Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 22, 2021, 10:05 p.m.	Sept. 22, 2021, 10:20 p.m.

Size	1.1MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`5c03d52d98f6c01ea66e09f5993aebc2`
SHA256	`f25767973c3254dae77891e4c519f33258f7045c101cd9c732a7edd53216f957`
CRC32	`B9F2F377`
ssdeep	`24576:tP2qZ3bYMR1dKuIv/XaFwCVJAcFfPLfHF2sVXfIc5J+fFLPCdM6XbUR2JC8:tP20fKRXXQFfTfk8XgVr2XboA`
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

5.exe "C:\Users\test22\AppData\Local\Temp\5.exe"
1080
- buildcpils.exe "C:\Users\test22\AppData\Local\Temp\buildcpils.exe"
  2212
  - WinRAR.exe "C:\Users\test22\AppData\Roaming\WinRAR ver5.56\WinRAR.exe"
    2256
    - schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Skrinshoter ver6.65" /tr "'C:\Users\test22\AppData\Roaming\WinRAR ver5.56\WinRAR.exe"'/f
      1472

Name	Response	Post-Analysis Lookup
sherence.ru	A 172.67.176.114 A 104.21.48.37	172.67.176.114
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	172.67.75.172
api.telegram.org	A 149.154.167.220	149.154.167.220

IP Address	Status	Action
149.154.167.220	Active	Moloch
164.124.101.2	Active	Moloch
172.67.176.114	Active	Moloch
172.67.75.172	Active	Moloch
194.15.46.144	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49202 -> 172.67.75.172:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.67.176.114:80 -> 192.168.56.101:49224	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 172.67.176.114:80 -> 192.168.56.101:49224	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 149.154.167.220:443 -> 192.168.56.101:49228	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49228 -> 149.154.167.220:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49202 172.67.75.172:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	7d:9f:08:6e:96:fc:4c:1d:eb:94:53:45:8a:6c:7e:e7:c1:69:47:e9

Queries for the computername (22 events)

Time & API	Arguments	Status	Return
GetComputerNameA Sept. 22, 2021, 10:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 10:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 10:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 10:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 10:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 10:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 10:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 10:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 10:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 10:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 10:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 10:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 10:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 9:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 9:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 9:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 9:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 9:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 9:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 9:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 9:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 9:59 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 22, 2021, 10:05 p.m.			0	0
IsDebuggerPresent Sept. 22, 2021, 10:05 p.m.			0	0
IsDebuggerPresent Sept. 22, 2021, 9:58 p.m.			0	0
IsDebuggerPresent Sept. 22, 2021, 9:58 p.m.			0	0
IsDebuggerPresent Sept. 22, 2021, 9:59 p.m.			0	0
IsDebuggerPresent Sept. 22, 2021, 9:59 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 22, 2021, 9:59 p.m.	buffer: SUCCESS: The scheduled task "Skrinshoter ver6.65" has successfully been created. console_handle: 0x0000000000000007	1	1	0

Uses Windows APIs to generate a cryptographic key (9 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 22, 2021, 10:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008abe98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 10:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008abe98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 10:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008abfd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 10:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x07109118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 10:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x07109118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 10:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x07109018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 10:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x07109398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 10:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x07109458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 10:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x07109458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 22, 2021, 10:05 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

One or more processes crashed (41 events)

