Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 1, 2021, 10:57 a.m.	Nov. 1, 2021, 11:10 a.m.

Size	262.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`41160c159e96fe0d09c15781bd7584c4`
SHA256	`72edd23e253d4ed4363dbb87bee25cffc5fbaa54b810f2cf49c41bfca33034dd`
CRC32	`5331888E`
ssdeep	`6144:HF0IFkOPIaMvYUfB8Xro7PGW5LQHDGxhaYwG:HhkOwamYUpIrIQAhaYp`
PDB Path	C:\tudesomu\joxepin\12\mivexexininicu-gorolenenu\l.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

clapp.exe "C:\Users\test22\AppData\Local\Temp\clapp.exe"
1108
- clapp.exe "C:\Users\test22\AppData\Local\Temp\clapp.exe"
  288

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.215.113.29	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.29:36224 -> 192.168.56.101:49204	2400024	ET DROP Spamhaus DROP Listed Traffic Inbound group 25	Misc Attack

Suricata TLS

No Suricata TLS

Queries for the computername (10 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 1, 2021, 10:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 10:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 10:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 10:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 10:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 10:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 10:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 10:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 10:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 10:58 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 1, 2021, 10:58 a.m.			0	0
IsDebuggerPresent Nov. 1, 2021, 10:58 a.m.			0	0
IsDebuggerPresent Nov. 1, 2021, 10:58 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (13 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 1, 2021, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050c568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050c568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050c5a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050c5a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050c5a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050c5a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050c828 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050ce28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050ce68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050ce68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050d168 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050d168 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050cee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

C:\tudesomu\joxepin\12\mivexexininicu-gorolenenu\l.pdb

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 1, 2021, 10:58 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.bit

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	AFX_DIALOG_LAYOUT
resource name	None

One or more processes crashed (13 events)

