Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 17, 2021, 9:31 a.m.	Aug. 17, 2021, 9:37 a.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`2cae1b3be4c37e8f0ca5dac99dbbac17`
SHA256	`7045ebc8901b28437b116f9ff37d6e16caf2b47e3b7986cc233add8410f1ec9f`
CRC32	`DEC516BD`
ssdeep	`24576:kiKH63AanJL5WRxc493rVedPdiHxO0KQJ2dJd0+Tf7Lsg77R:vZA0L5WRq493heB2ydJ/LsS7R`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

zxcvb.exe "C:\Users\test22\AppData\Local\Temp\zxcvb.exe"
2444
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\Skcczlqwcscgqo.vbs"
  2932
  - Qhbcytidvconsoleapp6aa.exe "C:\Users\test22\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe"
    2412
    - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\Evpctmxstsshc.vbs"
      2220
      - Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe "C:\Users\test22\AppData\Local\Temp\Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe"
        412
        
        Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe C:\Users\test22\AppData\Local\Temp\Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe
        2480
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /pid 2480 & erase C:\Users\test22\AppData\Local\Temp\Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe & RD /S /Q C:\\ProgramData\\330118707341584\\* & exit
        844
        
        taskkill.exe taskkill /pid 2480
        812
    - Qhbcytidvconsoleapp6aa.exe C:\Users\test22\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
      1460
- zxcvb.exe C:\Users\test22\AppData\Local\Temp\zxcvb.exe
  2532
  - cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\zxcvb.exe"
    1772
    - timeout.exe timeout /T 10 /NOBREAK
      2196
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
myproskxa.ac.ug	A 185.215.113.77	185.215.113.77
kullasa.ac.ug	A 185.215.113.77	185.215.113.77
telete.in	A 195.201.225.248	195.201.225.248

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.163.45.248	Active	Moloch
185.215.113.77	Active	Moloch
195.201.225.248	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49205 -> 195.201.225.248:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.163.45.248:80 -> 192.168.56.101:49206	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.163.45.248:80 -> 192.168.56.101:49206	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.163.45.248:80 -> 192.168.56.101:49206	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.215.113.77:80 -> 192.168.56.101:49217	2400024	ET DROP Spamhaus DROP Listed Traffic Inbound group 25	Misc Attack
TCP 185.215.113.77:80 -> 192.168.56.101:49283	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.101:49283 -> 185.215.113.77:80	2027108	ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.77:80	2029236	ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil	Malware Command and Control Activity Detected
TCP 192.168.56.101:49283 -> 185.215.113.77:80	2029846	ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49205 195.201.225.248:443	C=US, O=Let's Encrypt, CN=R3	CN=telecut.in	1d:7b:94:0d:d6:f9:85:f3:66:74:d5:1d:98:0c:7a:28:5b:c0:62:44

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 17, 2021, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2021, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2021, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2021, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2021, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2021, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2021, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2021, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 17, 2021, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2021, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2021, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 17, 2021, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2021, 9:37 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 17, 2021, 9:31 a.m.			0	0
IsDebuggerPresent Aug. 17, 2021, 9:31 a.m.			0	0
IsDebuggerPresent Aug. 17, 2021, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 17, 2021, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 17, 2021, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 17, 2021, 9:36 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Aug. 17, 2021, 9:37 a.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1	0
WriteConsoleW Aug. 17, 2021, 9:37 a.m.	buffer: ERROR: The process "2480" not found. console_handle: 0x0000000b	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\libegl.dll
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 17, 2021, 9:31 a.m.		1	1	0

One or more processes crashed (13 events)

