Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 23, 2021, 10:28 a.m.	March 23, 2021, 10:35 a.m.

Size	9.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`e038387f7b4b7880c48d225db4b769d2`
SHA256	`dd7211d8c5d8b0e6290b9eb79787d64b73a91bde129ccc2d83525c4a8d24a531`
CRC32	`B4FEEDEB`
ssdeep	`192:1BZRT7uWWtjqTGCaGMSsEDesyNGv0bQFViTtuwiTtO:nZNKHR3CaLSs2ePG7c5uL5`
Yara	PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

DIqMUyT98Untp5QhexOCjQdS.exe "C:\Users\test22\AppData\Local\Temp\DIqMUyT98Untp5QhexOCjQdS.exe"
9068
- ziZjJAc0NwbgvftLaeQq811V.exe "C:\Users\test22\Documents\ziZjJAc0NwbgvftLaeQq811V.exe"
  8264
- cPnch54ZfXANkhAxqTXi43tj.exe "C:\Users\test22\Documents\cPnch54ZfXANkhAxqTXi43tj.exe"
  7012
- Cl6NvkY3niDsMBPm6svsQs42.exe "C:\Users\test22\Documents\Cl6NvkY3niDsMBPm6svsQs42.exe"
  6324
- gDpPmpnA3gEgWXNdwDjoP6jG.exe "C:\Users\test22\Documents\gDpPmpnA3gEgWXNdwDjoP6jG.exe"
  7312
- 2d4gTaMVeNxg4QC1DGZrnzZx.exe "C:\Users\test22\Documents\2d4gTaMVeNxg4QC1DGZrnzZx.exe"
  7804

Name	Response	Post-Analysis Lookup
digitalassets.ams3.digitaloceanspaces.com	A 5.101.110.225	5.101.110.225
pastebin.com	A 104.23.99.190 A 104.23.98.190	104.23.99.190
www.investinae.com	CNAME investinae.com A 108.167.143.77	108.167.143.77
iplogger.org	A 88.99.66.31	88.99.66.31
msiamericas.com	A 141.136.39.190	141.136.39.190
d0wnl0ads.online
file.ekkggr3.com	A 104.21.66.169 A 172.67.162.110	104.21.66.169
aretywer.xyz	A 45.144.30.78	45.144.30.78
whatitis.site	A 92.63.99.163 A 193.38.55.33	193.38.55.33
mytoolsprivacy.site
jg3.3uag.pw

IP Address	Status	Action
103.124.106.203	Active	Moloch
104.21.66.169	Active	Moloch
104.23.99.190	Active	Moloch
108.167.143.77	Active	Moloch
141.136.39.190	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
188.93.233.223	Active	Moloch
193.38.55.33	Active	Moloch
45.144.30.78	Active	Moloch
5.101.110.225	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49813 -> 5.101.110.225:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49806 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49811 -> 103.124.106.203:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.102:49814 -> 5.101.110.225:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 103.124.106.203:80 -> 192.168.56.102:49811	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 103.124.106.203:80 -> 192.168.56.102:49811	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49817 -> 141.136.39.190:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.102:49817 -> 141.136.39.190:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49817 -> 141.136.39.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:61998 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
TCP 193.38.55.33:80 -> 192.168.56.102:49809	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.38.55.33:80 -> 192.168.56.102:49809	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.102:49812 -> 188.93.233.223:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 193.38.55.33:80 -> 192.168.56.102:49809	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.102:49808 -> 104.23.99.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49818 -> 108.167.143.77:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 188.93.233.223:80 -> 192.168.56.102:49812	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 188.93.233.223:80 -> 192.168.56.102:49812	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49824 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 141.136.39.190:443 -> 192.168.56.102:49817	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 141.136.39.190:443 -> 192.168.56.102:49817	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49806 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLSv1 192.168.56.102:49808 104.23.99.190:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	ce:69:3b:0c:23:1f:bf:e1:a4:87:d2:44:26:54:a5:e4:bd:26:2f:7a
TLSv1 192.168.56.102:49824 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

Queries for the computername (24 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 23, 2021, 10:28 a.m.			0	0
IsDebuggerPresent March 23, 2021, 10:28 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 23, 2021, 10:28 a.m.		1	1	0

One or more processes crashed (50 out of 196610 events)

