: 91833592 registers.ebx: 49130544 registers.esi: 44452196 registers.ecx: 91834264	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x53927a7 0x53926f9 0x56bb11 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338164 registers.edi: 45116224 registers.eax: 0 registers.ebp: 3338200 registers.edx: 91833592 registers.ebx: 45114416 registers.esi: 45119976 registers.ecx: 91834264	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x53927a7 0x53926f9 0x56bb11 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338164 registers.edi: 46159100 registers.eax: 0 registers.ebp: 3338200 registers.edx: 91833592 registers.ebx: 46157292 registers.esi: 46162852 registers.ecx: 91834264	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x56bfe5 0x56bf29 0x56b98b 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338168 registers.edi: 47206548 registers.eax: 0 registers.ebp: 3338204 registers.edx: 91833592 registers.ebx: 47204724 registers.esi: 47210300 registers.ecx: 91834264	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x56bfe5 0x56bf29 0x56b98b 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338168 registers.edi: 48164036 registers.eax: 0 registers.ebp: 3338204 registers.edx: 91833592 registers.ebx: 48162212 registers.esi: 48167788 registers.ecx: 91834264	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x56bfe5 0x56bf29 0x56b98b 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338168 registers.edi: 49121524 registers.eax: 0 registers.ebp: 3338204 registers.edx: 91833592 registers.ebx: 49119700 registers.esi: 44554744 registers.ecx: 91834264	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x5391f36 0x5391e89 0x56ba0d 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338152 registers.edi: 45057996 registers.eax: 0 registers.ebp: 3338188 registers.edx: 91833592 registers.ebx: 45056200 registers.esi: 45061748 registers.ecx: 91834264	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x5391f36 0x5391e89 0x56ba0d 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338152 registers.edi: 46025932 registers.eax: 0 registers.ebp: 3338188 registers.edx: 91833592 registers.ebx: 46024136 registers.esi: 46029684 registers.ecx: 91834264	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x5391f36 0x5391e89 0x56ba0d 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338152 registers.edi: 46993868 registers.eax: 0 registers.ebp: 3338188 registers.edx: 91833592 registers.ebx: 46992072 registers.esi: 46997620 registers.ecx: 91834264	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x539245d 0x53923a9 0x56ba8f 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338164 registers.edi: 47961848 registers.eax: 0 registers.ebp: 3338200 registers.edx: 91833592 registers.ebx: 47960040 registers.esi: 47965600 registers.ecx: 91834264	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x539245d 0x53923a9 0x56ba8f 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338164 registers.edi: 49002568 registers.eax: 0 registers.ebp: 3338200 registers.edx: 91833592 registers.ebx: 49000760 registers.esi: 44610884 registers.ecx: 91834264	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x539245d 0x53923a9 0x56ba8f 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338164 registers.edi: 45346248 registers.eax: 0 registers.ebp: 3338200 registers.edx: 91833592 registers.ebx: 45344440 registers.esi: 45350000 registers.ecx: 91834264	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x53927a7 0x53926f9 0x56bb11 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338164 registers.edi: 46387000 registers.eax: 0 registers.ebp: 3338200 registers.edx: 91833592 registers.ebx: 46385192 registers.esi: 46390752 registers.ecx: 91834264	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x53927a7 0x53926f9 0x56bb11 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338164 registers.edi: 47429876 registers.eax: 0 registers.ebp: 3338200 registers.edx: 91833592 registers.ebx: 47428068 registers.esi: 47433628 registers.ecx: 91834264	1
__exception__ March 12, 2021, 6:09 p.m.	stacktrace: 0x53927a7 0x53926f9 0x56bb11 0x566954 0x5612e3 0x561188 0x5601b3 0x560138 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 dc 0f b6 45 e0 85 c0 74 15 8b ce exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56c223 registers.esp: 3338164 registers.edi: 48472752 registers.eax: 0 registers.ebp: 3338200 registers.edx: 91833592 registers.ebx: 48470944 registers.esi: 48476504 registers.ecx: 91834264	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (8 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://62.109.7.229/
suspicious_features	GET method with no useragent header	suspicious_request	GET https://g.itdenther.ru/1986383539.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://0cl.sldov.ru/2041131341.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://sldov.ru/1090905469.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://5uxm.itdenther.ru/SystemNetConfigurationConnectionManagementSectionInternalF
suspicious_features	GET method with no useragent header	suspicious_request	GET https://www.google.com/
suspicious_features	GET method with no useragent header	suspicious_request	GET https://www.bing.com/
suspicious_features	GET method with no useragent header	suspicious_request	GET https://api.ip.sb/geoip