Time & API	Arguments	Status
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a921c @ 0x40921c 5+0x1a4718 @ 0x404718 5+0x28b21b @ 0x4eb21b exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf2d5 exception.instruction: div eax exception.module: 5.exe exception.exception_code: 0xc0000094 exception.offset: 914133 exception.address: 0x33f2d5 registers.esp: 8257028 registers.edi: 5161200 registers.eax: 0 registers.ebp: 8257056 registers.edx: 0 registers.ebx: 423312209 registers.esi: 2637824 registers.ecx: 36452328	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a921c @ 0x40921c 5+0x1a4718 @ 0x404718 5+0x28b21b @ 0x4eb21b exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf300 exception.instruction: ud2 exception.module: 5.exe exception.exception_code: 0xc000001d exception.offset: 914176 exception.address: 0x33f300 registers.esp: 8257028 registers.edi: 8257028 registers.eax: 0 registers.ebp: 8257056 registers.edx: 2 registers.ebx: 3404523 registers.esi: 0 registers.ecx: 8257064	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a921c @ 0x40921c 5+0x1a4718 @ 0x404718 5+0x28b21b @ 0x4eb21b exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf2d5 exception.instruction: div eax exception.module: 5.exe exception.exception_code: 0xc0000094 exception.offset: 914133 exception.address: 0x33f2d5 registers.esp: 8257028 registers.edi: 8257028 registers.eax: 0 registers.ebp: 8257056 registers.edx: 0 registers.ebx: 3404566 registers.esi: 0 registers.ecx: 8257064	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a1630 @ 0x401630 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf300 exception.instruction: ud2 exception.module: 5.exe exception.exception_code: 0xc000001d exception.offset: 914176 exception.address: 0x33f300 registers.esp: 8256956 registers.edi: 3953136 registers.eax: 0 registers.ebp: 8256984 registers.edx: 2 registers.ebx: 4293410816 registers.esi: 2637824 registers.ecx: 2637824	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a1630 @ 0x401630 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf2d5 exception.instruction: div eax exception.module: 5.exe exception.exception_code: 0xc0000094 exception.offset: 914133 exception.address: 0x33f2d5 registers.esp: 8256956 registers.edi: 8256956 registers.eax: 0 registers.ebp: 8256984 registers.edx: 0 registers.ebx: 3404566 registers.esi: 0 registers.ecx: 8256992	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a1630 @ 0x401630 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf300 exception.instruction: ud2 exception.module: 5.exe exception.exception_code: 0xc000001d exception.offset: 914176 exception.address: 0x33f300 registers.esp: 8256956 registers.edi: 8256956 registers.eax: 0 registers.ebp: 8256984 registers.edx: 2 registers.ebx: 3404523 registers.esi: 0 registers.ecx: 8256992	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a18d5 @ 0x4018d5 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf2d5 exception.instruction: div eax exception.module: 5.exe exception.exception_code: 0xc0000094 exception.offset: 914133 exception.address: 0x33f2d5 registers.esp: 8256956 registers.edi: 3953136 registers.eax: 0 registers.ebp: 8256984 registers.edx: 0 registers.ebx: 4293410816 registers.esi: 2637824 registers.ecx: 0	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a18d5 @ 0x4018d5 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf2d5 exception.instruction: div eax exception.module: 5.exe exception.exception_code: 0xc0000094 exception.offset: 914133 exception.address: 0x33f2d5 registers.esp: 8256956 registers.edi: 8256956 registers.eax: 0 registers.ebp: 8256984 registers.edx: 0 registers.ebx: 3404523 registers.esi: 0 registers.ecx: 8256992	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a18d5 @ 0x4018d5 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf2d5 exception.instruction: div eax exception.module: 5.exe exception.exception_code: 0xc0000094 exception.offset: 914133 exception.address: 0x33f2d5 registers.esp: 8256956 registers.edi: 8256956 registers.eax: 0 registers.ebp: 8256984 registers.edx: 0 registers.ebx: 3404523 registers.esi: 0 registers.ecx: 8256992	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a18d5 @ 0x4018d5 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf2d5 exception.instruction: div eax exception.module: 5.exe exception.exception_code: 0xc0000094 exception.offset: 914133 exception.address: 0x33f2d5 registers.esp: 8256956 registers.edi: 8256956 registers.eax: 0 registers.ebp: 8256984 registers.edx: 0 registers.ebx: 3404523 registers.esi: 0 registers.ecx: 8256992	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a18fa @ 0x4018fa 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: cc 68 e4 cb 5f 22 e9 90 95 ff ff 06 0d 62 37 82 exception.symbol: 5+0x197ea5 exception.instruction: int3 exception.module: 5.exe exception.exception_code: 0x80000003 exception.offset: 1670821 exception.address: 0x3f7ea5 registers.esp: 8256956 registers.edi: 3951181 registers.eax: 2324 registers.ebp: 8256984 registers.edx: 8256992 registers.ebx: 4293410816 registers.esi: 2639431 registers.ecx: 0	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: exception.instruction_r: cc 68 33 82 5f 22 e9 aa 05 ff ff ea 4c 4a df af exception.symbol: 5+0x1a0e8b exception.instruction: int3 exception.module: 5.exe exception.exception_code: 0x80000003 exception.offset: 1707659 exception.address: 0x400e8b registers.esp: 8256956 registers.edi: 3953136 registers.eax: 4 registers.ebp: 1111705675 registers.edx: 8256768 registers.ebx: 4293410816 registers.esi: 2637824 registers.ecx: 4027842560	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a1a68 @ 0x401a68 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf2d5 exception.instruction: div eax exception.module: 5.exe exception.exception_code: 0xc0000094 exception.offset: 914133 exception.address: 