Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 28, 2021, 11:05 a.m.	Oct. 28, 2021, 11:17 a.m.

Size	912.5KB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`8c957f8e5cc91f649891254901d6293c`
SHA256	`c420ffaab541b742acd48873edeabb1c6eb77da5d6f681a5b0cde5f8a05ca05f`
CRC32	`D6A87615`
ssdeep	`12288:S9ZYr+ZqaSl92B8pIvJkKPGUiPe+TulJb8HycygMN8W7s1gEPcJkI09y//Ccemta:SX6iqrWkKeUiPekogN2s7fI09y//cmg`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

126808361.exe "C:\Users\test22\AppData\Local\Temp\126808361.exe"
2072

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
65.108.14.118	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (11 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 28, 2021, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 28, 2021, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 28, 2021, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 28, 2021, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 28, 2021, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 28, 2021, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 28, 2021, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 28, 2021, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 28, 2021, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 28, 2021, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 28, 2021, 11:05 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 28, 2021, 11:05 a.m.			0	0
IsDebuggerPresent Oct. 28, 2021, 11:05 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (9 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 28, 2021, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x009a4ba0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 28, 2021, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x009a4ba0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 28, 2021, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x009a4c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 28, 2021, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x009a5020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 28, 2021, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x009a5060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 28, 2021, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x009a5060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 28, 2021, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x009a55e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 28, 2021, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x009a55e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 28, 2021, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x009a5760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 28, 2021, 11:05 a.m.		1	1	0

One or more processes crashed (15 events)