Time & API	Arguments	Status
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 1936549001 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1
__exception__ March 23, 2021, 10:28 a.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 zizjjac0nwbgvftlaeqq811v+0x14e62 @ 0x414e62 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 13107200 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 6696	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://whatitis.site/dlc/mixinte
suspicious_features	Connection to IP address	suspicious_request	GET http://103.124.106.203/cof4/inst.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://188.93.233.223/proxy1.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1ixtu7
suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/mH2EJxkv
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1lA5k

Performs some HTTP requests (8 events)

request	GET http://whatitis.site/dlc/mixinte
request	GET http://103.124.106.203/cof4/inst.exe
request	GET http://188.93.233.223/proxy1.exe
request	GET http://file.ekkggr3.com/iuww/jvppp.exe
request	GET https://iplogger.org/1ixtu7
request	GET https://pastebin.com/raw/mH2EJxkv
request	GET https://iplogger.org/1hVa87
request	GET https://iplogger.org/1lA5k

Allocates read-write-execute memory (usually to unpack itself) (41 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00576000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00577000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b03000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef20000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 23, 2021, 10:28 a.m.	process_identifier: 8264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 106496 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c9c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 23, 2021, 10:29 a.m.	process_identifier: 7012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 327680 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0098c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 23, 2021, 10:29 a.m.	process_identifier: 6324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 327680 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009cc000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:29 a.m.	process_identifier: 7312 region_size: 4677632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02330000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:29 a.m.	process_identifier: 7312 region_size: 4677632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:29 a.m.	process_identifier: 7312 region_size: 9498624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 23, 2021, 10:29 a.m.	process_identifier: 7312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 23, 2021, 10:29 a.m.	process_identifier: 7312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 663552 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c3e000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:29 a.m.	process_identifier: 7804 region_size: 4677632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:29 a.m.	process_identifier: 7804 region_size: 4677632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 10:29 a.m.	process_identifier: 7804 region_size: 9498624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 23, 2021, 10:29 a.m.	process_identifier: 7804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 23, 2021, 10:29 a.m.	process_identifier: 7804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 663552 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cde000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

DIqMUyT98Untp5QhexOCjQdS.exe tried to sleep 161 seconds, actually delayed analysis time by 161 seconds

Creates executable files on the filesystem (50 out of 8270 events)