Performs some HTTP requests (8 events)

request	POST http://62.109.7.229/
request	GET https://g.itdenther.ru/1986383539.exe
request	GET https://0cl.sldov.ru/2041131341.exe
request	GET https://sldov.ru/1090905469.exe
request	GET https://5uxm.itdenther.ru/SystemNetConfigurationConnectionManagementSectionInternalF
request	GET https://www.google.com/
request	GET https://www.bing.com/
request	GET https://api.ip.sb/geoip

Sends data using the HTTP POST Method (1 event)

request

POST http://62.109.7.229/

Resolves a suspicious Top Level Domain (TLD) (3 events)

domain	sldov.ru	description	Russian Federation domain TLD
domain	0cl.sldov.ru	description	Russian Federation domain TLD
domain	g.itdenther.ru	description	Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 300 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02030000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02200000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00722000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0073c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00757000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00755000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00746000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0074a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00747000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0074b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0073a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02070000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02220000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fe0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01cb2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02221000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02222000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01cba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01cbc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02223000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ccc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02224000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ceb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ce7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ce5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01cda000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01cd7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01cd6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04851000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01cca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (9 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Nichrome\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\2041131341.exe
file	C:\Users\test22\AppData\Local\Temp\1090905469.exe

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\2041131341.exe
file	C:\Users\test22\AppData\Local\Temp\1090905469.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\2041131341.exe
file	C:\Users\test22\AppData\Local\Temp\1090905469.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 12, 2021, 6:08 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00004a00', u'virtual_address': u'0x00026000', u'entropy': 7.914504797068791, u'name': u'.rsrc', u'virtual_size': u'0x000048bc'}

entropy

7.91450479707

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 12, 2021, 6:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW March 12, 2021, 6:09 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (50 out of 617 events)

url	http://www.expedia.com/favicon.ico
url	http://uk.ask.com/favicon.ico
url	http://www.priceminister.com/
url	http://crl.identrust.com/DSTROOTCAX3CRL.crl0
url	http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
url	http://www.iask.com/favicon.ico
url	http://www.merlin.com.pl/favicon.ico
url	http://www.cnet.com/favicon.ico
url	https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
url	http://schemas.xmlsoap.org/ws/2004/09/transfer/GetResponseT
url	http://search.nifty.com/
url	http://ns.adobe.com/exif/1.0/
url	http://www.etmall.com.tw/
url	http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal
url	http://search.goo.ne.jp/
url	http://fr.wikipedia.org/favicon.ico
url	http://busca.estadao.com.br/favicon.ico
url	http://search.hanafos.com/favicon.ico
url	http://search.chol.com/favicon.ico
url	http://amazon.fr/
url	http://download.microsoft.com
url	http://www.amazon.co.jp/
url	http://www.mtv.com/favicon.ico
url	http://busqueda.aol.com.mx/
url	http://search.live.com/results.aspx?FORM=SOLTDF
url	http://msdn.microsoft.com/
url	http://www.sogou.com/favicon.ico
url	http://www.sify.com/favicon.ico
url	http://yellowpages.superpages.com/
url	http://suche.freenet.de/
url	http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson
url	http://search.aol.com/
url	http://browse.guardian.co.uk/
url	http://www.mercadolibre.com.mx/
url	http://www.auction.co.kr/auction.ico
url	http://www.facebook.com/
url	http://si.wikipedia.org/favicon.ico
url	http://tempuri.org/IConnectionRegister/ValidateUriRouteResponse
url	http://ocsp.digicert.com0
url	http://www.rtl.de/favicon.ico
url	https://www.google.com/favicon.ico
url	http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinal
url	http://search.msn.com/results.aspx?q=
url	http://www.microsoft.com/pki/certs/MicrosoftWinPCA.crt0
url	http://search.naver.com/favicon.ico
url	https://www.verisign.com/repository/verisignlogo.gif0D
url	http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/RenewT
url	http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/IssueT
url	http://isrg.trustid.ocsp.identrust.com0
url	http://en.wikipedia.org/favicon.ico