Time & API	Arguments	Status
__exception__ Aug. 17, 2021, 9:31 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x48d55dd 0x48d5552 0x48d2dcb 0x48d25e3 0x48d0910 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3135ed @ 0x6ff535ed 0x1fe3d17 0x1fe1492 0x1fe1365 system+0x19c522 @ 0x6e83c522 system+0x19e920 @ 0x6e83e920 system+0x19e803 @ 0x6e83e803 0x1fe0e78 system+0x1f9799 @ 0x6e899799 system+0x1f92c8 @ 0x6e8992c8 system+0x1eca74 @ 0x6e88ca74 system+0x1ec868 @ 0x6e88c868 system+0x1f82b8 @ 0x6e8982b8 system+0x1ee54d @ 0x6e88e54d system+0x1f70ea @ 0x6e8970ea system+0x1e56c0 @ 0x6e8856c0 system+0x1f8215 @ 0x6e898215 system+0x1f6f75 @ 0x6e896f75 system+0x1ee251 @ 0x6e88e251 system+0x1ee229 @ 0x6e88e229 system+0x1ee170 @ 0x6e88e170 0x54a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6e88bc85 system+0x1f683b @ 0x6e89683b system+0x1a5e44 @ 0x6e845e44 system+0x1fd8a0 @ 0x6e89d8a0 system+0x1fd792 @ 0x6e89d792 system+0x1a14bd @ 0x6e8414bd 0x1fe007a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 1762428 registers.edi: 1990713288 registers.eax: 16777216 registers.ebp: 1762632 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 17, 2021, 9:31 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x48d55dd 0x48d5552 0x48d2dcb 0x48d25e3 0x48d0910 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3135ed @ 0x6ff535ed 0x1fe3d17 0x1fe1492 0x1fe1365 system+0x19c522 @ 0x6e83c522 system+0x19e920 @ 0x6e83e920 system+0x19e803 @ 0x6e83e803 0x1fe0e78 system+0x1f9799 @ 0x6e899799 system+0x1f92c8 @ 0x6e8992c8 system+0x1eca74 @ 0x6e88ca74 system+0x1ec868 @ 0x6e88c868 system+0x1f82b8 @ 0x6e8982b8 system+0x1ee54d @ 0x6e88e54d system+0x1f70ea @ 0x6e8970ea system+0x1e56c0 @ 0x6e8856c0 system+0x1f8215 @ 0x6e898215 system+0x1f6f75 @ 0x6e896f75 system+0x1ee251 @ 0x6e88e251 system+0x1ee229 @ 0x6e88e229 system+0x1ee170 @ 0x6e88e170 0x54a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6e88bc85 system+0x1f683b @ 0x6e89683b system+0x1a5e44 @ 0x6e845e44 system+0x1fd8a0 @ 0x6e89d8a0 system+0x1fd792 @ 0x6e89d792 system+0x1a14bd @ 0x6e8414bd 0x1fe007a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 1762428 registers.edi: 1990713288 registers.eax: 4194304 registers.ebp: 1762632 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 17, 2021, 9:31 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x48d55dd 0x48d5552 0x48d2dcb 0x48d25e3 0x48d0910 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3135ed @ 0x6ff535ed 0x1fe3d17 0x1fe1492 0x1fe1365 system+0x19c522 @ 0x6e83c522 system+0x19e920 @ 0x6e83e920 system+0x19e803 @ 0x6e83e803 0x1fe0e78 system+0x1f9799 @ 0x6e899799 system+0x1f92c8 @ 0x6e8992c8 system+0x1eca74 @ 0x6e88ca74 system+0x1ec868 @ 0x6e88c868 system+0x1f82b8 @ 0x6e8982b8 system+0x1ee54d @ 0x6e88e54d system+0x1f70ea @ 0x6e8970ea system+0x1e56c0 @ 0x6e8856c0 system+0x1f8215 @ 0x6e898215 system+0x1f6f75 @ 0x6e896f75 system+0x1ee251 @ 0x6e88e251 system+0x1ee229 @ 0x6e88e229 system+0x1ee170 @ 0x6e88e170 0x54a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6e88bc85 system+0x1f683b @ 0x6e89683b system+0x1a5e44 @ 0x6e845e44 system+0x1fd8a0 @ 0x6e89d8a0 system+0x1fd792 @ 0x6e89d792 system+0x1a14bd @ 0x6e8414bd 0x1fe007a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 1762428 registers.edi: 1990713288 registers.eax: 10551296 registers.ebp: 1762632 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 17, 2021, 9:31 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x48d55dd 0x48d5552 0x48d2dcb 0x48d25e3 0x48d0910 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3135ed @ 0x6ff535ed 0x1fe3d17 0x1fe1492 0x1fe1365 system+0x19c522 @ 0x6e83c522 system+0x19e920 @ 0x6e83e920 system+0x19e803 @ 0x6e83e803 0x1fe0e78 system+0x1f9799 @ 0x6e899799 system+0x1f92c8 @ 0x6e8992c8 system+0x1eca74 @ 0x6e88ca74 system+0x1ec868 @ 0x6e88c868 system+0x1f82b8 @ 0x6e8982b8 system+0x1ee54d @ 0x6e88e54d system+0x1f70ea @ 0x6e8970ea system+0x1e56c0 @ 0x6e8856c0 system+0x1f8215 @ 0x6e898215 system+0x1f6f75 @ 0x6e896f75 system+0x1ee251 @ 0x6e88e251 system+0x1ee229 @ 0x6e88e229 system+0x1ee170 @ 0x6e88e170 0x54a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6e88bc85 system+0x1f683b @ 0x6e89683b system+0x1a5e44 @ 0x6e845e44 system+0x1fd8a0 @ 0x6e89d8a0 system+0x1fd792 @ 0x6e89d792 system+0x1a14bd @ 0x6e8414bd 0x1fe007a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 1762428 registers.edi: 1990713288 registers.eax: 10223616 registers.ebp: 1762632 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 17, 2021, 9:36 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x727f1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x726c2ba1 mscorlib+0x2f0ddf @ 0x6ef70ddf mscorlib+0x2ebefa @ 0x6ef6befa mscorlib+0x2ebe3d @ 0x6ef6be3d mscorlib+0x2c9783 @ 0x6ef49783 mscorlib+0xa92583 @ 0x6f712583 0x57119e mscorlib+0x2d5861 @ 0x6ef55861 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72652e95 DllGetClassObjectInternal+0x357ee CorDllMainForThunk-0x56d0d clr+0xfa867 @ 0x7273a867 DllGetClassObjectInternal+0x358c6 CorDllMainForThunk-0x56c35 clr+0xfa93f @ 0x7273a93f PreBindAssemblyEx+0x107ff StrongNameSignatureVerification-0x174c clr+0x18836a @ 0x727c836a PreBindAssemblyEx+0x10899 StrongNameSignatureVerification-0x16b2 clr+0x188404 @ 0x727c8404 CreateAssemblyNameObject+0x28676 GetMetaDataInternalInterface-0xfdf9 clr+0x55b0f @ 0x72695b0f GetPrivateContextsPerfCounters+0x13ac DllGetActivationFactoryImpl-0x134b9 clr+0x8932e @ 0x726c932e mscorlib+0x2d5eb7 @ 0x6ef55eb7 mscorlib+0x2d5c33 @ 0x6ef55c33 mscorlib+0x2d7894 @ 0x6ef57894 mscorlib+0x2d74ff @ 0x6ef574ff mscorlib+0x2d71c3 @ 0x6ef571c3 mscorlib+0x2d48ea @ 0x6ef548ea mscorlib+0x36990b @ 0x6efe990b 0x573aaf 0x5713da 0x571325 system+0x19c522 @ 0x6d07c522 system+0x19e920 @ 0x6d07e920 system+0x19e803 @ 0x6d07e803 0x570e78 system+0x1f9799 @ 0x6d0d9799 system+0x1f92c8 @ 0x6d0d92c8 system+0x1eca74 @ 0x6d0cca74 system+0x1ec868 @ 0x6d0cc868 system+0x1f82b8 @ 0x6d0d82b8 system+0x1ee54d @ 0x6d0ce54d system+0x1f70ea @ 0x6d0d70ea system+0x1e56c0 @ 0x6d0c56c0 system+0x1f8215 @ 0x6d0d8215 system+0x1f6f75 @ 0x6d0d6f75 system+0x1ee251 @ 0x6d0ce251 system+0x1ee229 @ 0x6d0ce229 system+0x1ee170 @ 0x6d0ce170 0x33a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6d0cbc85 system+0x1f683b @ 0x6d0d683b system+0x1a5e44 @ 0x6d085e44 system+0x1fd8a0 @ 0x6d0dd8a0 system+0x1fd792 @ 0x6d0dd792 system+0x1a14bd @ 0x6d0814bd 0x57007a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72652e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72707610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72791dc4 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 4508920 registers.edi: 0 registers.eax: 4508920 registers.ebp: 4509000 registers.edx: 0 registers.ebx: 8400776 registers.esi: 7957208 registers.ecx: 3199852441	1
__exception__ Aug. 17, 2021, 9:36 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x6630b8d 0x6630b02 0x667ee3d 0x667e1c3 0x1134280 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x726c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x726c1737 mscorlib+0x2d36ad @ 0x6ef536ad mscorlib+0x308f2d @ 0x6ef88f2d mscorlib+0x3135ed @ 0x6ef935ed 0x573cf7 0x571452 0x571325 system+0x19c522 @ 0x6d07c522 system+0x19e920 @ 0x6d07e920 system+0x19e803 @ 0x6d07e803 0x570e78 system+0x1f9799 @ 0x6d0d9799 system+0x1f92c8 @ 0x6d0d92c8 system+0x1eca74 @ 0x6d0cca74 system+0x1ec868 @ 0x6d0cc868 system+0x1f82b8 @ 0x6d0d82b8 system+0x1ee54d @ 0x6d0ce54d system+0x1f70ea @ 0x6d0d70ea system+0x1e56c0 @ 0x6d0c56c0 system+0x1f8215 @ 0x6d0d8215 system+0x1f6f75 @ 0x6d0d6f75 system+0x1ee251 @ 0x6d0ce251 system+0x1ee229 @ 0x6d0ce229 system+0x1ee170 @ 0x6d0ce170 0x33a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6d0cbc85 system+0x1f683b @ 0x6d0d683b system+0x1a5e44 @ 0x6d085e44 system+0x1fd8a0 @ 0x6d0dd8a0 system+0x1fd792 @ 0x6d0dd792 system+0x1a14bd @ 0x6d0814bd 0x57007a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72652e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72707610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72791dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72791e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72791f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7279416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d67f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d64de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 4514088 registers.edi: 1990713288 registers.eax: 16777216 registers.ebp: 4514292 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 17, 2021, 9:36 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x6630b8d 0x6630b02 0x667ee3d 0x667e1c3 0x1134280 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x726c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x726c1737 mscorlib+0x2d36ad @ 0x6ef536ad mscorlib+0x308f2d @ 0x6ef88f2d mscorlib+0x3135ed @ 0x6ef935ed 0x573cf7 0x571452 0x571325 system+0x19c522 @ 0x6d07c522 system+0x19e920 @ 0x6d07e920 system+0x19e803 @ 0x6d07e803 0x570e78 system+0x1f9799 @ 0x6d0d9799 system+0x1f92c8 @ 0x6d0d92c8 system+0x1eca74 @ 0x6d0cca74 system+0x1ec868 @ 0x6d0cc868 system+0x1f82b8 @ 0x6d0d82b8 system+0x1ee54d @ 0x6d0ce54d system+0x1f70ea @ 0x6d0d70ea system+0x1e56c0 @ 0x6d0c56c0 system+0x1f8215 @ 0x6d0d8215 system+0x1f6f75 @ 0x6d0d6f75 system+0x1ee251 @ 0x6d0ce251 system+0x1ee229 @ 0x6d0ce229 system+0x1ee170 @ 0x6d0ce170 0x33a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6d0cbc85 system+0x1f683b @ 0x6d0d683b system+0x1a5e44 @ 0x6d085e44 system+0x1fd8a0 @ 0x6d0dd8a0 system+0x1fd792 @ 0x6d0dd792 system+0x1a14bd @ 0x6d0814bd 0x57007a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72652e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72707610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72791dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72791e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72791f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7279416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d67f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d64de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 4514088 registers.edi: 1990713288 registers.eax: 4194304 registers.ebp: 4514292 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 17, 2021, 9:36 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x6630b8d 0x6630b02 0x667ee3d 0x667e1c3 0x1134280 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x726c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x726c1737 mscorlib+0x2d36ad @ 0x6ef536ad mscorlib+0x308f2d @ 0x6ef88f2d mscorlib+0x3135ed @ 0x6ef935ed 0x573cf7 0x571452 0x571325 system+0x19c522 @ 0x6d07c522 system+0x19e920 @ 0x6d07e920 system+0x19e803 @ 0x6d07e803 0x570e78 system+0x1f9799 @ 0x6d0d9799 system+0x1f92c8 @ 0x6d0d92c8 system+0x1eca74 @ 0x6d0cca74 system+0x1ec868 @ 0x6d0cc868 system+0x1f82b8 @ 0x6d0d82b8 system+0x1ee54d @ 0x6d0ce54d system+0x1f70ea @ 0x6d0d70ea system+0x1e56c0 @ 0x6d0c56c0 system+0x1f8215 @ 0x6d0d8215 system+0x1f6f75 @ 0x6d0d6f75 system+0x1ee251 @ 0x6d0ce251 system+0x1ee229 @ 0x6d0ce229 system+0x1ee170 @ 0x6d0ce170 