0x33f2d5 registers.esp: 8256956 registers.edi: 3953136 registers.eax: 0 registers.ebp: 8256984 registers.edx: 0 registers.ebx: 4293410816 registers.esi: 2637824 registers.ecx: 8256984	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a1a68 @ 0x401a68 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf2d5 exception.instruction: div eax exception.module: 5.exe exception.exception_code: 0xc0000094 exception.offset: 914133 exception.address: 0x33f2d5 registers.esp: 8256956 registers.edi: 8256956 registers.eax: 0 registers.ebp: 8256984 registers.edx: 0 registers.ebx: 3404523 registers.esi: 0 registers.ecx: 8256992	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a1a68 @ 0x401a68 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf300 exception.instruction: ud2 exception.module: 5.exe exception.exception_code: 0xc000001d exception.offset: 914176 exception.address: 0x33f300 registers.esp: 8256956 registers.edi: 8256956 registers.eax: 0 registers.ebp: 8256984 registers.edx: 2 registers.ebx: 3404523 registers.esi: 0 registers.ecx: 8256992	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a1a68 @ 0x401a68 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf2d5 exception.instruction: div eax exception.module: 5.exe exception.exception_code: 0xc0000094 exception.offset: 914133 exception.address: 0x33f2d5 registers.esp: 8256956 registers.edi: 8256956 registers.eax: 0 registers.ebp: 8256984 registers.edx: 0 registers.ebx: 3404566 registers.esi: 0 registers.ecx: 8256992	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a1a68 @ 0x401a68 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf300 exception.instruction: ud2 exception.module: 5.exe exception.exception_code: 0xc000001d exception.offset: 914176 exception.address: 0x33f300 registers.esp: 8256956 registers.edi: 8256956 registers.eax: 0 registers.ebp: 8256984 registers.edx: 2 registers.ebx: 3404523 registers.esi: 0 registers.ecx: 8256992	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a1a68 @ 0x401a68 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf300 exception.instruction: ud2 exception.module: 5.exe exception.exception_code: 0xc000001d exception.offset: 914176 exception.address: 0x33f300 registers.esp: 8256956 registers.edi: 8256956 registers.eax: 0 registers.ebp: 8256984 registers.edx: 2 registers.ebx: 3404566 registers.esi: 0 registers.ecx: 8256992	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a1a68 @ 0x401a68 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf300 exception.instruction: ud2 exception.module: 5.exe exception.exception_code: 0xc000001d exception.offset: 914176 exception.address: 0x33f300 registers.esp: 8256956 registers.edi: 8256956 registers.eax: 0 registers.ebp: 8256984 registers.edx: 2 registers.ebx: 3404566 registers.esi: 0 registers.ecx: 8256992	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a1a68 @ 0x401a68 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf300 exception.instruction: ud2 exception.module: 5.exe exception.exception_code: 0xc000001d exception.offset: 914176 exception.address: 0x33f300 registers.esp: 8256956 registers.edi: 8256956 registers.eax: 0 registers.ebp: 8256984 registers.edx: 2 registers.ebx: 3404566 registers.esi: 0 registers.ecx: 8256992	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a1c31 @ 0x401c31 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf300 exception.instruction: ud2 exception.module: 5.exe exception.exception_code: 0xc000001d exception.offset: 914176 exception.address: 0x33f300 registers.esp: 8256956 registers.edi: 3953136 registers.eax: 0 registers.ebp: 8256984 registers.edx: 2 registers.ebx: 4293410816 registers.esi: 2637824 registers.ecx: 0	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a1c31 @ 0x401c31 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf2d5 exception.instruction: div eax exception.module: 5.exe exception.exception_code: 0xc0000094 exception.offset: 914133 exception.address: 0x33f2d5 registers.esp: 8256956 registers.edi: 8256956 registers.eax: 0 registers.ebp: 8256984 registers.edx: 0 registers.ebx: 3404566 registers.esi: 0 registers.ecx: 8256992	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a1c31 @ 0x401c31 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf2d5 exception.instruction: div eax exception.module: 5.exe exception.exception_code: 0xc0000094 exception.offset: 914133 exception.address: 0x33f2d5 registers.esp: 8256956 registers.edi: 8256956 registers.eax: 0 registers.ebp: 8256984 registers.edx: 0 registers.ebx: 3404523 registers.esi: 0 registers.ecx: 8256992	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a1c31 @ 0x401c31 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf300 exception.instruction: ud2 exception.module: 5.exe exception.exception_code: 0xc000001d exception.offset: 914176 exception.address: 0x33f300 registers.esp: 8256956 registers.edi: 8256956 registers.eax: 0 registers.ebp: 8256984 registers.edx: 2 registers.ebx: 3404523 registers.esi: 0 registers.ecx: 8256992	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a1c31 @ 0x401c31 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf2d5 exception.instruction: div eax exception.module: 5.exe exception.exception_code: 0xc0000094 exception.offset: 914133 exception.address: 0x33f2d5 registers.esp: 8256956 registers.edi: 8256956 registers.eax: 0 registers.ebp: 8256984 registers.edx: 0 registers.ebx: 3404566 registers.esi: 0 registers.ecx: 8256992	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a1c31 @ 0x401c31 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf2d5 exception.instruction: div eax exception.module: 5.exe exception.exception_code: 0xc0000094 exception.offset: 914133 exception.address: 0x33f2d5 registers.esp: 8256956 registers.edi: 8256956 registers.eax: 0 registers.ebp: 8256984 registers.edx: 0 registers.ebx: 3404523 registers.esi: 0 