file	C:\Users\test22\Documents\NFq5m4udSSTnNu9X4BwJLumb.exe
file	C:\Users\test22\Documents\Ilbovq1ONHHs27ju35TJ6sDW.exe
file	C:\Users\test22\Documents\MQSCTelgZH5aUhBIwi5eqvD8.exe
file	C:\Users\test22\Documents\h3NLFE3FrzcDGPvVah1uLIbq.exe
file	C:\Users\test22\Documents\nRWUHUMl5Jtn2orpACySCFwm.exe
file	C:\Users\test22\Documents\D3POtA6gDmNxj6Do9zOEI2v8.exe
file	C:\Users\test22\Documents\2Am1FcxC2mo8OaYkCxMaw7J7.exe
file	C:\Users\test22\Documents\D5orCSJ278vIsM0wp7eAVMnT.exe
file	C:\Users\test22\Documents\CfiPCKA0QjfkI4wcWsAPC1Wx.exe
file	C:\Users\test22\Documents\0WSzL4Fg5EgI00ASNIaObmjA.exe
file	C:\Users\test22\Documents\R9aQ5F1sD6Izr3YJWtHKl2cQ.exe
file	C:\Users\test22\Documents\lTXibNaZhIxg9Tbc0aajryog.exe
file	C:\Users\test22\Documents\3isrq6kdYpxWGNeVhifXlZ9g.exe
file	C:\Users\test22\Documents\YOZcIu2XcDlEvWgIK4pH4hsk.exe
file	C:\Users\test22\Documents\4tmdAknKtjAd8hiQnBOCwpKQ.exe
file	C:\Users\test22\Documents\rCuHYToNB5TT1Uc9dxLh4Us8.exe
file	C:\Users\test22\Documents\GD3Px8EqDNyqcPYCzMXbivlB.exe
file	C:\Users\test22\Documents\xDnLRmfLNlOYtqpmEWsSslIT.exe
file	C:\Users\test22\Documents\dI2zlm20PRPiZ6QL5xMNOkMQ.exe
file	C:\Users\test22\Documents\hUJMpUbVZ4vdyzBAPBv7hITq.exe
file	C:\Users\test22\Documents\f6u6nxlkuOfYLFlZwpGrKYpR.exe
file	C:\Users\test22\Documents\JTFd31WZyOZ1hptUqtnEwAEh.exe
file	C:\Users\test22\Documents\2vzazqPfxwykpRYKtYxKOobg.exe
file	C:\Users\test22\Documents\sMrQsNORpssxDhOWJZ4XEfnL.exe
file	C:\Users\test22\Documents\nKJ9wv3nej8ZvlWmD9OrgLg7.exe
file	C:\Users\test22\Documents\CHv4n1o8adUxWS4d1kWcJpV9.exe
file	C:\Users\test22\Documents\zAC2DNSnOFJL0LCCsNASdoNN.exe
file	C:\Users\test22\Documents\FDRkvX3iHtQqNS5xBEH2bqvN.exe
file	C:\Users\test22\Documents\dQok7DZJ0W6ZVdMcQKsdtaKV.exe
file	C:\Users\test22\Documents\GtQsrEUkBPLWDJMJJvkY41Ao.exe
file	C:\Users\test22\Documents\nIrM6hxIO3kHtm8uh6265Z2y.exe
file	C:\Users\test22\Documents\7gShPx1rUYz887U5qpYlZD3t.exe
file	C:\Users\test22\Documents\9WT8oOIPbevt60awUiFcH7Tb.exe
file	C:\Users\test22\Documents\O13N0iiiFCP3bBrS9mu6kJCB.exe
file	C:\Users\test22\Documents\TgFncR1T8PltjWkWWKbGLKUe.exe
file	C:\Users\test22\Documents\WULqOmdiEcl9dM3OggktQxzy.exe
file	C:\Users\test22\Documents\0CUU9CawXR7FZGR8Fmhu56xB.exe
file	C:\Users\test22\Documents\cLfOYdXssonmDKeXD0uqD43Q.exe
file	C:\Users\test22\Documents\O185rKlZjlJYptMLQMM7SIXI.exe
file	C:\Users\test22\Documents\pR9GHLujoKkItbA8RWrwrjP6.exe
file	C:\Users\test22\Documents\HmcbPGf3WAgl18DSa731LpYS.exe
file	C:\Users\test22\Documents\kKgdSun001IwHr8h7zuYDRrM.exe
file	C:\Users\test22\Documents\ywtBpLxX0yqQv7eH9lmzAVWV.exe
file	C:\Users\test22\Documents\bJpQrdE3n456OhTXJCVT0SK4.exe
file	C:\Users\test22\Documents\6AFK94BqYUj95mbdNlpfAyal.exe
file	C:\Users\test22\Documents\u9WI31vjOVbdIXusWBQSsvKK.exe
file	C:\Users\test22\Documents\SDBqztYMpOSQpHPkDtDLPEqC.exe
file	C:\Users\test22\Documents\VU5I9rAQcTOx263V7c0mVM6U.exe
file	C:\Users\test22\Documents\BnFqT1VMezQ2d2WI8IlON5md.exe
file	C:\Users\test22\Documents\qCsfmtriyU0e1HhJLS9DXBbU.exe

Creates hidden or system file (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile March 23, 2021, 10:29 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000004ac filepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\8WY8bYJ.sys desired_access: 0x10100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_ALL) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\8WY8bYJ.sys create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 7 (FILE_SHARE_READ\|FILE_SHARE_WRITE\|FILE_SHARE_DELETE)	1	0	0
NtCreateFile March 23, 2021, 10:29 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000000c8 filepath: C:\ProgramData\w4H1foqXL.sys desired_access: 0x10100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_ALL) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\ProgramData\w4H1foqXL.sys create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 7 (FILE_SHARE_READ\|FILE_SHARE_WRITE\|FILE_SHARE_DELETE)	1	0	0

Creates a suspicious process (2 events)

cmdline	C:\Users\test22\Documents\Heg5x4iuLD2uXP4fuo7XXcMd.exe
cmdline	C:\Users\test22\Documents\Skx4y4gS49uH7nvZTc2hWCmd.exe

Drops a binary and executes it (4 events)

file	C:\Users\test22\Documents\ziZjJAc0NwbgvftLaeQq811V.exe
file	C:\Users\test22\Documents\Cl6NvkY3niDsMBPm6svsQs42.exe
file	C:\Users\test22\Documents\gDpPmpnA3gEgWXNdwDjoP6jG.exe
file	C:\Users\test22\Documents\tqVUrqbNDrHDGpddWmBbfRQH.exe