0x33a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6d0cbc85 system+0x1f683b @ 0x6d0d683b system+0x1a5e44 @ 0x6d085e44 system+0x1fd8a0 @ 0x6d0dd8a0 system+0x1fd792 @ 0x6d0dd792 system+0x1a14bd @ 0x6d0814bd 0x57007a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72652e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72707610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72791dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72791e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72791f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7279416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d67f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d64de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 4514088 registers.edi: 1990713288 registers.eax: 4194304 registers.ebp: 4514292 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 17, 2021, 9:36 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x6630b8d 0x6630b02 0x667ee3d 0x667e1c3 0x1134280 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x726c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x726c1737 mscorlib+0x2d36ad @ 0x6ef536ad mscorlib+0x308f2d @ 0x6ef88f2d mscorlib+0x3135ed @ 0x6ef935ed 0x573cf7 0x571452 0x571325 system+0x19c522 @ 0x6d07c522 system+0x19e920 @ 0x6d07e920 system+0x19e803 @ 0x6d07e803 0x570e78 system+0x1f9799 @ 0x6d0d9799 system+0x1f92c8 @ 0x6d0d92c8 system+0x1eca74 @ 0x6d0cca74 system+0x1ec868 @ 0x6d0cc868 system+0x1f82b8 @ 0x6d0d82b8 system+0x1ee54d @ 0x6d0ce54d system+0x1f70ea @ 0x6d0d70ea system+0x1e56c0 @ 0x6d0c56c0 system+0x1f8215 @ 0x6d0d8215 system+0x1f6f75 @ 0x6d0d6f75 system+0x1ee251 @ 0x6d0ce251 system+0x1ee229 @ 0x6d0ce229 system+0x1ee170 @ 0x6d0ce170 0x33a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6d0cbc85 system+0x1f683b @ 0x6d0d683b system+0x1a5e44 @ 0x6d085e44 system+0x1fd8a0 @ 0x6d0dd8a0 system+0x1fd792 @ 0x6d0dd792 system+0x1a14bd @ 0x6d0814bd 0x57007a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72652e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72707610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72791dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72791e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72791f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7279416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d67f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d64de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 4514088 registers.edi: 1990713288 registers.eax: 18153472 registers.ebp: 4514292 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 17, 2021, 9:36 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x6630b8d 0x6630b02 0x667ee3d 0x667e1c3 0x1134280 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x726c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x726c1737 mscorlib+0x2d36ad @ 0x6ef536ad mscorlib+0x308f2d @ 0x6ef88f2d mscorlib+0x3135ed @ 0x6ef935ed 0x573cf7 0x571452 0x571325 system+0x19c522 @ 0x6d07c522 system+0x19e920 @ 0x6d07e920 system+0x19e803 @ 0x6d07e803 0x570e78 system+0x1f9799 @ 0x6d0d9799 system+0x1f92c8 @ 0x6d0d92c8 system+0x1eca74 @ 0x6d0cca74 system+0x1ec868 @ 0x6d0cc868 system+0x1f82b8 @ 0x6d0d82b8 system+0x1ee54d @ 0x6d0ce54d system+0x1f70ea @ 0x6d0d70ea system+0x1e56c0 @ 0x6d0c56c0 system+0x1f8215 @ 0x6d0d8215 system+0x1f6f75 @ 0x6d0d6f75 system+0x1ee251 @ 0x6d0ce251 system+0x1ee229 @ 0x6d0ce229 system+0x1ee170 @ 0x6d0ce170 0x33a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6d0cbc85 system+0x1f683b @ 0x6d0d683b system+0x1a5e44 @ 0x6d085e44 system+0x1fd8a0 @ 0x6d0dd8a0 system+0x1fd792 @ 0x6d0dd792 system+0x1a14bd @ 0x6d0814bd 0x57007a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72652e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72707610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72791dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72791e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72791f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7279416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d67f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d64de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 4514088 registers.edi: 1990713288 registers.eax: 10616832 registers.ebp: 4514292 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 17, 2021, 9:37 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x219422d 0x21941a2 0x2191b64 0x2191153 0x5eaf7b8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x722d264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72341838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72341737 mscorlib+0x2d36ad @ 0x6b8a36ad mscorlib+0x308f2d @ 0x6b8d8f2d mscorlib+0x3135ed @ 0x6b8e35ed 0x753d0f 0x751452 0x751325 system+0x19c522 @ 0x6ab4c522 system+0x19e920 @ 0x6ab4e920 system+0x19e803 @ 0x6ab4e803 0x750e78 system+0x1f9799 @ 0x6aba9799 system+0x1f92c8 @ 0x6aba92c8 system+0x1eca74 @ 0x6ab9ca74 system+0x1ec868 @ 0x6ab9c868 system+0x1f82b8 @ 0x6aba82b8 system+0x1ee54d @ 0x6ab9e54d system+0x1f70ea @ 0x6aba70ea system+0x1e56c0 @ 0x6ab956c0 system+0x1f8215 @ 0x6aba8215 system+0x1f6f75 @ 0x6aba6f75 system+0x1ee251 @ 0x6ab9e251 system+0x1ee229 @ 0x6ab9e229 system+0x1ee170 @ 0x6ab9e170 0x42a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6ab9bc85 system+0x1f683b @ 0x6aba683b system+0x1a5e44 @ 0x6ab55e44 system+0x1fd8a0 @ 0x6abad8a0 system+0x1fd792 @ 0x6abad792 system+0x1a14bd @ 0x6ab514bd 0x75007a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x722d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x722d2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72387610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72411dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72411e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72411f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7241416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72a47f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72a44de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 1697392 registers.edi: 1990713288 registers.eax: 16777216 registers.ebp: 1697596 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 17, 2021, 9:37 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x219422d 0x21941a2 0x2191b64 0x2191153 0x5eaf7b8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x722d264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72341838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72341737 mscorlib+0x2d36ad @ 0x6b8a36ad mscorlib+0x308f2d @ 0x6b8d8f2d mscorlib+0x3135ed @ 0x6b8e35ed 0x753d0f 0x751452 0x751325 system+0x19c522 @ 0x6ab4c522 system+0x19e920 @ 0x6ab4e920 system+0x19e803 @ 0x6ab4e803 0x750e78 system+0x1f9799 @ 0x6aba9799 system+0x1f92c8 @ 0x6aba92c8 system+0x1eca74 @ 0x6ab9ca74 system+0x1ec868 @ 0x6ab9c868 system+0x1f82b8 @ 0x6aba82b8 system+0x1ee54d @ 0x6ab9e54d system+0x1f70ea @ 0x6aba70ea system+0x1e56c0 @ 0x6ab956c0 system+0x1f8215 @ 0x6aba8215 system+0x1f6f75 @ 0x6aba6f75 system+0x1ee251 @ 0x6ab9e251 system+0x1ee229 @ 0x6ab9e229 system+0x1ee170 @ 0x6ab9e170 0x42a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6ab9bc85 system+0x1f683b @ 0x6aba683b system+0x1a5e44 @ 0x6ab55e44 system+0x1fd8a0 @ 0x6abad8a0 system+0x1fd792 @ 0x6abad792 system+0x1a14bd @ 0x6ab514bd 0x75007a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x722d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x722d2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72387610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72411dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72411e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72411f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7241416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72a47f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72a44de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 1697392 registers.edi: 1990713288 registers.eax: 4194304 registers.ebp: 1697596 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 17, 2021, 9:37 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x219422d 0x21941a2 0x2191b64 0x2191153 0x5eaf7b8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x722d264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72341838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72341737 mscorlib+0x2d36ad @ 0x6b8a36ad mscorlib+0x308f2d @ 0x6b8d8f2d mscorlib+0x3135ed @ 0x6b8e35ed 0x753d0f 0x751452 0x751325 system+0x19c522 @ 0x6ab4c522 system+0x19e920 @ 0x6ab4e920 system+0x19e803 @ 0x6ab4e803 0x750e78 system+0x1f9799 @ 0x6aba9799 system+0x1f92c8 @ 0x6aba92c8 system+0x1eca74 @ 0x6ab9ca74 system+0x1ec868 @ 0x6ab9c868 system+0x1f82b8 @ 0x6aba82b8 system+0x1ee54d @ 0x6ab9e54d system+0x1f70ea @ 0x6aba70ea system+0x1e56c0 @ 0x6ab956c0 system+0x1f8215 @ 0x6aba8215 system+0x1f6f75 @ 0x6aba6f75 system+0x1ee251 @ 0x6ab9e251 system+0x1ee229 @ 0x6ab9e229 system+0x1ee170 @ 0x6ab9e170 0x42a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6ab9bc85 system+0x1f683b @ 0x6aba683b system+0x1a5e44 @ 0x6ab55e44 system+0x1fd8a0 @ 0x6abad8a0 system+0x1fd792 @ 0x6abad792 system+0x1a14bd @ 0x6ab514bd 0x75007a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x722d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x722d2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72387610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72411dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72411e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72411f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7241416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72a47f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72a44de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 1697392 registers.edi: 1990713288 registers.eax: 9699328 registers.ebp: 1697596 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (14 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.163.45.248/
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.163.45.248//l/f/VAuJUXsBPvGyIjkLtOpJ/d657180f13db0ff9b8ee6da6bdfe300a7ea52ed9
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.163.45.248//l/f/VAuJUXsBPvGyIjkLtOpJ/cd7c869b70884aeb0988dc2ac3b497411564fd4d
suspicious_features	POST method with no referer header	suspicious_request	POST http://myproskxa.ac.ug/index.php
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://kullasa.ac.ug/softokn3.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://kullasa.ac.ug/sqlite3.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://kullasa.ac.ug/freebl3.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://kullasa.ac.ug/mozglue.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://kullasa.ac.ug/msvcp140.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://kullasa.ac.ug/nss3.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://kullasa.ac.ug/vcruntime140.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://kullasa.ac.ug/main.php
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://kullasa.ac.ug/
suspicious_features	GET method with no useragent header	suspicious_request	GET https://telete.in/brikitiki