registers.ecx: 8256992	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a1d4d @ 0x401d4d 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf300 exception.instruction: ud2 exception.module: 5.exe exception.exception_code: 0xc000001d exception.offset: 914176 exception.address: 0x33f300 registers.esp: 8256956 registers.edi: 3953136 registers.eax: 0 registers.ebp: 8256984 registers.edx: 2 registers.ebx: 4293410816 registers.esi: 2637824 registers.ecx: 505938944	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 5+0x1a1d4d @ 0x401d4d 5+0x1a4727 @ 0x404727 5+0x28b21b @ 0x4eb21b exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 5+0xdf300 exception.instruction: ud2 exception.module: 5.exe exception.exception_code: 0xc000001d exception.offset: 914176 exception.address: 0x33f300 registers.esp: 8256956 registers.edi: 8256956 registers.eax: 0 registers.ebp: 8256984 registers.edx: 2 registers.ebx: 3404566 registers.esi: 0 registers.ecx: 8256992	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 0x2e85a5a 0x2e859d5 0x2e81995 0x2e816f0 0x2e80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72652e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72707610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72791dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72791e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72791f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7279416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743b4de3 0x7dfdc0 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2e85ae9 registers.esp: 8253928 registers.edi: 54171784 registers.eax: 0 registers.ebp: 8253952 registers.edx: 8807808 registers.ebx: 52308128 registers.esi: 54171964 registers.ecx: 0	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 0x2e86c17 0x2e86b59 0x2e86275 0x2e85cf2 0x2e85c69 0x2e819ff 0x2e816f0 0x2e80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72652e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72707610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72791dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72791e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72791f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7279416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743b4de3 0x7dfdc0 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2e870d8 registers.esp: 8253656 registers.edi: 54506438 registers.eax: 0 registers.ebp: 8253708 registers.edx: 115694596 registers.ebx: 54506288 registers.esi: 54506508 registers.ecx: 115695120	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 0x2e86c17 0x2e86b59 0x2e86275 0x2e85cf2 0x2e85c69 0x2e819ff 0x2e816f0 0x2e80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72652e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72707610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72791dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72791e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72791f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7279416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743b4de3 0x7dfdc0 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2e870d8 registers.esp: 8253656 registers.edi: 55472202 registers.eax: 0 registers.ebp: 8253708 registers.edx: 115694596 registers.ebx: 55472052 registers.esi: 55472272 registers.ecx: 115695120	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 0x2e86c17 0x2e86b59 0x2e86275 0x2e85cf2 0x2e85c69 0x2e819ff 0x2e816f0 0x2e80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72652e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72707610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72791dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72791e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72791f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7279416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743b4de3 0x7dfdc0 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2e870d8 registers.esp: 8253656 registers.edi: 56424990 registers.eax: 0 registers.ebp: 8253708 registers.edx: 115694596 registers.ebx: 56424840 registers.esi: 56425060 registers.ecx: 115695120	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 0x2e88a76 0x2e889c9 0x2e862ea 0x2e85cf2 0x2e85c69 0x2e819ff 0x2e816f0 0x2e80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72652e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72707610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72791dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72791e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72791f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7279416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743b4de3 0x7dfdc0 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2e870d8 registers.esp: 8253648 registers.edi: 53870094 registers.eax: 0 registers.ebp: 8253700 registers.edx: 115694596 registers.ebx: 53869944 registers.esi: 53870164 registers.ecx: 115695120	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 0x2e88a76 0x2e889c9 0x2e862ea 0x2e85cf2 0x2e85c69 0x2e819ff 0x2e816f0 0x2e80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72652e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72707610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72791dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72791e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72791f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7279416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743b4de3 0x7dfdc0 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2e870d8 registers.esp: 8253648 registers.edi: 54833590 registers.eax: 0 registers.ebp: 8253700 registers.edx: 115694596 registers.ebx: 54833440 registers.esi: 54833660 registers.ecx: 115695120	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 0x2e88a76 0x2e889c9 0x2e862ea 0x2e85cf2 