Executes one or more WMI queries (1 event)

wmi	SELECT Caption FROM Win32_OperatingSystem

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 23, 2021, 10:28 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (6 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW March 23, 2021, 10:29 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 23, 2021, 10:29 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 23, 2021, 10:29 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 23, 2021, 10:29 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 23, 2021, 10:29 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 23, 2021, 10:29 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1

Uses Windows utilities for basic Windows functionality (20 events)

cmdline	C:\Users\test22\Documents\Muq21uSefAKwTKckhF0fmdSc.exe
cmdline	C:\Users\test22\Documents\d1NqoYHHAuPrn8nxafBKD1aT.exe
cmdline	C:\Users\test22\Documents\g74xts1IzqfNOiV9oIZIZxsC.exe
cmdline	C:\Users\test22\Documents\m6yQVfvUuwKmLTJ8Tz5JeraT.exe
cmdline	C:\Users\test22\Documents\lehQ1i39yP2vZIqzam8jddSc.exe
cmdline	C:\Users\test22\Documents\jxFWIlxT93netj0eeEDLfaat.exe
cmdline	C:\Users\test22\Documents\Hs2goYAiE0rflL85UuZyz0Sc.exe
cmdline	C:\Users\test22\Documents\zuxluTEBX4IcUgOpNTxB5vAt.exe
cmdline	C:\Users\test22\Documents\GdFSDcHTCFZ6gg7964ny4vSC.exe
cmdline	C:\Users\test22\Documents\qXv2u6GJ7F4yRwDbsEAjZhSc.exe
cmdline	C:\Users\test22\Documents\LIa8rlp9SJcCiwMxkH5XDnaT.exe
cmdline	C:\Users\test22\Documents\pPYlTv6twZjOy8FF2T0FteSc.exe
cmdline	C:\Users\test22\Documents\qj2fyLdYxUNVsgQPThAwnFsc.exe
cmdline	C:\Users\test22\Documents\5HcK1vrHTyYQ1dPyVDFyoDIR.exe
cmdline	C:\Users\test22\Documents\9ytoAhQJJwHMMkvo2d1xIiAt.exe
cmdline	C:\Users\test22\Documents\wOjCJHOl1jstRulkHhPQjcsC.exe
cmdline	C:\Users\test22\Documents\Tho7vhxTWCIJXoERR5uSyqSc.exe
cmdline	C:\Users\test22\Documents\nATEOZ2tmMPStWnASGchVKsC.exe
cmdline	C:\Users\test22\Documents\GWsUOI8P7zt6vb4jRv8BLeat.exe
cmdline	C:\Users\test22\Documents\uehBy4A3qJouZxs1lEfx7GsC.exe

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: f4b90461575f862f28dbc1d91fb2ac91d68e3716

Communicates with host for which no DNS query was performed (3 events)

host	103.124.106.203
host	172.217.25.14
host	188.93.233.223

Attempts to identify installed AV products by registry key (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AVplFgNVunMyPDGdKqaolFbSqa8NFgJg