Yara rule detected in process memory (50 out of 142 events)

description	Listen for incoming communication	rule	network_tcp_listen
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Detection of Virtual Appliances through the use of WMI for use of evasion.	rule	WMI_VM_Detect
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications smtp	rule	network_smtp_dotNet
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Communication using dga	rule	network_dga
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	(no description)	rule	ldpreload
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Detection of Virtual Appliances through the use of WMI for use of evasion.	rule	WMI_VM_Detect
description	Checks if being debugged	rule	anti_dbg
description	Following Rule is referenced from AlienVault's Yara rule repository.This rule contains additional processes and driver names.	rule	vmdetect_misc
description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Hijack network configuration	rule	hijack_network
description	Create a windows service	rule	create_service
description	Create a COM server	rule	create_com_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over Toredo network	rule	network_toredo
description	Communications smtp	rule	network_smtp_dotNet
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Communication using dga	rule	network_dga
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: AddressBook base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: Connection Manager base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: DirectDrawEx base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: EditPlus base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: ENTERPRISE base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: Fontcore base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: Google Chrome base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: IE40 base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: IE4Data base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: IE5BAKEX base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: IEData base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: MobileOptionPack base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: SchedulingAgent base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: WIC base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW March 12, 2021, 6:09 p.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x00000714 key_handle: 0x0000071c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: cccdea23cb6761b731b783ddb4d48b113970e001
buffer	Buffer with sha1: d641434b2a0519eecd8c7908540cb54a0e3ba379

Communicates with host for which no DNS query was performed (2 events)

host	13.107.21.200
host	62.109.7.229

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1204 region_size: 155648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000250	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation March 12, 2021, 6:08 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

1090905469.exe tried to sleep 8184553 seconds, actually delayed analysis time by 8184553 seconds

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProuct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory March 12, 2021, 6:08 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL®¸à0äªá @ `@XáO ø@<á H.textâ ä `.rsrcø è@@.reloc@ð@B base_address: 0x00400000 process_identifier: 1204 process_handle: 0x00000250	1	1
WriteProcessMemory March 12, 2021, 6:08 p.m.	buffer: P8hø hh4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ÈStringFileInfo¤000004b0, CommentsCSGO Tool8CompanyNameVoteban IncHFileDescriptionVoteban Manager0FileVersion1.2.3.1: InternalNameExiguity.exe> LegalCopyrightVAC Inc 2020@LegalTrademarksVoteban IncB OriginalFilenameExiguity.exe>ProductNameVoteban Client4ProductVersion1.2.3.1< Assembly Version2.51.14.3$êï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00422000 process_identifier: 1204 process_handle: 0x00000250	1	1
WriteProcessMemory March 12, 2021, 6:08 p.m.	buffer: à¬1 base_address: 0x00424000 process_identifier: 1204 process_handle: 0x00000250	1	1
WriteProcessMemory March 12, 2021, 6:08 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1204 process_handle: 0x00000250	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 12, 2021, 6:08 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL®¸à0äªá @ `@XáO ø@<á H.textâ ä `.rsrcø è@@.reloc@ð@B base_address: 0x00400000 process_identifier: 1204 process_handle: 0x00000250	1	1	0

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW March 12, 2021, 6:09 p.m.	key_handle: 0x0000071c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2696 called NtSetContextThread to modify thread in remote process 1204
NtSetContextThread March 12, 2021, 6:08 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4317610 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000024c process_identifier: 1204	1	0	0