Performs some HTTP requests (14 events)

request	POST http://185.163.45.248/
request	GET http://185.163.45.248//l/f/VAuJUXsBPvGyIjkLtOpJ/d657180f13db0ff9b8ee6da6bdfe300a7ea52ed9
request	GET http://185.163.45.248//l/f/VAuJUXsBPvGyIjkLtOpJ/cd7c869b70884aeb0988dc2ac3b497411564fd4d
request	POST http://myproskxa.ac.ug/index.php
request	POST http://kullasa.ac.ug/softokn3.dll
request	POST http://kullasa.ac.ug/sqlite3.dll
request	POST http://kullasa.ac.ug/freebl3.dll
request	POST http://kullasa.ac.ug/mozglue.dll
request	POST http://kullasa.ac.ug/msvcp140.dll
request	POST http://kullasa.ac.ug/nss3.dll
request	POST http://kullasa.ac.ug/vcruntime140.dll
request	POST http://kullasa.ac.ug/main.php
request	POST http://kullasa.ac.ug/
request	GET https://telete.in/brikitiki

Sends data using the HTTP POST Method (11 events)

request	POST http://185.163.45.248/
request	POST http://myproskxa.ac.ug/index.php
request	POST http://kullasa.ac.ug/softokn3.dll
request	POST http://kullasa.ac.ug/sqlite3.dll
request	POST http://kullasa.ac.ug/freebl3.dll
request	POST http://kullasa.ac.ug/mozglue.dll
request	POST http://kullasa.ac.ug/msvcp140.dll
request	POST http://kullasa.ac.ug/nss3.dll
request	POST http://kullasa.ac.ug/vcruntime140.dll
request	POST http://kullasa.ac.ug/main.php
request	POST http://kullasa.ac.ug/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 141 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fe0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72142000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00556000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fe1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fe2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fe3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fe4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fe5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048cf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x09710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 57344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x09711000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0971f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 17, 2021, 9:36 a.m.	process_identifier: 2932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72142000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 17, 2021, 9:36 a.m.	process_identifier: 2532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72042000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:36 a.m.	process_identifier: 2412 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00280000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW Aug. 17, 2021, 9:36 a.m.	number_of_free_clusters: 3350790 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \\?\Volume{c2d901c4-0706-11e8-912e-806e6f6e6963}\ total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceExW Aug. 17, 2021, 9:29 a.m.	total_number_of_free_bytes: 13725487104 free_bytes_available: 13725487104 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Steals private information from local Internet browsers (50 out of 1331 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\QuotaManager-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\UrlSoceng.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\kn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\ms\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\pt_PT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\ru\messages.json
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_1
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\ro\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\pl
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\he\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\manifest.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_metadata\verified_contents.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\ja
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\da\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\zh_TW\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\zh_TW\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\LOG.old
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Translate Ranker Model
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\hi\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\mr\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\de
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\da
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\uk\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sl
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sl\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\ta
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\es_419
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\te
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\tr\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\th
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\zh\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\pt_PT\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\id\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\tr

Creates executable files on the filesystem (50 out of 72 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\open1.png.lnk
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nssckbi.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\breakpadinjector.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\softokn3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\open.PNG.lnk
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\IA2Marshal.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\AccessibleHandler.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\freebl3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\MapiProxy_InUse.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\mozMapi32_InUse.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\libEGL.dll
file	C:\ProgramData\vcruntime140.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\lgpllibs.dll
file	C:\ProgramData\mozglue.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nssdbm3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\vcruntime140.dll
file	C:\ProgramData\sqlite3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nss3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\msvcp140.dll
file	C:\ProgramData\freebl3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\AccessibleMarshal.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-heap-l1-1-0.dll
file	C:\ProgramData\nss3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\Evpctmxstsshc.vbs
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\prldap60.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-file-l1-2-0.dll
file	C:\ProgramData\msvcp140.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\MapiProxy.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\mozMapi32.dll
file	C:\Users\test22\AppData\LocalLow\sqlite3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\ucrtbase.dll
file	C:\ProgramData\softokn3.dll