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation March 23, 2021, 10:28 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (50 out of 8276 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CeIPKJhi1mVsRGM2AWYnbjC3lrllncG7	reg_value	C:\Users\test22\Documents\ziZjJAc0NwbgvftLaeQq811V.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xRTPwfddJDLnjNhT8PnwAqtuX25K0Wij	reg_value	C:\Users\test22\Documents\rDgo2NqEP3pJKB4TSXqldN4d.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ii23jTnxemGfiRrTmm2dlMYAocXww3Uj	reg_value	C:\Users\test22\Documents\cPnch54ZfXANkhAxqTXi43tj.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\eirDxtak3RCtQs4fWQCmEFfVK1OH51Ak	reg_value	C:\Users\test22\Documents\gDpPmpnA3gEgWXNdwDjoP6jG.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DW35eSoCQbcsr55ruIawfLLfHSkDaftk	reg_value	C:\Users\test22\Documents\RhA9jog3LRkUKou6h2af1reZ.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KXyMsllvs1pF8s6JuhJ6HcSFC8GsuAUU	reg_value	C:\Users\test22\Documents\Cl6NvkY3niDsMBPm6svsQs42.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\FsJte3BrhVY4qiXiWIAzb7t3U25IBlvu	reg_value	C:\Users\test22\Documents\rECXwLKB6SAVVJnNwl8si7us.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\8QZm72p5jokVQTg5l6iIJtHlVr4lPVxY	reg_value	C:\Users\test22\Documents\TUSDCbgDQTyAvthNOaVa64QH.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\IxQQ8EqO0LSGOu3r1KeQS9dJu9rzgxC5	reg_value	C:\Users\test22\Documents\DKEvB4FXn2aHIL644ayAWI8P.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\UGf8W0rDJW5ZHpDCv5EGtgQ4ThTZo1Rd	reg_value	C:\Users\test22\Documents\LzmOnzZjMMQ630pJgHILnr6I.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0kpzhSZSFbgnugsUttlgtu9DfcVibj0D	reg_value	C:\Users\test22\Documents\2d4gTaMVeNxg4QC1DGZrnzZx.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\llTF600fldjnz9iW5ZsOSgSHVyKWl6zK	reg_value	C:\Users\test22\Documents\EHqsvWxMyfbduYGhXF83N3DG.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TMtIpe3ooZkP2YTNJukWoBS3Gxz98A9O	reg_value	C:\Users\test22\Documents\DkHJDrP7o62RycrXgm8yLzxF.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\30B2p4pnaVc0icPCcZUaY3AoRrqOVi9W	reg_value	C:\Users\test22\Documents\xC008HRKCNnZ2bfHTuoaPaaS.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\zWk7ObR1WFO9fI6C4M2Y4epmHzttkKQk	reg_value	C:\Users\test22\Documents\li7HFZeHi99g9pj0em8zFA3A.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\q7zYriRMzoVi0NNXTvqwUwMieXDoQYcJ	reg_value	C:\Users\test22\Documents\o6Rtzh3GrHJ3ajVWp542IfGV.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\uR4Tem6aLLr4LVqyWh6XraUq1l7tyFVh	reg_value	C:\Users\test22\Documents\05C1reZJz7EwOxfcrgjWyTB4.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\7Nc2pMmG0K9EOQOQ1tWEzRlQUl3EFDKR	reg_value	C:\Users\test22\Documents\4HGZjFpNBnkCFkQWzuARWnNU.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mLhEShAw9sJcz2nFMhDVFppIdViVoh9v	reg_value	C:\Users\test22\Documents\4wbWnwhyBeL5lMHiftZnRIeq.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fZl78pIbtYKDJL0tBj2qtxFyl6PTGPpI	reg_value	C:\Users\test22\Documents\RvtbOcgddZ52DotmGUatFJk6.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\UwWCayVdsC2XPA2dFEZPnaU4dUzZhJ1Q	reg_value	C:\Users\test22\Documents\Lw6z1iexRdJodqc4ersfR4Ms.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\bbiF955iLlxBgwQnq6H7d3GXpWkStovm	reg_value	C:\Users\test22\Documents\jNeFMbXcIq6byFpdzOaNf6E4.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VLZnVmyhzK35IguXd4MFn2FCYhU6HNxB	reg_value	C:\Users\test22\Documents\Ikou2SdMuYQNSn7C8wgizHah.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GXOxR1ZmX2vBHDfmCEg3f6SXn258H1Fz	reg_value	C:\Users\test22\Documents\KGZr201IjtXIuB4cBIF55U4c.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\F0KZ6affw5zKbAA9NykuLaGuh6Uo9OAL	reg_value	C:\Users\test22\Documents\M6lfmD0rTuv1Q2V8nc21yA7J.