Time & API	Arguments	Status
__exception__ Oct. 28, 2021, 11:05 a.m.	stacktrace: 0x4e123da 0x4e12355 0x4e1145c 0x4e111b0 0x4e10056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x2cb060 @ 0x6ff0b060 mscorlib+0x95a1ac @ 0x7059a1ac DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72742a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7283cd14 0x91a062 0x56125a 0x5612a5 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4e1247b registers.esp: 36894644 registers.edi: 42422564 registers.eax: 0 registers.ebp: 36894672 registers.edx: 9997400 registers.ebx: 40705836 registers.esi: 42422704 registers.ecx: 0	1
__exception__ Oct. 28, 2021, 11:05 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x728f1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x727c2ba1 mscorlib+0x36dd51 @ 0x6ffadd51 mscorlib+0x32fea6 @ 0x6ff6fea6 mscorlib+0x30ab40 @ 0x6ff4ab40 0x4e17089 0x4e16fd9 0x4e16b63 0x4e165df 0x4e11487 0x4e111b0 0x4e10056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x2cb060 @ 0x6ff0b060 mscorlib+0x95a1ac @ 0x7059a1ac DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72742a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7283cd14 0x91a062 0x56125a 0x5612a5 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 36894148 registers.edi: 0 registers.eax: 36894148 registers.ebp: 36894228 registers.edx: 0 registers.ebx: 9979632 registers.esi: 9997400 registers.ecx: 157996544	1
__exception__ Oct. 28, 2021, 11:05 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x728f1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x727c2ba1 mscorlib+0x316bc8 @ 0x6ff56bc8 mscorlib+0x32fddf @ 0x6ff6fddf mscorlib+0x30ab1e @ 0x6ff4ab1e 0x4e17089 0x4e16fd9 0x4e16b63 0x4e165df 0x4e11487 0x4e111b0 0x4e10056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x2cb060 @ 0x6ff0b060 mscorlib+0x95a1ac @ 0x7059a1ac DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72742a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7283cd14 0x91a062 0x56125a 0x5612a5 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 36894204 registers.edi: 0 registers.eax: 36894204 registers.ebp: 36894284 registers.edx: 0 registers.ebx: 9979632 registers.esi: 9997400 registers.ecx: 157996488	1
__exception__ Oct. 28, 2021, 11:05 a.m.	stacktrace: 0x4e19eb7 0x4e19df9 0x4e19503 0x4e190c7 0x4e15a11 0x4e11487 0x4e111b0 0x4e10056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x2cb060 @ 0x6ff0b060 mscorlib+0x95a1ac @ 0x7059a1ac DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72742a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7283cd14 0x91a062 0x56125a 0x5612a5 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 19 84 92 6d eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4e1a31f registers.esp: 36894380 registers.edi: 42739986 registers.eax: 0 registers.ebp: 36894428 registers.edx: 101787320 registers.ebx: 42739836 registers.esi: 42740056 registers.ecx: 101792672	1
__exception__ Oct. 28, 2021, 11:05 a.m.	stacktrace: 0x4e19eb7 0x4e19df9 0x4e19503 0x4e190c7 0x4e15a11 0x4e11487 0x4e111b0 0x4e10056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x2cb060 @ 0x6ff0b060 mscorlib+0x95a1ac @ 0x7059a1ac DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72742a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7283cd14 0x91a062 0x56125a 0x5612a5 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 19 84 92 6d eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4e1a31f registers.esp: 36894380 registers.edi: 42647542 registers.eax: 0 registers.ebp: 36894428 registers.edx: 101787320 registers.ebx: 42647392 registers.esi: 42647612 registers.ecx: 101792672	1
__exception__ Oct. 28, 2021, 11:05 a.m.	stacktrace: 0x4e19eb7 0x4e19df9 0x4e19503 0x4e190c7 0x4e15a11 0x4e11487 0x4e111b0 0x4e10056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x2cb060 @ 0x6ff0b060 mscorlib+0x95a1ac @ 0x7059a1ac DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72742a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7283cd14 0x91a062 0x56125a 0x5612a5 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 19 84 92 6d eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4e1a31f registers.esp: 36894380 registers.edi: 43860122 registers.eax: 0 registers.ebp: 36894428 registers.edx: 101787320 registers.ebx: 43859972 registers.esi: 43860192 registers.ecx: 101792672	1
__exception__ Oct. 28, 2021, 11:05 a.m.	stacktrace: 0x4e1bc06 0x4e1bb59 0x4e19590 0x4e190c7 0x4e15a11 0x4e11487 0x4e111b0 0x4e10056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x2cb060 @ 0x6ff0b060 mscorlib+0x95a1ac @ 0x7059a1ac DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72742a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7283cd14 0x91a062 0x56125a 0x5612a5 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 19 84 92 6d eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4e1a31f registers.esp: 36894372 registers.edi: 44899142 registers.eax: 0 registers.ebp: 36894420 registers.edx: 101787320 registers.ebx: 44898992 registers.esi: 44899212 registers.ecx: 101792672	1
__exception__ Oct. 28, 2021, 11:05 a.m.	stacktrace: 0x4e1bc06 0x4e1bb59 0x4e19590 0x4e190c7 0x4e15a11 0x4e11487 0x4e111b0 0x4e10056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x2cb060 @ 0x6ff0b060 mscorlib+0x95a1ac @ 0x7059a1ac DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72742a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7283cd14 0x91a062 0x56125a 0x5612a5 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 19 84 92 6d eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4e1a31f registers.esp: 36894372 registers.edi: 46018706 registers.eax: 0 registers.ebp: 36894420 registers.edx: 101787320 registers.ebx: 46018556 registers.esi: 46018776 registers.ecx: 101792672	1
__exception__ Oct. 28, 2021, 11:05 a.m.	stacktrace: 0x4e1bc06 0x4e1bb59 0x4e19590 0x4e190c7 0x4e15a11 0x4e11487 0x4e111b0 0x4e10056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x2cb060 @ 0x6ff0b060 mscorlib+0x95a1ac @ 0x7059a1ac DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72742a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7283cd14 0x91a062 0x56125a 0x5612a5 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 19 84 92 6d eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4e1a31f registers.esp: 36894372 registers.edi: 42412858 registers.eax: 0 registers.ebp: 36894420 registers.edx: 101787320 registers.ebx: 42412708 registers.esi: 42412928 registers.ecx: 101792672	1
__exception__ Oct. 28, 2021, 11:05 a.m.	stacktrace: 0x4e1c115 0x4e1c069 0x4e19608 0x4e190c7 0x4e15a11 0x4e11487 0x4e111b0 0x4e10056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x2cb060 @ 0x6ff0b060 mscorlib+0x95a1ac @ 0x7059a1ac DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72742a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7283cd14 0x91a062 0x56125a 0x5612a5 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 19 84 92 6d eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4e1a31f registers.esp: 36894376 registers.edi: 43532514 registers.eax: 0 registers.ebp: 36894424 registers.edx: 101787320 registers.ebx: 43532364 registers.esi: 43532584 registers.ecx: 101792672	1
__exception__ Oct. 28, 2021, 11:05 a.m.	stacktrace: 0x4e1c115 0x4e1c069 0x4e19608 0x4e190c7 0x4e15a11 0x4e11487 0x4e111b0 0x4e10056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x2cb060 @ 0x6ff0b060 mscorlib+0x95a1ac @ 0x7059a1ac DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72742a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7283cd14 0x91a062 0x56125a 0x5612a5 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 19 84 92 6d eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4e1a31f registers.esp: 36894376 registers.edi: 44711234 registers.eax: 0 registers.ebp: 36894424 registers.edx: 101787320 registers.ebx: 44711084 registers.esi: 44711304 registers.ecx: 101792672	1
__exception__ Oct. 28, 2021, 11:05 a.m.	stacktrace: 0x4e1c115 0x4e1c069 0x4e19608 0x4e190c7 0x4e15a11 0x4e11487 0x4e111b0 0x4e10056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x2cb060 @ 0x6ff0b060 mscorlib+0x95a1ac @ 0x7059a1ac DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72742a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7283cd14 0x91a062 0x56125a 0x5612a5 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 19 84 92 6d eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4e1a31f registers.esp: 36894376 registers.edi: 45889954 registers.eax: 0 registers.ebp: 36894424 registers.edx: 101787320 registers.ebx: 45889804 registers.esi: 45890024 registers.ecx: 101792672	1
__exception__ Oct. 28, 2021, 11:05 a.m.	stacktrace: 0x4e1c505 0x4e1c459 0x4e19676 0x4e190c7 0x4e15a11 0x4e11487 0x4e111b0 0x4e10056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x2cb060 @ 0x6ff0b060 mscorlib+0x95a1ac @ 0x7059a1ac DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72742a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7283cd14 0x91a062 0x56125a 0x5612a5 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 19 84 92 6d eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4e1a31f registers.esp: 36894376 registers.edi: 42520882 registers.eax: 0 registers.ebp: 36894424 registers.edx: 101787320 registers.ebx: 42520732 registers.esi: 42520952 registers.ecx: 101792672	1
__exception__ Oct. 28, 2021, 11:05 a.m.	stacktrace: 0x4e1c505 0x4e1c459 0x4e19676 0x4e190c7 0x4e15a11 0x4e11487 0x4e111b0 0x4e10056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x2cb060 @ 0x6ff0b060 mscorlib+0x95a1ac @ 0x7059a1ac DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72742a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7283cd14 0x91a062 0x56125a 0x5612a5 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 19 84 92 6d eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4e1a31f registers.esp: 36894376 registers.edi: 43701722 registers.eax: 0 registers.ebp: 36894424 registers.edx: 101787320 registers.ebx: 43701572 registers.esi: 43701792 registers.ecx: 101792672	1
__exception__ Oct. 28, 2021, 11:05 a.m.	stacktrace: 0x4e1c505 0x4e1c459 0x4e19676 0x4e190c7 0x4e15a11 0x4e11487 0x4e111b0 0x4e10056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x2cb060 @ 0x6ff0b060 mscorlib+0x95a1ac @ 0x7059a1ac DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72742a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7283cd14 0x91a062 0x56125a 0x5612a5 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 19 84 92 6d eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4e1a31f registers.esp: 36894376 registers.edi: 44882562 registers.eax: 0 registers.ebp: 36894424 registers.edx: 101787320 registers.ebx: 44882412 registers.esi: 44882632 registers.ecx: 101792672	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 72 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fe0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 45056 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00561000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 106496 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00572000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058d000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02330000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02070000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00912000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02491000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0091a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0091c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02493000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0092c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0094b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00947000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02494000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00936000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0093a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00937000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00945000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0093b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0092a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0093c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0093d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00938000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x059af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x059a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x059a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2021, 11:05 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0093e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0002b200', u'virtual_address': u'0x000a5000', u'entropy': 7.997796366602558, u'name': u'.data', u'virtual_size': u'0x0002b01c'}