0x2e85c69 0x2e819ff 0x2e816f0 0x2e80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72652e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72707610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72791dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72791e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72791f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7279416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743b4de3 0x7dfdc0 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2e870d8 registers.esp: 8253648 registers.edi: 53881770 registers.eax: 0 registers.ebp: 8253700 registers.edx: 115694596 registers.ebx: 53881620 registers.esi: 53881840 registers.ecx: 115695120	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 0x2e88fd7 0x2e88f29 0x2e8635f 0x2e85cf2 0x2e85c69 0x2e819ff 0x2e816f0 0x2e80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72652e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72707610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72791dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72791e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72791f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7279416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743b4de3 0x7dfdc0 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2e870d8 registers.esp: 8253652 registers.edi: 54860518 registers.eax: 0 registers.ebp: 8253704 registers.edx: 115694596 registers.ebx: 54860368 registers.esi: 54860588 registers.ecx: 115695120	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 0x2e88fd7 0x2e88f29 0x2e8635f 0x2e85cf2 0x2e85c69 0x2e819ff 0x2e816f0 0x2e80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72652e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72707610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72791dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72791e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72791f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7279416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743b4de3 0x7dfdc0 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2e870d8 registers.esp: 8253652 registers.edi: 55876702 registers.eax: 0 registers.ebp: 8253704 registers.edx: 115694596 registers.ebx: 55876552 registers.esi: 55876772 registers.ecx: 115695120	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 0x2e88fd7 0x2e88f29 0x2e8635f 0x2e85cf2 0x2e85c69 0x2e819ff 0x2e816f0 0x2e80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72652e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72707610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72791dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72791e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72791f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7279416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743b4de3 0x7dfdc0 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2e870d8 registers.esp: 8253652 registers.edi: 56892886 registers.eax: 0 registers.ebp: 8253704 registers.edx: 115694596 registers.ebx: 56892736 registers.esi: 56892956 registers.ecx: 115695120	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 0x2e89419 0x2e89369 0x2e863d0 0x2e85cf2 0x2e85c69 0x2e819ff 0x2e816f0 0x2e80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72652e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72707610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72791dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72791e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72791f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7279416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743b4de3 0x7dfdc0 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2e870d8 registers.esp: 8253648 registers.edi: 57909250 registers.eax: 0 registers.ebp: 8253700 registers.edx: 115694596 registers.ebx: 57909100 registers.esi: 57909320 registers.ecx: 115695120	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 0x2e89419 0x2e89369 0x2e863d0 0x2e85cf2 0x2e85c69 0x2e819ff 0x2e816f0 0x2e80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72652e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72707610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72791dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72791e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72791f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7279416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743b4de3 0x7dfdc0 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2e870d8 registers.esp: 8253648 registers.edi: 53928474 registers.eax: 0 registers.ebp: 8253700 registers.edx: 115694596 registers.ebx: 53928324 registers.esi: 53928544 registers.ecx: 115695120	1
__exception__ Sept. 22, 2021, 10:05 p.m.	stacktrace: 0x2e89419 0x2e89369 0x2e863d0 0x2e85cf2 0x2e85c69 0x2e819ff 0x2e816f0 0x2e80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72642652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7265264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72652e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72707610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72791dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72791e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72791f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7279416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743b4de3 0x7dfdc0 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2e870d8 registers.esp: 8253648 registers.edi: 54946778 registers.eax: 0 registers.ebp: 8253700 registers.edx: 115694596 registers.ebx: 54946628 registers.esi: 54946848 registers.ecx: 115695120	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://sherence.ru/buildcpils.exe
suspicious_features	GET method with no useragent header				suspicious_request	GET https://api.ip.sb/geoip