Creates a slightly modified copy of itself (1 event)

description

Possibly a polymorphic version of itself

file

{u'size': 262144, u'yara': [{u'strings': [u'TVo='], u'meta': {u'ini_date': u'2020-06-03', u'description': u'PE File Signature Zero', u'author': u'r0d'}, u'name': u'PE_Header_Zero', u'offsets': {u'signature': [[0L, 0]]}}, {u'strings': [u'TVo=', u'UHJvY2Vzc29y'], u'meta': {u'ini_date': u'2020-05-27', u'description': u'OS Processor Check Signature Zero', u'author': u'r0d'}, u'name': u'OS_Processor_Check_Zero', u'offsets': {u'h1': [[124762L, 1]], u'mz': [[0L, 0], [49130L, 0], [76617L, 0], [147813L, 0]]}}, {u'strings': [u'T2g7T1xzTg=='], u'meta': {u'date': u'2021-03-11', u'description': u'UltraVNC', u'author': u'r0d'}, u'name': u'UltraVNC_Zero', u'offsets': {u's1': [[28854L, 0]]}}, {u'strings': [u'Q3JlYXRlRmlsZUE=', u'S0VSTkVMMzIuZGxs', u'U2V0RmlsZVBvaW50ZXI=', u'UmVhZEZpbGU=', u'V3JpdGVGaWxl'], u'meta': {u'version': u'0.1', u'description': u'Affect private profile', u'author': u'x0r'}, u'name': u'win_files_operation', u'offsets': {u'f1': [[132300L, 1]], u'c3': [[132718L, 4]], u'c2': [[132968L, 2]], u'c1': [[132718L, 4]], u'c6': [[133442L, 0]], u'c4': [[132824L, 3]]}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'IsPE32', u'offsets': {}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'IsWindowsGUI', u'offsets': {}}, {u'strings': [], u'meta': {u'description': u'Overlay Check', u'author': u'_pusher_'}, u'name': u'HasOverlay', u'offsets': {}}, {u'strings': [], u'meta': {u'date': u'2016-07', u'description': u'DebugData Check', u'author': u'_pusher_'}, u'name': u'HasDebugData', u'offsets': {}}, {u'strings': [u'UmljaA=='], u'meta': {u'date': u'2016-07', u'description': u'Rich Signature Check', u'author': u'_pusher_'}, u'name': u'HasRichSignature', u'offsets': {u'a0': [[192L, 0]]}}], u'sha1': u'a6a2b7c7d8e15ebc3918b212ca6952818fe8cf3a', u'name': u'93e07d6f56400588_2041131341.exe', u'filepath': u'C:\\Users\\test22\\AppData\\Local\\Temp\\2041131341.exe', u'sha512': u'fd4d0175487e06ac8ade388f5c7d43f80bc101cbfb2b2eeefb0b62be281e8eddc99a5a29124ca2bd0c4e25f649b9fe7b6154b7f86b392fadf3194d27651a7a64', u'urls': [], u'crc32': u'A6D76A05', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/9071/files/93e07d6f56400588_2041131341.exe', u'ssdeep': u'3072:sDKW1LgppLRHMY0TBfJvjcTp5XJXgNAqRO:sDKW1Lgbdl0TBBvjc/NgCk', u'sha256': u'93e07d6f564005880909df7a48a6775e409d50fd09f4ea55962003631fb7d81e', u'type': u'PE32 executable (GUI) Intel 80386, for MS Windows', u'pids': [1468], u'md5': u'526489ddbfd0d84e845ccd132cae5555', u'virustotal': {u'scan_id': u'93e07d6f564005880909df7a48a6775e409d50fd09f4ea55962003631fb7d81e-1615357872', u'sha1': u'a6a2b7c7d8e15ebc3918b212ca6952818fe8cf3a', u'resource': u'526489ddbfd0d84e845ccd132cae5555', u'verbose_msg': u'Scan finished, information embedded', u'response_code': 1, u'scan_date': u'2021-03-10 06:31:12', u'permalink': u'https://www.virustotal.com/gui/file/93e07d6f564005880909df7a48a6775e409d50fd09f4ea55962003631fb7d81e/detection/f-93e07d6f564005880909df7a48a6775e409d50fd09f4ea55962003631fb7d81e-1615357872', u'summary': {u'positives': 45, u'permalink': u'https://www.virustotal.com/gui/file/93e07d6f564005880909df7a48a6775e409d50fd09f4ea55962003631fb7d81e/detection/f-93e07d6f564005880909df7a48a6775e409d50fd09f4ea55962003631fb7d81e-1615357872', u'scan_date': u'2021-03-10 06:31:12'}, u'total': 67, u'positives': 45, u'sha256': u'93e07d6f564005880909df7a48a6775e409d50fd09f4ea55962003631fb7d81e', u'md5': u'526489ddbfd0d84e845ccd132cae5555', u'scans': {u'Bkav': {u'detected': True, u'version': u'1.3.0.9899', u'result': u'W32.AIDetect.malware2', u'update': u'20210309'}, u'Elastic': {u'detected': True, u'version': u'4.0.17', u'result': u'malicious (high