Creates a shortcut to an executable file (50 out of 128 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Performance Monitor.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\agent.pyw.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Component Services.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\Python Manuals.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\open.PNG.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sound Recorder.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\util.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Settings.ini.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office Access 2007.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Wordpad.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HttpWatch Professional Edition\Automation Examples.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Chrome.lnk
file	C:\Users\test22\Links\Desktop.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HttpWatch Professional Edition\HttpWatch Automation Reference.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\GameExplorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\Module Docs.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPlus.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\services.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Security Configuration Management.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Control Panel.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE (x86).lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip Help.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Mobility Center.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\About Java.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Math Input Panel.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HttpWatch Professional Edition\HttpWatch Studio.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\System Restore.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Windows Easy Transfer Reports.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Resource Monitor.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Private Character Editor.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office Publisher 2007.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Memory Diagnostics Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Character Map.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.lnk

Creates a suspicious process (3 events)

cmdline	cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\zxcvb.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /pid 2480 & erase C:\Users\test22\AppData\Local\Temp\Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe & RD /S /Q C:\\ProgramData\\330118707341584\\* & exit
cmdline	cmd.exe /c taskkill /pid 2480 & erase C:\Users\test22\AppData\Local\Temp\Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe & RD /S /Q C:\\ProgramData\\330118707341584\\* & exit

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\Skcczlqwcscgqo.vbs
file	C:\Users\test22\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
file	C:\Users\test22\AppData\Local\Temp\Evpctmxstsshc.vbs
file	C:\Users\test22\AppData\Local\Temp\Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe

Drops an executable to the user AppData folder (50 out of 60 events)

file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\breakpadinjector.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\prldap60.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nss3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\mozglue.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\softokn3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\vcruntime140.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\MapiProxy.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\IA2Marshal.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\msvcp140.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\AccessibleHandler.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\qipcap.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sqlite3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\freebl3.dll
file	C:\Users\test22\AppData\Local\Temp\zxcvb.exe
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\ucrtbase.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\libEGL.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nssckbi.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nssdbm3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\lgpllibs.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\ldap60.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-profile-l1-1-0.dll

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 2480)

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Aug. 17, 2021, 9:36 a.m.	thread_identifier: 1824 thread_handle: 0x000006fc process_identifier: 1772 current_directory: filepath: track: 1 command_line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\zxcvb.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000700	1	1	0
ShellExecuteExW Aug. 17, 2021, 9:37 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c taskkill /pid 2480 & erase C:\Users\test22\AppData\Local\Temp\Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe & RD /S /Q C:\\ProgramData\\330118707341584\\* & exit filepath: cmd.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 17, 2021, 9:36 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe (7 events)

Time & API	Arguments	Status	Return
InternetReadFile Aug. 17, 2021, 9:37 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¢l$æ JOæ JOæ JOïuÙOê JO?oKNä JO?oINä JO?oONì JO?oNNí JOÄmKNä JO-nKNå JOæ KO~ JO-nNNò JO-nJNç JO-nµOç JO-nHNç JORichæ JOPEL¿bë[à"!¶b¼ÐP ±@¨¸È0xÐ@`ÐþT(ÿ@Ðl.textË´¶ `.rdata DÐFº@@.data @À.rsrcx0@@.reloc`@@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 17, 2021, 9:37 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELê=Sv?à!ÐàXà` 8Ã °ÐL ü'ð¬Ñp.textÀÎÐ`0`.data°àÖ@@À.rdata$ð®æ@@@.bss @À.edata°@0@.idataL Ð®@0À.CRTàº@0À.tls ð¼@0À.relocü'(¾@0B/4`0æ@@B/19È@è@B/35MPì@B/51`C`Dô@B/63 °8@B/77ÀF@B/89ÐR request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 17, 2021, 9:37 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Àð/AVAVAVéÒVAV]ó@WAV1VAV]óBWAV]óDWAV]óEWAV¦ñ@WAVOò@WAV@VÖAVOòBWAVOòEWÀAVOòAWAVOò¾VAVOòCWAVRichAVPELØbë[à"!Øf)Ýðp£s@pæPÀæÈ@xüÐPà0âTâ@ð8.texttÖØ `.rdataüþðÜ@@.data,HðÜ@À.rsrcx@à@@.relocàPä@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 17, 2021, 9:37 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÂU±É£;âÉ£;âÉ£;âÀÛ¨âÙ£;âWüâË£;âÁ8ãÇ£;âÁ?ãÂ£;âÁ:ãÍ£;âÁ>ãÛ£;âëÃ:ãÀ£;âÉ£:âw£;âÀ?ãÈ£;âÀ>ãÝ£;âÀ;ãÈ£;âÀÄâÈ£;âÀ9ãÈ£;âRichÉ£;âPELÄ_ë[à"!zà@3@A@Àt´Þ, xúÐ0h¹TT¹h¸@ôl¾.textÊxz `.rdata^ef~@@.data¼ä@À.didat8æ@À.rsrcx è@@.reloch0ì@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 17, 2021, 9:37 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $¦È¼Aâ©Òâ©Òâ©ÒV5=à©ÒëÑAú©Ò;ËÓá©Òâ©Ó"©Ò;ËÑë©Ò;ËÖî©Ò;Ë×ô©Ò;ËÚ©Ò;ËÒã©Ò;Ë-ã©Ò;ËÐã©ÒRichâ©ÒPEL8'Yà"!P± Ðaz@AðCÏôR,øx8?4:ðf8È(@Pð@@.textr `.data( @À.idata6P @@.didat4p6@À.rsrcø8@@.reloc4:<<@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 17, 2021, 9:37 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $#4gâZßgâZßgâZßnÉßsâZß¾[ÞeâZßùBßcâZß¾YÞjâZß¾_ÞmâZß¾^ÞlâZßE[ÞoâZß¬[ÞdâZßgâ[ßâZß¬^ÞmãZß¬ZÞfâZß¬¥ßfâZß¬XÞfâZßRichgâZßPELbë[à"!êwð@·»@ =T°pæÐÀ}pTÈ@ø.textèê `.rdataRTî@@.datatG`"B@À.rsrcp°d@@.reloc}À~h@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 17, 2021, 9:37 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ù£NEÍEÍEÍñ"GÍLà^NÍEÌlÍúÉUÍúÎVÍúÈAÍúÅ_ÍúÍDÍú2DÍúÏDÍRichEÍPEL8'Yà"!ê ® @¼@A°ð À H?0 °8è@¼.textÄéê `.dataDî@À.idata¸ð@@.rsrc ö@@.reloc 0ü@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00122a00', u'virtual_address': u'0x00002000', u'entropy': 7.998666464601445, u'name': u'.text', u'virtual_size': u'0x0012280c'}

entropy

7.9986664646

description

A section with a high entropy has been found

entropy

0.980598903416

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 17, 2021, 9:31 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 17, 2021, 9:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 17, 2021, 9:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 17, 2021, 9:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (2 events)

url	http://ip-api.com/json
url	https://dotbit.me/a/

Yara rule detected in process memory (35 events)

description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	Run a KeyLogger	rule	KeyLogger
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 79 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000005fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x000005a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1	0
RegOpenKeyExW Aug. 17, 2021, 9:36 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall		2
RegOpenKeyExA Aug. 17, 2021, 9:37 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExA Aug. 17, 2021, 9:37 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000338 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExA Aug. 17, 2021, 9:37 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000338 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExA Aug. 17, 2021, 9:37 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000338 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExA Aug. 17, 2021, 9:37 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000338 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExA Aug. 17, 2021, 9:37 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x00000338 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExA Aug. 17, 2021, 9:37 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000338 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExA Aug. 17, 2021, 9:37 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000338 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExA Aug. 17, 2021, 9:37 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000338 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExA Aug. 17, 2021, 9:37 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000338 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	taskkill /pid 2480
cmdline	cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\zxcvb.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /pid 2480 & erase C:\Users\test22\AppData\Local\Temp\Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe & RD /S /Q C:\\ProgramData\\330118707341584\\* & exit
cmdline	cmd.exe /c taskkill /pid 2480 & erase C:\Users\test22\AppData\Local\Temp\Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe & RD /S /Q C:\\ProgramData\\330118707341584\\* & exit