entropy

7.9977963666

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 28, 2021, 11:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: AddressBook base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: Connection Manager base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: DirectDrawEx base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: EditPlus base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: ENTERPRISE base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: Fontcore base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: Google Chrome base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: IE40 base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: IE4Data base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: IE5BAKEX base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: IEData base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: MobileOptionPack base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: SchedulingAgent base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: WIC base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Oct. 28, 2021, 11:05 a.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x000003a0 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Communicates with host for which no DNS query was performed (1 event)

host

65.108.14.118

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Oct. 28, 2021, 11:05 a.m.	key_handle: 0x00000208 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Fragtor.35576
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.8d6c6b
ESET-NOD32	a variant of Win32/Kryptik.HNCG
APEX	Malicious
Kaspersky	UDS:Trojan-Spy.Win32.Stealer.gen
BitDefender	Gen:Variant.Fragtor.35576
Avast	FileRepMalware
Ad-Aware	Gen:Variant.Fragtor.35576
Emsisoft	Gen:Variant.Fragtor.35576 (B)
VIPRE	MultiPlug (v)
McAfee-GW-Edition	BehavesLike.Win32.BadFile.dh
FireEye	Generic.mg.8c957f8e5cc91f64
Sophos	Generic ML PUA (PUA)
MAX	malware (ai score=81)
Kingsoft	Win32.Hack.Undef.(kcloud)
Microsoft	Trojan:MSIL/RedLine.RPS!MTB
GData	Gen:Variant.Fragtor.35576
Cynet	Malicious (score: 100)
Acronis	suspicious
McAfee	Artemis!8C957F8E5CC9
Malwarebytes	MachineLearning/Anomalous.100%
SentinelOne	Static AI - Malicious PE
BitDefenderTheta	Gen:NN.ZexaF.34236.5KW@aSVbJHd
AVG	FileRepMalware
MaxSecure	Trojan.Malware.300983.susgen

126808361.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All