confidence)', u'update': u'20210217'}, u'MicroWorld-eScan': {u'detected': True, u'version': u'14.0.409.0', u'result': u'Trojan.GenericKD.45862691', u'update': u'20210310'}, u'FireEye': {u'detected': True, u'version': u'32.44.1.0', u'result': u'Generic.mg.526489ddbfd0d84e', u'update': u'20210310'}, u'CAT-QuickHeal': {u'detected': False, u'version': u'14.00', u'result': None, u'update': u'20210309'}, u'McAfee': {u'detected': True, u'version': u'6.0.6.653', u'result': u'Artemis!526489DDBFD0', u'update': u'20210310'}, u'Cylance': {u'detected': True, u'version': u'2.3.1.101', u'result': u'Unsafe', u'update': u'20210310'}, u'Zillya': {u'detected': False, u'version': u'2.0.0.4309', u'result': None, u'update': u'20210309'}, u'SUPERAntiSpyware': {u'detected': False, u'version': u'5.6.0.1032', u'result': None, u'update': u'20210305'}, u'Sangfor': {u'detected': True, u'version': u'2.9.0.0', u'result': u'Trojan.Win32.Save.a', u'update': u'20210306'}, u'K7AntiVirus': {u'detected': True, u'version': u'11.168.36660', u'result': u'Trojan-Downloader ( 005786501 )', u'update': u'20210310'}, u'Alibaba': {u'detected': True, u'version': u'0.3.0.5', u'result': u'Trojan:MSIL/Generic.3007dbd3', u'update': u'20190527'}, u'K7GW': {u'detected': True, u'version': u'11.168.36660', u'result': u'Trojan-Downloader ( 005786501 )', u'update': u'20210310'}, u'CrowdStrike': {u'detected': True, u'version': u'1.0', u'result': u'win/malicious_confidence_100% (W)', u'update': u'20210203'}, u'Arcabit': {u'detected': True, u'version': u'1.0.0.881', u'result': u'Trojan.Generic.D2BBCF23', u'update': u'20210310'}, u'Baidu': {u'detected': False, u'version': u'1.0.0.2', u'result': None, u'update': u'20190318'}, u'Cyren': {u'detected': True, u'version': u'6.3.0.2', u'result': u'W32/Trojan.TJCG-9286', u'update': u'20210310'}, u'Symantec': {u'detected': True, u'version': u'1.14.0.0', u'result': u'ML.Attribute.HighConfidence', u'update': u'20210309'}, u'TotalDefense': {u'detected': False, u'version': u'37.1.62.1', u'result': None, u'update': u'20210310'}, u'APEX': {u'detected': True, u'version': u'6.140', u'result': u'Malicious', u'update': u'20210307'}, u'Avast': {u'detected': False, u'version': u'21.1.5827.0', u'result': None, u'update': u'20210310'}, u'ClamAV': {u'detected': False, u'version': u'0.103.1.0', u'result': None, u'update': u'20210309'}, u'Kaspersky': {u'detected': True, u'version': u'15.0.1.13', u'result': u'HEUR:Trojan.Win32.Generic', u'update': u'20210310'}, u'BitDefender': {u'detected': True, u'version': u'7.2', u'result': u'Trojan.GenericKD.45862691', u'update': u'20210310'}, u'NANO-Antivirus': {u'detected': False, u'version': u'1.0.146.25265', u'result': None, u'update': u'20210310'}, u'Paloalto': {u'detected': True, u'version': u'1.0', u'result': u'generic.ml', u'update': u'20210310'}, u'AegisLab': {u'detected': True, u'version': u'4.2', u'result': u'Trojan.Win32.Generic.4!c', u'update': u'20210310'}, u'Tencent': {u'detected': True, u'version': u'1.0.0.1', u'result': u'Msil.Trojan-downloader.Agent.Stua', u'update': u'20210310'}, u'Ad-Aware': {u'detected': True, u'version': u'3.0.16.117', u'result': u'Trojan.GenericKD.45862691', u'update': u'20210310'}, u'TACHYON': {u'detected': False, u'version': u'2021-03-10.01', u'result': None, u'update': u'20210310'}, u'Emsisoft': {u'detected': True, u'version': u'2018.12.0.1641', u'result': u'Trojan.GenericKD.45862691 (B)', u'update': u'20210310'}, u'Comodo': {u'detected': False, u'version': u'33331', u'result': None, u'update': u'20210310'}, u'F-Secure': {u'detected': True, u'version': u'12.0.86.52', u'result': u'Trojan.TR/Dropper.Gen', u'update': u'20210310'}, u'DrWeb': {u'detected': False, u'version': u'7.0.49.9080', u'result': None, u'update': u'20210310'}, u'VIPRE': {u'detected': False, u'version': u'90974', u'result': None, u'update': u'20210310'}, u'TrendMicro': {u'detected': False, u'version': u'11.0.0.1006', u'result': None, u'update': u'20210310'}, u'McAfee-GW-Edition': {u'detected': True, u'version': u'v2019.1.2+3728', u'result': u'BehavesLike.Win32.Generic.dm', u'update': u'20210310'}, u'CMC': {u'detected': False, u'version': u'2.10.2019.1', u'result': None, u'update': u'20210308'}, u'Sophos': {u'detected': True, u'version': u'1.0.2.0', u'result': u'Mal/Generic-S', u'update': u'20210310'}, u'SentinelOne': {u'detected': True, u'version': u'5.0.0.20', u'result': u'Static AI - Malicious PE', u'update': u'20210215'}, u'ESET-NOD32': {u'detected': True, u'version': u'22939', u'result': u'a variant of MSIL/TrojanDownloader.Agent.HLP', u'update': u'20210310'}, u'Webroot': {u'detected': True, u'version': u'1.0.0.403', u'result': u'W32.Trojan.Gen', u'update': u'20210310'}, u'Avira': {u'detected': True, u'version': u'8.3.3.12', u'result': u'TR/Dropper.Gen', u'update': u'20210310'}, u'Antiy-AVL': {u'detected': False, u'version': u'3.0.0.1', u'result': None, u'update': u'20210310'}, u'Kingsoft': {u'detected': False, u'version': u'2017.9.26.565', u'result': None, u'update': u'20210310'}, u'Gridinsoft': {u'detected': True, u'version': u'1.0.31.122', u'result': u'Trojan.Win32.Downloader.sa', u'update': u'20210310'}, u'Microsoft': {u'detected': True, u'version': u'1.1.17900.7', u'result': u'Trojan:Script/Phonzy.A!ml', u'update': u'20210310'}, u'ViRobot': {u'detected': False, u'version': u'2014.3.20.0', u'result': None, u'update': u'20210310'}, u'ZoneAlarm': {u'detected': True, u'version': u'1.0', u'result': u'HEUR:Trojan.Win32.Generic', u'update': u'20210310'}, u'GData': {u'detected': True, u'version': u'A:25.28895B:27.22234', u'result': u'Trojan.GenericKD.45862691', u'update': u'20210310'}, u'Cynet': {u'detected': True, u'version': u'4.0.0.25', u'result': u'Malicious (score: 100)', u'update': u'20210310'}, u'AhnLab-V3': {u'detected': False, u'version': u'3.19.5.10130', u'result': None, u'update': u'20210310'}, u'Acronis': {u'detected': True, u'version': u'1.1.1.81', u'result': u'suspicious', u'update': u'20210211'}, u'BitDefenderTheta': {u'detected': True, u'version': u'7.2.37796.0', u'result': u'Gen:NN.ZexaF.34608.qq3@aKt@Nmg', u'update': u'20210304'}, u'MAX': {u'detected': True, u'version': u'2019.9.16.1', u'result': u'malware (ai score=82)', u'update': u'20210310'}, u'VBA32': {u'detected': False, u'version': u'4.4.1', u'result': None, u'update': u'20210309'}, u'Malwarebytes': {u'detected': True, u'version': u'4.2.1.18', u'result': u'Spyware.RedLineStealer', u'update': u'20210308'}, u'Zoner': {u'detected': False, u'version': u'0.0.0.0', u'result': None, u'update': u'20210309'}, u'TrendMicro-HouseCall': {u'detected': True, u'version': u'10.0.0.1040', u'result': u'TROJ_GEN.R06CH0CC821', u'update': u'20210310'}, u'Rising': {u'detected': True, u'version': u'25.0.0.26', u'result': u'Dropper.Generic!8.35E (CLOUD)', u'update': u'20210310'}, u'Yandex': {u'detected': False, u'version': u'5.5.2.24', u'result': None, u'update': u'20210309'}, u'Ikarus': {u'detected': True, u'version': u'0.1.5.2', u'result': u'Trojan-Downloader.MSIL.Agent', u'update': u'20210309'}, u'MaxSecure': {u'detected': False, u'version': u'1.0.0.1', u'result': None, u'update': u'20210306'}, u'Fortinet': {u'detected': True, u'version': u'6.2.142.0', u'result': u'W32/Generic.HLP!tr', u'update': u'20210310'}, u'Cybereason': {u'detected': True, u'version': u'1.2.449', u'result': u'malicious.7d8e15', u'update': u'20210307'}, u'Panda': {u'detected': True, u'version': u'4.6.4.2', u'result': u'Trj/Genetic.gen', u'update': u'20210309'}, u'Qihoo-360': {u'detected': True, u'version': u'1.0.0.1120', u'result': u'Win32/TrojanDropper.Generic.HwoCyBoA', u'update': u'20210310'}}}}