Performs some HTTP requests (2 events)

request	GET http://sherence.ru/buildcpils.exe
request	GET https://api.ip.sb/geoip

Allocates read-write-execute memory (usually to unpack itself) (50 out of 194 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02290000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02294000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00260000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02510000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72641000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72642000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fd0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03130000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0257c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0256a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0258a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0257a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0258b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0258c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0256c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0258d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02588000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Sept. 22, 2021, 9:58 p.m.	total_number_of_free_bytes: 13725347840 free_bytes_available: 13725347840 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Sept. 22, 2021, 9:59 p.m.	total_number_of_free_bytes: 12952584192 free_bytes_available: 12952584192 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Sept. 22, 2021, 9:59 p.m.	total_number_of_free_bytes: 12952518656 free_bytes_available: 12952518656 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Sept. 22, 2021, 9:59 p.m.	total_number_of_free_bytes: 12952178688 free_bytes_available: 12952178688 root_path: C:\ total_number_of_bytes: 34252779520	1	1

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\buildcpils.exe
file	C:\Users\test22\AppData\Roaming\WinRAR ver5.56\WinRAR.exe

Creates a suspicious process (2 events)

cmdline	schtasks.exe /create /sc MINUTE /mo 1 /tn "Skrinshoter ver6.65" /tr "'C:\Users\test22\AppData\Roaming\WinRAR ver5.56\WinRAR.exe"'/f
cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Skrinshoter ver6.65" /tr "'C:\Users\test22\AppData\Roaming\WinRAR ver5.56\WinRAR.exe"'/f