One or more of the buffers contains an embedded PE file (3 events)

buffer	Buffer with sha1: 17e82febc0cb36ba2011810cdb2427dc11677bb3
buffer	Buffer with sha1: affdd81e6a424aca85b4986a343250c501595d57
buffer	Buffer with sha1: cddacd5270efe19f7b55fd8452a60b2adbab35f3

Communicates with host for which no DNS query was performed (1 event)

host

185.163.45.248

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2532 region_size: 598016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000028c	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:36 a.m.	process_identifier: 1460 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1
NtAllocateVirtualMemory Aug. 17, 2021, 9:37 a.m.	process_identifier: 2480 region_size: 212992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000280	1

Attempts to identify installed AV products by installation directory (14 events)

file	C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System\Support
file	C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System\Support\NisLog.txt
file	C:\ProgramData\Microsoft\Microsoft Antimalware
file	C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System
file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppSetup.etl
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppSetupResult.ini
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_4.10.209.0_epp_Install.log
file	C:\ProgramData\Microsoft\Microsoft Security Client
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\Application.etl
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppSetup.log
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_4.10.209.0_epp_Uninstall.log
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppOobe.etl

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Attempts to access Bitcoin/ALTCoin wallets (19 events)

file	C:\Users\test22\AppData\Roaming\Bitcoin\
file	C:\Users\test22\AppData\Roaming\Electrum\wallets\
file	C:\Users\test22\AppData\Roaming\Litecoin\
file	C:\Users\test22\AppData\Roaming\Namecoin\
file	C:\Users\test22\AppData\Roaming\Terracoin\
file	C:\Users\test22\AppData\Roaming\Primecoin\
file	C:\Users\test22\AppData\Roaming\Freicoin\
file	C:\Users\test22\AppData\Roaming\devcoin\
file	C:\Users\test22\AppData\Roaming\Franko\
file	C:\Users\test22\AppData\Roaming\Megacoin\
file	C:\Users\test22\AppData\Roaming\Infinitecoin\
file	C:\Users\test22\AppData\Roaming\Ixcoin\
file	C:\Users\test22\AppData\Roaming\Anoncoin\
file	C:\Users\test22\AppData\Roaming\BBQCoin\
file	C:\Users\test22\AppData\Roaming\digitalcoin\
file	C:\Users\test22\AppData\Roaming\Mincoin\
file	C:\Users\test22\AppData\Roaming\GoldCoin (GLD)\
file	C:\Users\test22\AppData\Roaming\YACoin\
file	C:\Users\test22\AppData\Roaming\Florincoin\

Attempts to detect Cuckoo Sandbox through the presence of a file (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agent.py
file	C:\Python27\agent.pyw

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\zxcvb.exe

Potential code injection by writing to the memory of another process (8 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 17, 2021, 9:31 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $G[¡:ÏÉ:ÏÉ:ÏÉXRÌÈ:ÏÉXRÊÈ¿:ÏÉXRÈÈ:ÏÉQOËÈ:ÏÉQOÌÈ:ÏÉQOÊÈS:ÏÉXRËÈ:ÏÉXRÉÈ:ÏÉXRÎÈ:ÏÉ:ÎÉð:ÏÉ[OÆÈ:ÏÉ[OÍÈ:ÏÉRich:ÏÉPELìraà¢@wøÀ@ @BÀüQÈÔ8Õ@À°.text ¢ `.rdataâÀ¦@@.dataT`F>@À.relocüQÀR@B base_address: 0x00400000 process_identifier: 2532 process_handle: 0x0000028c	1	1
WriteProcessMemory Aug. 17, 2021, 9:31 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2532 process_handle: 0x0000028c	1	1
WriteProcessMemory Aug. 17, 2021, 9:36 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à$¦°@@Ðà\CODE° `DATAl°@ÀBSSÅÀ¤À.idataÐ¤@À.reloc\à¬@PÄ@P base_address: 0x00400000 process_identifier: 1460 process_handle: 0x00000290	1	1
WriteProcessMemory Aug. 17, 2021, 9:36 a.m.	buffer: @2À@@@\@ì @l$@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@ErrorÀRuntime error at 00000000À0123456789ABCDEFÿÿÿÿàO@ÀÀ@@J7<äºÏ¿}ªiFîµä[Jú-EÝ]³QçëqØ'ÓØ'ÓØ'ÖØ7nØ$ÓsØ$ÓsØ$nsØ7ÓsØ7ÖsØ$ÓØ7Ø7ÖØ7ÖsØ$ÓØ$nsØ$nsØ7Ø$ÓØ$nsØ$nsØ7ÖsØ$ÓsØÔØ'ØØsØXØ$ÓØ'ÖØqØ'ÖØáveÛe3ôs>v÷E±Yêá)VûAr5d2'òÂØMY pê5ù©ñÌ-þ+~R¶ÖæÐvMºoß3 v§·5vÅÞ¸`6©¤á þáx.¢Wï)b!ò²jíïz´Ì·\|X¸q/Õæ?dEzãîs£3Ãhp>4Æ7èËJ\|úðØèëá¾iAò¡úèÌ3áHþíG\rgã@À¥[\ë¸?áRÃénSÑÒ-´¼;ÐÍñ[MQ¶SEvr]`U¥Ýê(èúmü'~àÖ.ÚÅÂÅÃ3Â%G°j°Uî½S:Ì¦æä[½V¿vz½åÁL}¸<ÿ,9ÞýV_:Â9 ç½WùÙÔÛoSûËÛ`Qé6ñ¡àwËm¥Anm'o-°aÃÐµ1ä¨5[þ'Çè©Ð¦¿q¤ÞÆ +ºê$gÌ7¶G~Ø: ðDºÜÑk½´úÓæ`¸{ÈQÖÎ<Aæ>5²+X2`ÿ0e¢÷¼Aâ@PD%ÌÐÒ:¨»efk®Z¨ÃÌPÒÕcÕéN{»¨¤¦b«?O±óÝ0ZRÔèÌÚÃOË©¤×`TwR\ÀàÄËÃÐÃsS¦@O±j¹}¢ì Jg_ÍYÇò @'¸PÂZ°)zãp>cXgÇ¼\|½\ÏODná)ü7Lôû8a³Ô´:3ªÆôë¥øGgPnº1½·ÕÔ^)õ/2{Û¸<T¾i#©È7ný_Fû^înB!ôëäRÛc-dèmàÇ«>WÆÄNä¨«$há:_p$Öd^}QÏ kï8áeÏÌË%V¿âFNØ\ðøG;æ1Èy¤SÇ,°!#fñÄþ j®Þ Ø\|íälçÇ+ÆÚ EÅÅ$Ü¶Dë Í!kù,ú"dlQ(°ÇMIÎ,p#°)]ÕÙ9i-0àl&®ª!YÑoPÝ+¾9}\±¡©Ù.¿4#D.§×è¼R I±£ç 1ÔTû_v¿tÂmÿóJQ÷Ð\pk+Fæ_h:÷Ù æÄ £8 c+-û2_ö0ýcQò¸dtµ+ûÞ¸¦åð#t êqêR(PY» ïÀ(¢#ÓÏÆÌzÓ ¯N$ÇAÇAôÆApÇA¤ÆAÇA@ÇAhÇAlÆA,ÇA¼ÆAÇA°ÆAÆAÄÆA´°AÇAÇAÇA(ÈA\ÇAüÆA4ÇA\|ÆAÆAìÆA ÇA<ÇA¸°AèÆA¤ÇA°°AÀÆAÇA¸ÆAdÆA°ÇAðÆA ÇA´ÆA(ÇAÈÇAØ°A¼°AÆAÇAÇAÇAÆA ÆA8ÇA¬ÆAPÇA¬ÇAÆALÇAøÆAÌÆADÇA`ÇA¬°A ÈA¨ÇAÇAÇAÈÆAÆAÇAÆA0ÇAhÆAHÇA´ÇAmyproskxa.ac.ug base_address: 0x0041b000 process_identifier: 1460 process_handle: 0x00000290	1	1
WriteProcessMemory Aug. 17, 2021, 9:36 a.m.	buffer: ,ÒÜÐ ÔHÑXÔXÑÔhÑàÔxÑÕÑ8ÕÑºÖðÑ*×Òp× Ò:ÒRÒjÒÒÒ¬Ò¼ÒÈÒÖÒæÒÓÓ$Ó:ÓPÓbÓtÓÓÓ®Ó¼ÓÊÓÖÓòÓþÓÔ,Ô>ÔLÔfÔzÔÔ¦Ô¶ÔÌÔîÔÕ Õ.ÕFÕRÕZÕfÕxÕÕÕ¦Õ¶ÕÆÕØÕìÕÖÖ.ÖBÖPÖ`ÖrÖ~ÖÖÖ®ÖÄÖÔÖäÖðÖ× ×6×B×V×^×z××kernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetTickCountQueryPerformanceCounterGetVersionGetCurrentThreadIdWideCharToMultiByteMultiByteToWideCharGetThreadLocaleGetStartupInfoAGetModuleFileNameAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxACharNextAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenSysAllocStringLenkernel32.dllGetModuleHandleAadvapi32.dllRegOpenKeyExARegEnumKeyAFreeSidkernel32.dllWriteFileSleepLocalFreeLoadLibraryExWLoadLibraryAGlobalUnlockGlobalLockGetTickCountGetSystemInfoGetProcAddressGetModuleHandleAGetModuleFileNameAGetFileAttributesWGetCurrentProcessIdGetCurrentProcessFreeLibraryFindNextFileWFindFirstFileWFindCloseExitProcessDeleteFileWCreateDirectoryWCopyFileWgdi32.dllSelectObjectDeleteObjectDeleteDCCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSystemMetricsGetDCCharToOemBuffAole32.dllOleInitializeCoCreateInstance base_address: 0x0041d000 process_identifier: 1460 process_handle: 0x00000290	1	1
WriteProcessMemory Aug. 17, 2021, 9:36 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1460 process_handle: 0x00000290	1	1
WriteProcessMemory Aug. 17, 2021, 9:37 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $8±K¿\|Ð%ì\|Ð%ì\|Ð%ìï½ì}Ð%ì¦»ìdÐ%ì¦ìùÐ%ì¦ìOÐ%ìu¨¦ì~Ð%ìu¨¶ì{Ð%ì\|Ð$ìÐ%ì¦ìvÐ%ì¦¸ì}Ð%ìRich\|Ð%ìPELÎ^à 0âz@@@D¨Pôh@@.text.0 `.rdatalq@r4@@.data¨CÀ¦@À.reloc0+,¸@B base_address: 0x00400000 process_identifier: 2480 process_handle: 0x00000280	1	1
WriteProcessMemory Aug. 17, 2021, 9:37 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2480 process_handle: 0x00000280	1	1