Appends a known CryptoMix ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\1090905469.exe\:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2696 resumed a thread in remote process 1204
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x0000024c suspend_count: 1 process_identifier: 1204	1	0	0

Executed a process and injected code into it, probably while unpacking (47 events)

Time & API	Arguments	Status	Return
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x00000114 suspend_count: 1 process_identifier: 1468	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 1468	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x000001c8 suspend_count: 1 process_identifier: 1468	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x0000034c suspend_count: 1 process_identifier: 1468	1	0
CreateProcessInternalW March 12, 2021, 6:08 p.m.	thread_identifier: 2504 thread_handle: 0x00000714 process_identifier: 1536 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\2041131341.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\2041131341.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\2041131341.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000071c	1	1
CreateProcessInternalW March 12, 2021, 6:08 p.m.	thread_identifier: 2772 thread_handle: 0x00000714 process_identifier: 2696 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1090905469.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1090905469.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1090905469.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000728	1	1
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x00000114 suspend_count: 1 process_identifier: 1536	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 1536	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x000001c8 suspend_count: 1 process_identifier: 1536	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x0000035c suspend_count: 1 process_identifier: 1536	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x0000034c suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x00000618 suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x00000638 suspend_count: 1 process_identifier: 2696	1	0
NtGetContextThread March 12, 2021, 6:08 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread March 12, 2021, 6:08 p.m.	thread_handle: 0x000000e4	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2696	1	0
NtGetContextThread March 12, 2021, 6:08 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread March 12, 2021, 6:08 p.m.	thread_handle: 0x000000e4	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x00000658 suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x0000066c suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 2696	1	0
CreateProcessInternalW March 12, 2021, 6:08 p.m.	thread_identifier: 2668 thread_handle: 0x0000024c process_identifier: 1204 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\RegAsm.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\RegAsm.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\RegAsm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000250	1	1
NtGetContextThread March 12, 2021, 6:08 p.m.	thread_handle: 0x0000024c	1	0
NtAllocateVirtualMemory March 12, 2021, 6:08 p.m.	process_identifier: 1204 region_size: 155648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000250	1	0
WriteProcessMemory March 12, 2021, 6:08 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL®¸à0äªá @ `@XáO ø@<á H.textâ ä `.rsrcø è@@.reloc@ð@B base_address: 0x00400000 process_identifier: 1204 process_handle: 0x00000250	1	1
WriteProcessMemory March 12, 2021, 6:08 p.m.	buffer: base_address: 0x00402000 process_identifier: 1204 process_handle: 0x00000250	1	1