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\buildcpils.exe
file	C:\Users\test22\AppData\Roaming\WinRAR ver5.56\WinRAR.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 22, 2021, 9:59 p.m.	show_type: 0 filepath_r: schtasks.exe parameters: /create /sc MINUTE /mo 1 /tn "Skrinshoter ver6.65" /tr "'C:\Users\test22\AppData\Roaming\WinRAR ver5.56\WinRAR.exe"'/f filepath: schtasks.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 22, 2021, 10:05 p.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process 5.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv Sept. 22, 2021, 10:05 p.m.	buffer: HTTP/1.1 200 OK Date: Wed, 22 Sep 2021 13:19:06 GMT Content-Type: application/x-msdos-program Content-Length: 44032 Connection: keep-alive last-modified: Tue, 21 Sep 2021 19:47:46 GMT etag: "ac00-5cc86abf3ae59" Cache-Control: max-age=14400 CF-Cache-Status: MISS Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=PWcq3YYyJsJJIhgibwEDRR2QkLi6C%2BcRnieCMeyfL8kvGLiIWtW2ek%2B2KUWCKlJr1oPKGR5KnQy9gqVsTq7s%2FhtSLPZBNloiBvxDZT5csb3Ee6gwzOvqJJfslkf7YA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 692bd2ab9b630a4e-KIX alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd»¥Èð"0¤ @ @@@ àÊ H.textÈ¢ ¤ `.rsrcÊà¦@@H@@Ð?¸(2 þ®(3 þs4 (5 t8(6 ð(7 *z,{,{o (W .s(F{(M(C .s(.~(C ("^(° (:s o >s co 0Çþ ( þ~ þþ9þ9þs þþ s þþs þþo þÝþ9 þo ÜÝþ9 þo ÜÝþ9 þo ÜþþÝ&þÝþ4UgH76a··'0T( ~ rp(o o +"o rÄp(o u"&Xi2ØÞ&ÞJP0¡~ rp(s o o +2o t- r¹p(o o! rp((" o# -ÆÞ ,o ÜÞ ,o Ü($ ,rMp(+Þ&rp(Þ(">` Vl 0s% rÙp(s& s' ( jo +$o t-rp(o (( Xo# -ÔÞ ,o Ü j[ j[() Þ&rp(Þ)0Y ~~0jrÖp(s (+ ~ o + o t-rap(o t" o# -ØÞ ,o ÜÞ&rp(Þ* ,L ZZ0Çr»p(s ( o 8o t-"%rVp(o t"o, ¢%r p(¢%râp(o t"¢%r p(¢%r,p(o t"¢(- Þ%&Þo# :qÿÿÿÞ ,o Ürp(*+u ° 0jrøp(s (+ ~ o + o t-rjp(o t" o# -ØÞ ,o ÜÞ&rp(Þ* ,L ZZ0jr¬p(s* (+ ~ received: 2920 socket: 600	1	2920	0

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x0000b800', u'virtual_address': u'0x00002000', u'entropy': 7.988841172766424, u'name': u'', u'virtual_size': u'0x0001c000'}

entropy

7.98884117277

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0002bc00', u'virtual_address': u'0x00024000', u'entropy': 7.995292421856776, u'name': u'', u'virtual_size': u'0x00280000'}

entropy

7.99529242186

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x000e3800', u'virtual_address': u'0x002a4000', u'entropy': 7.987465210646282, u'name': u'.data', u'virtual_size': u'0x000e4000'}

entropy

7.98746521065

description

A section with a high entropy has been found

entropy

0.997354497354

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 22, 2021, 10:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 22, 2021, 9:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000025c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: AddressBook base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: Connection Manager base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: DirectDrawEx base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: EditPlus base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: ENTERPRISE base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: Fontcore base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: Google Chrome base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: IE40 base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: IE4Data base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: IE5BAKEX base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: IEData base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: MobileOptionPack base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: SchedulingAgent base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: WIC base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Sept. 22, 2021, 10:05 p.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x0000025c key_handle: 0x00000258 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks.exe /create /sc MINUTE /mo 1 /tn "Skrinshoter ver6.65" /tr "'C:\Users\test22\AppData\Roaming\WinRAR ver5.56\WinRAR.exe"'/f
cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Skrinshoter ver6.65" /tr "'C:\Users\test22\AppData\Roaming\WinRAR ver5.56\WinRAR.exe"'/f