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\uZ2AG0gh5nM9kOFwEre6VwqXZrLFlAvv	reg_value	C:\Users\test22\Documents\8cZv3bu2PPFUDKgnc3nAaN7o.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\tfkYoa652adzNmMU5FMxWQZ1o7StECCe	reg_value	C:\Users\test22\Documents\fuBdjuwZtiZZ8hDNx16ssAT8.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GturHM0zX9YK1ILhV3L2t1xa7GEcOap4	reg_value	C:\Users\test22\Documents\bCuEJXuTlehhDNALomxmyglc.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\5TtBIYk7TdtjKv3SrwPBstlIxiB8Iuis	reg_value	C:\Users\test22\Documents\bS8ZnDLYnrJEzzTgaQR5VssO.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\slNjXmyi5AAaQk8hfB4g9PBDNVlKh9P2	reg_value	C:\Users\test22\Documents\jteTTKQOGLuVGtVpW8NjdrfL.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\jJWCAoB5uHM79QkxKaKyz5US6zK15xGP	reg_value	C:\Users\test22\Documents\OTks6r0eWLaGt4YwApDcw8Ld.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\zDFLeJ96B602HxcV5boUktjfCawpgtat	reg_value	C:\Users\test22\Documents\HHJxVyesKeVlsbwtFQRWyXnn.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ekIEXUaRfGYlzKmmOnzLJx4Ixe1kTEAK	reg_value	C:\Users\test22\Documents\df7RtTNAeYjvl4mRx5aWtTDF.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\qAR2c08bGOK7XecFApN2hZmwDORg54qj	reg_value	C:\Users\test22\Documents\b1xIKJnK7RPefBbnSxIFd26q.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\XfzNibgMhkCPBRNP7GitAV4j8dL1y251	reg_value	C:\Users\test22\Documents\5HcK1vrHTyYQ1dPyVDFyoDIR.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\kPOEQoXppKQze0TdgqbymoH9qHB7CWWk	reg_value	C:\Users\test22\Documents\9LxW6ej1SMtQb9xD000ifYQB.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\IPYJmamSxp4sEmOCFx9iD0PshBZpVind	reg_value	C:\Users\test22\Documents\5vwqPeloyElRt7jAhXBy7bZ5.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\9qllA77PBbWNFO6mvlHuWMpqFfgVyeBf	reg_value	C:\Users\test22\Documents\W0h9FcBYbSdDC064I9tJc02S.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\A4ffblaha1P0OgvVNnYJKEMWpmSsFKvz	reg_value	C:\Users\test22\Documents\7P9Z1aYdVNBlesz4DGY0tI5x.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sIzzSsbQFagCHzaUloWr2j4q6wWDgqFi	reg_value	C:\Users\test22\Documents\TMZ642BuwdLmc9pgVCnFtvm6.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OI2gWYtZV8bnkpQZMTp7C2NTW0bMM9Jp	reg_value	C:\Users\test22\Documents\kdOvDMcDB5hBcmZglTdFY4DI.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\4iJg7hNVzwNfHWFQlCv4MtJl4eJHFDaT	reg_value	C:\Users\test22\Documents\ZFh4T5rnLIqeKv56CE3FPGFV.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ZhlcXFQvW4e5WVeaWH91EuEepcJcjN9y	reg_value	C:\Users\test22\Documents\AL9uwLpo4UpYhazq8neMULJL.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dGx46yMI4q2hAQ0J0KxKsaivIfTfXwnv	reg_value	C:\Users\test22\Documents\CyVOkMQzE3Cn53UnJD0MLRHp.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\iCwaervHCH0UfWueRhdyrTuV2aRralRt	reg_value	C:\Users\test22\Documents\qpudZW3Qr3sPAwn2NqWBd76C.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RbhEZDqbzHlybX5ywdpGG1ZjCavi1WQk	reg_value	C:\Users\test22\Documents\sr5Wjcv9IlM35TX151u5dIUO.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\C8B9SIjd0AbvSx4G3kMVxk1dANm6NQGI	reg_value	C:\Users\test22\Documents\WqFH4qjF4vDyrjZi65J9dOHa.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Gi8FfnQk4SMnr7bTxZJNmKWW7c4JKNGv	reg_value	C:\Users\test22\Documents\ioF6okwwLk8qHoPJBDG3Cwmc.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\LmICsGaqMbmEHVrGIl3OYh5VB0iXHdIl	reg_value	C:\Users\test22\Documents\BnzGlrQiUXwyblbDlxFmmZz5.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\qxB2hCitSAQNarh4vpQR55Vo4SRI9HFM	reg_value	C:\Users\test22\Documents\x449jNzN7GmA9X6QF9dBglho.exe