Code injection by writing an executable or DLL to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 17, 2021, 9:31 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $G[¡:ÏÉ:ÏÉ:ÏÉXRÌÈ:ÏÉXRÊÈ¿:ÏÉXRÈÈ:ÏÉQOËÈ:ÏÉQOÌÈ:ÏÉQOÊÈS:ÏÉXRËÈ:ÏÉXRÉÈ:ÏÉXRÎÈ:ÏÉ:ÎÉð:ÏÉ[OÆÈ:ÏÉ[OÍÈ:ÏÉRich:ÏÉPELìraà¢@wøÀ@ @BÀüQÈÔ8Õ@À°.text ¢ `.rdataâÀ¦@@.dataT`F>@À.relocüQÀR@B base_address: 0x00400000 process_identifier: 2532 process_handle: 0x0000028c	1	1
WriteProcessMemory Aug. 17, 2021, 9:36 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à$¦°@@Ðà\CODE° `DATAl°@ÀBSSÅÀ¤À.idataÐ¤@À.reloc\à¬@PÄ@P base_address: 0x00400000 process_identifier: 1460 process_handle: 0x00000290	1	1
WriteProcessMemory Aug. 17, 2021, 9:37 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $8±K¿\|Ð%ì\|Ð%ì\|Ð%ìï½ì}Ð%ì¦»ìdÐ%ì¦ìùÐ%ì¦ìOÐ%ìu¨¦ì~Ð%ìu¨¶ì{Ð%ì\|Ð$ìÐ%ì¦ìvÐ%ì¦¸ì}Ð%ìRich\|Ð%ìPELÎ^à 0âz@@@D¨Pôh@@.text.0 `.rdatalq@r4@@.data¨CÀ¦@À.reloc0+,¸@B base_address: 0x00400000 process_identifier: 2480 process_handle: 0x00000280	1	1

Collects information about installed applications (50 out of 54 events)

Time & API	Arguments	Status
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:36 a.m.	key_handle: 0x000005a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:37 a.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:37 a.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:37 a.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:37 a.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:37 a.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:37 a.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:37 a.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:37 a.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:37 a.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:37 a.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:37 a.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:37 a.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:37 a.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:37 a.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:37 a.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:37 a.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:37 a.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:37 a.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:37 a.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:37 a.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:37 a.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:37 a.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2021, 9:37 a.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.2cae1b3be4c37e8f
McAfee	Artemis!2CAE1B3BE4C3
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_60% (D)
APEX	Malicious
McAfee-GW-Edition	Artemis!Trojan
Sophos	ML/PE-A
Microsoft	Program:Win32/Wacapew.C!ml
Cynet	Malicious (score: 100)
BitDefenderTheta	Gen:NN.ZemsilF.34088.kn0@aeelt!f
Malwarebytes	MachineLearning/Anomalous.97%
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Network activity contains more than one unique useragent (2 events)

process	Qhbcytidvconsoleapp6aa.exe				useragent	Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
process	Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe				useragent

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2444 called NtSetContextThread to modify thread in remote process 2532
Process injection	Process 2412 called NtSetContextThread to modify thread in remote process 1460
Process injection	Process 412 called NtSetContextThread to modify thread in remote process 2480
NtSetContextThread Aug. 17, 2021, 9:31 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4454519 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003f0 process_identifier: 2532	1	0	0
NtSetContextThread Aug. 17, 2021, 9:36 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4302468 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003f4 process_identifier: 1460	1	0	0
NtSetContextThread Aug. 17, 2021, 9:37 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4291211 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000027c process_identifier: 2480	1	0	0

One or more non-whitelisted processes were created (4 events)

parent_process	wscript.exe	martian_process	"C:\Users\test22\AppData\Local\Temp\Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe"
parent_process	wscript.exe	martian_process	C:\Users\test22\AppData\Local\Temp\Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe
parent_process	wscript.exe	martian_process	C:\Users\test22\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
parent_process	wscript.exe	martian_process	"C:\Users\test22\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe"

Appends a known multi-family ransomware file extension to files that have been encrypted (50 out of 79 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Python27\tcl\tcl8.5\encoding\euc-cn.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-3.enc
file	C:\Python27\tcl\tcl8.5\encoding\ascii.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp857.enc
file	C:\Python27\tcl\tcl8.5\encoding\macIceland.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp864.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1254.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-8.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp860.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp863.enc
file	C:\Python27\tcl\tcl8.5\encoding\ksc5601.enc
file	C:\Python27\tcl\tcl8.5\encoding\euc-kr.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1255.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-2.enc
file	C:\Python27\tcl\tcl8.5\encoding\macGreek.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1256.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp949.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp437.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp775.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-14.enc
file	C:\Python27\tcl\tcl8.5\encoding\big5.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp950.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso2022-jp.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp869.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-5.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-9.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp874.enc
file	C:\Python27\tcl\tcl8.5\encoding\macRoman.enc
file	C:\Python27\tcl\tcl8.5\encoding\gb1988.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-15.enc
file	C:\Python27\tcl\tcl8.5\encoding\macDingbats.enc
file	C:\Python27\tcl\tcl8.5\encoding\macThai.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp865.enc
file	C:\Python27\tcl\tcl8.5\encoding\jis0201.enc
file	C:\Python27\tcl\tcl8.5\encoding\macCentEuro.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp850.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1257.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1251.enc
file	C:\Python27\tcl\tcl8.5\encoding\euc-jp.enc
file	C:\Python27\tcl\tcl8.5\encoding\jis0208.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp866.enc
file	C:\Python27\tcl\tcl8.5\encoding\macCyrillic.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-1.enc
file	C:\Python27\tcl\tcl8.5\encoding\macRomania.enc
file	C:\Python27\tcl\tcl8.5\encoding\ebcdic.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-4.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1250.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp862.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp936.enc