WriteProcessMemory March 12, 2021, 6:08 p.m.	buffer: P8hø hh4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ÈStringFileInfo¤000004b0, CommentsCSGO Tool8CompanyNameVoteban IncHFileDescriptionVoteban Manager0FileVersion1.2.3.1: InternalNameExiguity.exe> LegalCopyrightVAC Inc 2020@LegalTrademarksVoteban IncB OriginalFilenameExiguity.exe>ProductNameVoteban Client4ProductVersion1.2.3.1< Assembly Version2.51.14.3$êï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00422000 process_identifier: 1204 process_handle: 0x00000250	1	1
WriteProcessMemory March 12, 2021, 6:08 p.m.	buffer: à¬1 base_address: 0x00424000 process_identifier: 1204 process_handle: 0x00000250	1	1
WriteProcessMemory March 12, 2021, 6:08 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1204 process_handle: 0x00000250	1	1
NtSetContextThread March 12, 2021, 6:08 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4317610 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000024c process_identifier: 1204	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x0000024c suspend_count: 1 process_identifier: 1204	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x00000178 suspend_count: 1 process_identifier: 1204	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x000001e8 suspend_count: 1 process_identifier: 1204	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 1204	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 1204	1	0
NtResumeThread March 12, 2021, 6:08 p.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 1204	1	0
NtResumeThread March 12, 2021, 6:09 p.m.	thread_handle: 0x0000041c suspend_count: 1 process_identifier: 1204	1	0
NtResumeThread March 12, 2021, 6:09 p.m.	thread_handle: 0x000006f4 suspend_count: 1 process_identifier: 1204	1	0
NtResumeThread March 12, 2021, 6:09 p.m.	thread_handle: 0x000002c0 suspend_count: 1 process_identifier: 1204	1	0
NtGetContextThread March 12, 2021, 6:09 p.m.	thread_handle: 0x0000017c	1	0
NtGetContextThread March 12, 2021, 6:09 p.m.	thread_handle: 0x0000017c	1	0
NtResumeThread March 12, 2021, 6:09 p.m.	thread_handle: 0x0000017c suspend_count: 1 process_identifier: 1204	1	0

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Dopping.1
FireEye	Generic.mg.8ca675896f6c9ad9
McAfee	Artemis!8CA675896F6C
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan-Downloader ( 00575f9d1 )
Alibaba	Trojan:MSIL/Generic.a5fb21f7
K7GW	Trojan-Downloader ( 00575f9d1 )
Cybereason	malicious.96f6c9
Arcabit	Trojan.Dopping.1
Cyren	W32/Trojan.EVRI-1859
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Trojan-gen
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Gen:Variant.Dopping.1
Paloalto	generic.ml
AegisLab	Trojan.Win32.Generic.4!c
Tencent	Win32.Trojan.Generic.Edxu
Ad-Aware	Gen:Variant.Dopping.1
Sophos	Mal/Generic-S
DrWeb	Trojan.PWS.Siggen2.62670
McAfee-GW-Edition	BehavesLike.Win32.Generic.dt
Emsisoft	Gen:Variant.Dopping.1 (B)
Ikarus	Trojan-Downloader.MSIL.Small
ESET-NOD32	a variant of MSIL/TrojanDownloader.Small.CIQ
eGambit	Unsafe.AI_Score_99%
Avira	TR/Dropper.Gen
MAX	malware (ai score=100)
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Trojan:Script/Phonzy.A!ml
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Dopping.1
Cynet	Malicious (score: 100)
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.34608.qq3@aiYpnFi
ALYac	Gen:Variant.Dopping.1
Malwarebytes	Spyware.RedLineStealer
TrendMicro-HouseCall	TROJ_GEN.R002H0CC921
Rising	Dropper.Generic!8.35E (CLOUD)
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/Small.CIQ!tr.dldr
AVG	Win32:Trojan-gen
Panda	Trj/Genetic.gen
CrowdStrike	win/malicious_confidence_90% (W)
Qihoo-360	Win32/TrojanDropper.Generic.HwoCzCUA

1370132254.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All