Loads a driver (6 events)

Time & API	Arguments	Return
NtLoadDriver March 23, 2021, 10:29 a.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\2nx7w05wXt6P	3221225473
NtLoadDriver March 23, 2021, 10:29 a.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\bGIDRb2JifD6dU	3221225473
NtLoadDriver March 23, 2021, 10:29 a.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\p7045idDVhxw	3221225473
NtLoadDriver March 23, 2021, 10:29 a.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\4HZ0aIMX032q0	3221225473
NtLoadDriver March 23, 2021, 10:29 a.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\2qE006Ezq66MZYp	3221225473
NtLoadDriver March 23, 2021, 10:29 a.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\5yh6F26Z	3221225473

Uses Sysinternals tools in order to add additional command line functionality (21 events)

cmdline	C:\Users\test22\Documents\bcM2uZLuf7Ab48g87ytKUtru.exe
cmdline	C:\Users\test22\Documents\61h1YW4mfHX0sheWQonogtDu.exe
cmdline	C:\Users\test22\Documents\YXAEIFBowk1jhelv2WiHxXdu.exe
cmdline	C:\Users\test22\Documents\iOvgAhdZ6HvBGe2GO1nqqMrU.exe
cmdline	C:\Users\test22\Documents\boCn3ZhTAH8MMds8rx3N0UdU.exe
cmdline	C:\Users\test22\Documents\gtZhTIXVQjQLmy5gKTynzORu.exe
cmdline	C:\Users\test22\Documents\ojRrJd3PbpnsgFDnmenQLlDu.exe
cmdline	C:\Users\test22\Documents\250ft0NbxedTm6dcGG7XYADU.exe
cmdline	C:\Users\test22\Documents\Bc7wDqiNvRRx106ikQ6Uwbdu.exe
cmdline	C:\Users\test22\Documents\Z9Jly7MZ4CJeL9HdFupD6Odu.exe
cmdline	C:\Users\test22\Documents\b7yW1NrA5IBLFeBQu7CVzhdU.exe
cmdline	C:\Users\test22\Documents\gNo8wbli72iNi7JkjALPbrdU.exe
cmdline	C:\Users\test22\Documents\RjISP1R5lWHRmIvgLTTiZeru.exe
cmdline	C:\Users\test22\Documents\xHhT8LtGiQEq5rchfNFVYvrU.exe
cmdline	C:\Users\test22\Documents\0P5EQKhgNxZmpo8DY0iAAudU.exe
cmdline	C:\Users\test22\Documents\BlWzplcAHgHEf9QzA7LEbmDu.exe
cmdline	C:\Users\test22\Documents\LRcyQLyrXVEUoJKTkrxNZAdU.exe
cmdline	C:\Users\test22\Documents\AOgIMMKBsS3rbLClDgGOY8rU.exe
cmdline	C:\Users\test22\Documents\2Kk4ib4ROzELI4IFEyKsCGru.exe
cmdline	C:\Users\test22\Documents\AI7NM2YKNFq5MXOwB1bN8TrU.exe
cmdline	C:\Users\test22\Documents\EESVDx8R8MMjd5QU8tZoMmDU.exe

Tries to unhook Windows functions monitored by Cuckoo (1 event)

Time & API	Arguments	Status	Return	Repeated
__anomaly__ March 23, 2021, 10:29 a.m.	tid: 6696 message: Encountered 65537 exceptions, quitting. subcategory: exception function_name:	1	0	0

Generates some ICMP traffic

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
FireEye	Generic.mg.e038387f7b4b7880
McAfee	RDN/Generic PWS.y
Cylance	Unsafe
AegisLab	Trojan.MSIL.Stealer.l!c
Sangfor	Trojan.Win32.Save.a
Alibaba	Trojan:MSIL/Generic.395b5dc9
CrowdStrike	win/malicious_confidence_100% (W)
BitDefenderTheta	Gen:NN.ZemsilF.34628.am0@a8m3ncb
APEX	Malicious
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
Avast	FileRepMalware
Sophos	ML/PE-A
eGambit	Unsafe.AI_Score_64%
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Win32.Trojan.Ilgergop.0K2YXQ
Malwarebytes	Trojan.Downloader
ESET-NOD32	a variant of MSIL/TrojanDownloader.Small.CLF
Rising	Trojan.IPLogger!1.B69D (CLOUD)
SentinelOne	Static AI - Malicious PE
AVG	FileRepMalware
Cybereason	malicious.705fe0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

45.144.30.78:80

Stops Windows services (6 events)

service	2qE006Ezq66MZYp (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\2qE006Ezq66MZYp\Start)
service	5yh6F26Z (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\5yh6F26Z\Start)
service	2nx7w05wXt6P (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\2nx7w05wXt6P\Start)
service	4HZ0aIMX032q0 (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\4HZ0aIMX032q0\Start)
service	p7045idDVhxw (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p7045idDVhxw\Start)
service	bGIDRb2JifD6dU (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\bGIDRb2JifD6dU\Start)

DIqMUyT98Untp5QhexOCjQdS.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All