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 121 events)

file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nssckbi.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\breakpadinjector.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\softokn3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\IA2Marshal.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\MapiProxy_InUse.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\libEGL.dll
file	C:\Users\test22\AppData\LocalLow\rQF69AzBla
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\lgpllibs.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\MapiProxy.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\prldap60.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nss3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\msvcp140.dll
file	C:\Users\test22\AppData\LocalLow\RYwTiizs2t
file	C:\Users\test22\AppData\LocalLow\foxmail.temp
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\LocalLow\x3CF3EDNhm
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\AccessibleMarshal.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\vcruntime140.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\ldap60.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\mozglue.dll
file	C:\Users\test22\AppData\LocalLow\frAQBc8Wsa
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\chrome_urls.txt
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\mozMapi32.dll
file	C:\Users\test22\AppData\LocalLow\ie_ftp_data.txt
file	C:\Users\test22\AppData\LocalLow\sqlite3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\eJ7xG7cQ_5q.zip
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\ucrtbase.dll

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2444 resumed a thread in remote process 2532
Process injection	Process 2412 resumed a thread in remote process 1460
Process injection	Process 412 resumed a thread in remote process 2480
NtResumeThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x000003f0 suspend_count: 1 process_identifier: 2532	1	0	0
NtResumeThread Aug. 17, 2021, 9:36 a.m.	thread_handle: 0x000003f4 suspend_count: 1 process_identifier: 1460	1	0	0
NtResumeThread Aug. 17, 2021, 9:37 a.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 2480	1	0	0

Detects VirtualBox using WNetGetProviderName trick (1 event)

Time & API	Arguments	Status	Return	Repeated
WNetGetProviderNameW Aug. 17, 2021, 9:36 a.m.	net_type: 0x00250000		1222	0

Executed a process and injected code into it, probably while unpacking (50 out of 77 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 2444	1	0
NtGetContextThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2444	1	0
NtGetContextThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2444	1	0
NtGetContextThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2444	1	0
NtGetContextThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2444	1	0
NtGetContextThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2444	1	0
NtGetContextThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2444	1	0
CreateProcessInternalW Aug. 17, 2021, 9:31 a.m.	thread_identifier: 2672 thread_handle: 0x000003ec process_identifier: 2932 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\Skcczlqwcscgqo.vbs" filepath_r: C:\Windows\System32\WScript.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e0	1	1
CreateProcessInternalW Aug. 17, 2021, 9:31 a.m.	thread_identifier: 2772 thread_handle: 0x000003f0 process_identifier: 2532 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\zxcvb.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000028c	1	1
NtGetContextThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x000003f0	1	0
NtAllocateVirtualMemory Aug. 17, 2021, 9:31 a.m.	process_identifier: 2532 region_size: 598016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000028c	1	0
WriteProcessMemory Aug. 17, 2021, 9:31 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $G[¡:ÏÉ:ÏÉ:ÏÉXRÌÈ:ÏÉXRÊÈ¿:ÏÉXRÈÈ:ÏÉQOËÈ:ÏÉQOÌÈ:ÏÉQOÊÈS:ÏÉXRËÈ:ÏÉXRÉÈ:ÏÉXRÎÈ:ÏÉ:ÎÉð:ÏÉ[OÆÈ:ÏÉ[OÍÈ:ÏÉRich:ÏÉPELìraà¢@wøÀ@ @BÀüQÈÔ8Õ@À°.text ¢ `.rdataâÀ¦@@.dataT`F>@À.relocüQÀR@B base_address: 0x00400000 process_identifier: 2532 process_handle: 0x0000028c	1	1
WriteProcessMemory Aug. 17, 2021, 9:31 a.m.	buffer: base_address: 0x00401000 process_identifier: 2532 process_handle: 0x0000028c	1	1
WriteProcessMemory Aug. 17, 2021, 9:31 a.m.	buffer: base_address: 0x0046c000 process_identifier: 2532 process_handle: 0x0000028c	1	1
WriteProcessMemory Aug. 17, 2021, 9:31 a.m.	buffer: base_address: 0x00486000 process_identifier: 2532 process_handle: 0x0000028c	1	1
WriteProcessMemory Aug. 17, 2021, 9:31 a.m.	buffer: base_address: 0x0048c000 process_identifier: 2532 process_handle: 0x0000028c	1	1
WriteProcessMemory Aug. 17, 2021, 9:31 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2532 process_handle: 0x0000028c	1	1
NtSetContextThread Aug. 17, 2021, 9:31 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4454519 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003f0 process_identifier: 2532	1	0
NtResumeThread Aug. 17, 2021, 9:31 a.m.	thread_handle: 0x000003f0 suspend_count: 1 process_identifier: 2532	1	0
CreateProcessInternalW Aug. 17, 2021, 9:36 a.m.	thread_identifier: 812 thread_handle: 0x0000031c process_identifier: 2412 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000324	1	1
NtResumeThread Aug. 17, 2021, 9:36 a.m.	thread_handle: 0x00000144 suspend_count: 1 process_identifier: 2532	1	0
CreateProcessInternalW Aug. 17, 2021, 9:36 a.m.	thread_identifier: 1824 thread_handle: 0x000006fc process_identifier: 1772 current_directory: filepath: track: 1 command_line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\zxcvb.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000700	1	1
NtResumeThread Aug. 17, 2021, 9:36 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2412	1	0
NtResumeThread Aug. 17, 2021, 9:36 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2412	1	0
NtResumeThread Aug. 17, 2021, 9:36 a.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 2412	1	0
NtResumeThread Aug. 17, 2021, 9:36 a.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 2412	1	0
NtGetContextThread Aug. 17, 2021, 9:36 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Aug. 17, 2021, 9:36 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Aug. 17, 2021, 9:36 a.m.	thread_handle: 0x000000e8	1	0
NtSetContextThread Aug. 17, 2021, 9:36 a.m.	registers.eip: 1919691652 registers.esp: 4509128 registers.edi: 0 registers.eax: 1083499056 registers.ebp: 4509132 registers.edx: 18389008 registers.ebx: 0 registers.esi: 28000 registers.ecx: 40128500 thread_handle: 0x000000e8 process_identifier: 2412	1	0
NtResumeThread Aug. 17, 2021, 9:36 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2412	1	0
CreateProcessInternalW Aug. 17, 2021, 9:36 a.m.	thread_identifier: 3016 thread_handle: 0x000003f0 process_identifier: 2220 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\Evpctmxstsshc.vbs" filepath_r: C:\Windows\System32\WScript.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e4	1	1
CreateProcessInternalW Aug. 17, 2021, 9:36 a.m.	thread_identifier: 2552 thread_handle: 0x000003f4 process_identifier: 1460 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000290	1	1
NtGetContextThread Aug. 17, 2021, 9:36 a.m.	thread_handle: 0x000003f4	1	0
NtAllocateVirtualMemory Aug. 17, 2021, 9:36 a.m.	process_identifier: 1460 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1	0

The process wscript.exe wrote an executable file to disk which it then attempted to execute (3 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Users\test22\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
file	C:\Users\test22\AppData\Local\Temp\Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe

zxcvb.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All