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (1 event)

host

194.15.46.144

Attempts to identify installed AV products by registry key (1 event)

registry

HKEY_CURRENT_USER\SOFTWARE\AVIRA

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWDEBUG
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (1 event)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Sept. 22, 2021, 10:05 p.m.	class_name: OLLYDBG window_name:		0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 22, 2021, 10:05 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (2 events)

cmdline	schtasks.exe /create /sc MINUTE /mo 1 /tn "Skrinshoter ver6.65" /tr "'C:\Users\test22\AppData\Roaming\WinRAR ver5.56\WinRAR.exe"'/f
cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Skrinshoter ver6.65" /tr "'C:\Users\test22\AppData\Roaming\WinRAR ver5.56\WinRAR.exe"'/f

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Sept. 22, 2021, 10:05 p.m.	key_handle: 0x00000258 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (50 out of 66 events)

Time & API	Arguments	Status	Return
CryptHashData Sept. 22, 2021, 9:58 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000794bc0 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:58 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000794bc0 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:58 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000794bc0 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:58 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000794bc0 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:58 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000794bc0 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:58 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000794bc0 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:58 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000794bc0 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:58 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000794bc0 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:58 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000794bc0 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:58 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000794bc0 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:58 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000794bc0 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:58 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000794bc0 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:58 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000794bc0 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:58 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000794bc0 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000653230 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000653230 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000653230 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000653230 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000653230 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000653230 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000653230 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000653230 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000653230 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000653230 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000653230 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000653230 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000653230 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000653230 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000653230 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test221Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00000000006af660 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test221Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00000000006af660 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test221Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00000000006af660 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test221Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00000000006af660 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test221Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00000000006af660 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test221Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00000000006af660 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test221Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00000000006af660 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test221Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00000000006af660 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test221Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00000000006af660 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test221Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00000000006af660 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test221Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00000000006af660 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test221Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00000000006af660 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test221Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00000000006af660 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test221Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00000000006af660 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test221Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00000000006af660 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test221Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00000000006af660 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test221Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x000000001ccaf3a0 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test221Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x000000001ccaf3a0 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test221Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x000000001ccaf3a0 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test221Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x000000001ccaf3a0 flags: 0	1	1
CryptHashData Sept. 22, 2021, 9:59 p.m.	buffer: 127631360test221Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x000000001ccaf3a0 flags: 0	1	1

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Graftor.980966
FireEye	Generic.mg.5c03d52d98f6c01e
ALYac	Gen:Variant.Graftor.980966
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.48a1c8
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Packed.EnigmaProtector.J suspicious
APEX	Malicious
ClamAV	Win.Malware.Zusy-9837401-0
BitDefender	Gen:Variant.Graftor.980966
Ad-Aware	Gen:Variant.Graftor.980966
Emsisoft	Gen:Variant.Graftor.980966 (B)
McAfee-GW-Edition	BehavesLike.Win32.Dropper.tc
Sophos	Generic ML PUA (PUA)
Ikarus	PUA.EnigmaProtector
Webroot	W32.Malware.Gen
Avira	HEUR/AGEN.1128095
MAX	malware (ai score=81)
Microsoft	Trojan:MSIL/RedLineStealer.MK!MTB
GData	Gen:Variant.Graftor.980966
Cynet	Malicious (score: 100)
Acronis	suspicious
VBA32	Trojan.Zpevdo
Zoner	Probably Heur.ExeHeaderH
TrendMicro-HouseCall	TROJ_GEN.R06CH09IH21
Rising	PUF.Pack-Enigma!1.BA33 (CLASSIC)
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_98%
Fortinet	W32/CoinMiner.AK!tr
BitDefenderTheta	Gen:NN.ZexaF.34142.hz1@amFguw
Panda	Trj/Genetic.gen
CrowdStrike	win/malicious_confidence_70% (D)
MaxSecure	Trojan.Malware.300983.susgen

5.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All