Time & API	Arguments	Status
__exception__ Nov. 1, 2021, 10:58 a.m.	stacktrace: 0x235596a 0x23558e5 0x235183c 0x2351590 0x2350426 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d 0x2350398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72532652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3133fd @ 0x6ff533fd mscorlib+0x9873b1 @ 0x705c73b1 mscorlib+0x97b352 @ 0x705bb352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72532a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7262cd14 0x49a062 clapp+0x2403 @ 0x402403 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x23559f9 registers.esp: 1633768 registers.edi: 39304408 registers.eax: 0 registers.ebp: 1633792 registers.edx: 5147592 registers.ebx: 38160680 registers.esi: 39304588 registers.ecx: 0	1
__exception__ Nov. 1, 2021, 10:58 a.m.	stacktrace: 0x2357d37 0x2357c79 0x2357383 0x2356f0a 0x2355e99 0x23518a6 0x2351590 0x2350426 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d 0x2350398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72532652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3133fd @ 0x6ff533fd mscorlib+0x9873b1 @ 0x705c73b1 mscorlib+0x97b352 @ 0x705bb352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72532a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7262cd14 0x49a062 clapp+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 99 a5 1d 70 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x235819f registers.esp: 1633496 registers.edi: 40389738 registers.eax: 0 registers.ebp: 1633544 registers.edx: 96541600 registers.ebx: 40389588 registers.esi: 40389808 registers.ecx: 96546952	1
__exception__ Nov. 1, 2021, 10:58 a.m.	stacktrace: 0x2357d37 0x2357c79 0x2357383 0x2356f0a 0x2355e99 0x23518a6 0x2351590 0x2350426 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d 0x2350398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72532652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3133fd @ 0x6ff533fd mscorlib+0x9873b1 @ 0x705c73b1 mscorlib+0x97b352 @ 0x705bb352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72532a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7262cd14 0x49a062 clapp+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 99 a5 1d 70 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x235819f registers.esp: 1633496 registers.edi: 41454522 registers.eax: 0 registers.ebp: 1633544 registers.edx: 96541600 registers.ebx: 41454372 registers.esi: 41454592 registers.ecx: 96546952	1
__exception__ Nov. 1, 2021, 10:58 a.m.	stacktrace: 0x2357d37 0x2357c79 0x2357383 0x2356f0a 0x2355e99 0x23518a6 0x2351590 0x2350426 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d 0x2350398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72532652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3133fd @ 0x6ff533fd mscorlib+0x9873b1 @ 0x705c73b1 mscorlib+0x97b352 @ 0x705bb352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72532a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7262cd14 0x49a062 clapp+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 99 a5 1d 70 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x235819f registers.esp: 1633496 registers.edi: 42494458 registers.eax: 0 registers.ebp: 1633544 registers.edx: 96541600 registers.ebx: 42494308 registers.esi: 42494528 registers.ecx: 96546952	1
__exception__ Nov. 1, 2021, 10:58 a.m.	stacktrace: 0x2359bb6 0x2359b09 0x2357410 0x2356f0a 0x2355e99 0x23518a6 0x2351590 0x2350426 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d 0x2350398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72532652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3133fd @ 0x6ff533fd mscorlib+0x9873b1 @ 0x705c73b1 mscorlib+0x97b352 @ 0x705bb352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72532a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7262cd14 0x49a062 clapp+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 99 a5 1d 70 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x235819f registers.esp: 1633488 registers.edi: 39887382 registers.eax: 0 registers.ebp: 1633536 registers.edx: 96541600 registers.ebx: 39887232 registers.esi: 39887452 registers.ecx: 96546952	1
__exception__ Nov. 1, 2021, 10:58 a.m.	stacktrace: 0x2359bb6 0x2359b09 0x2357410 0x2356f0a 0x2355e99 0x23518a6 0x2351590 0x2350426 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d 0x2350398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72532652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3133fd @ 0x6ff533fd mscorlib+0x9873b1 @ 0x705c73b1 mscorlib+0x97b352 @ 0x705bb352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72532a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7262cd14 0x49a062 clapp+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 99 a5 1d 70 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x235819f registers.esp: 1633488 registers.edi: 41006946 registers.eax: 0 registers.ebp: 1633536 registers.edx: 96541600 registers.ebx: 41006796 registers.esi: 41007016 registers.ecx: 96546952	1
__exception__ Nov. 1, 2021, 10:58 a.m.	stacktrace: 0x2359bb6 0x2359b09 0x2357410 0x2356f0a 0x2355e99 0x23518a6 0x2351590 0x2350426 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d 0x2350398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72532652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3133fd @ 0x6ff533fd mscorlib+0x9873b1 @ 0x705c73b1 mscorlib+0x97b352 @ 0x705bb352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72532a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7262cd14 0x49a062 clapp+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 99 a5 1d 70 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x235819f registers.esp: 1633488 registers.edi: 39858422 registers.eax: 0 registers.ebp: 1633536 registers.edx: 96541600 registers.ebx: 39858272 registers.esi: 39858492 registers.ecx: 96546952	1
__exception__ Nov. 1, 2021, 10:58 a.m.	stacktrace: 0x235a0c5 0x235a019 0x2357488 0x2356f0a 0x2355e99 0x23518a6 0x2351590 0x2350426 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d 0x2350398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72532652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3133fd @ 0x6ff533fd mscorlib+0x9873b1 @ 0x705c73b1 mscorlib+0x97b352 @ 0x705bb352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72532a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7262cd14 0x49a062 clapp+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 99 a5 1d 70 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x235819f registers.esp: 1633492 registers.edi: 40978078 registers.eax: 0 registers.ebp: 1633540 registers.edx: 96541600 registers.ebx: 40977928 registers.esi: 40978148 registers.ecx: 96546952	1
__exception__ Nov. 1, 2021, 10:58 a.m.	stacktrace: 0x235a0c5 0x235a019 0x2357488 0x2356f0a 0x2355e99 0x23518a6 0x2351590 0x2350426 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d 0x2350398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72532652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3133fd @ 0x6ff533fd mscorlib+0x9873b1 @ 0x705c73b1 mscorlib+0x97b352 @ 0x705bb352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72532a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7262cd14 0x49a062 clapp+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 99 a5 1d 70 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x235819f registers.esp: 1633492 registers.edi: 42156798 registers.eax: 0 registers.ebp: 1633540 registers.edx: 96541600 registers.ebx: 42156648 registers.esi: 42156868 registers.ecx: 96546952	1
__exception__ Nov. 1, 2021, 10:58 a.m.	stacktrace: 0x235a0c5 0x235a019 0x2357488 0x2356f0a 0x2355e99 0x23518a6 0x2351590 0x2350426 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d 0x2350398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72532652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3133fd @ 0x6ff533fd mscorlib+0x9873b1 @ 0x705c73b1 mscorlib+0x97b352 @ 0x705bb352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72532a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7262cd14 0x49a062 clapp+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 99 a5 1d 70 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x235819f registers.esp: 1633492 registers.edi: 43335518 registers.eax: 0 registers.ebp: 1633540 registers.edx: 96541600 registers.ebx: 43335368 registers.esi: 43335588 registers.ecx: 96546952	1
__exception__ Nov. 1, 2021, 10:58 a.m.	stacktrace: 0x235a4b5 0x235a409 0x23574f6 0x2356f0a 0x2355e99 0x23518a6 0x2351590 0x2350426 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d 0x2350398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72532652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3133fd @ 0x6ff533fd mscorlib+0x9873b1 @ 0x705c73b1 mscorlib+0x97b352 @ 0x705bb352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72532a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7262cd14 0x49a062 clapp+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 99 a5 1d 70 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x235819f registers.esp: 1633492 registers.edi: 39738786 registers.eax: 0 registers.ebp: 1633540 registers.edx: 96541600 registers.ebx: 39738636 registers.esi: 39738856 registers.ecx: 96546952	1
__exception__ Nov. 1, 2021, 10:58 a.m.	stacktrace: 0x235a4b5 0x235a409 0x23574f6 0x2356f0a 0x2355e99 0x23518a6 0x2351590 0x2350426 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d 0x2350398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72532652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3133fd @ 0x6ff533fd mscorlib+0x9873b1 @ 0x705c73b1 mscorlib+0x97b352 @ 0x705bb352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72532a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7262cd14 0x49a062 clapp+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 99 a5 1d 70 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x235819f registers.esp: 1633492 registers.edi: 40919626 registers.eax: 0 registers.ebp: 1633540 registers.edx: 96541600 registers.ebx: 40919476 registers.esi: 40919696 registers.ecx: 96546952	1
__exception__ Nov. 1, 2021, 10:58 a.m.	stacktrace: 0x235a4b5 0x235a409 0x23574f6 0x2356f0a 0x2355e99 0x23518a6 0x2351590 0x2350426 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d 0x2350398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72532652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x725b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x725b1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3133fd @ 0x6ff533fd mscorlib+0x9873b1 @ 0x705c73b1 mscorlib+0x97b352 @ 0x705bb352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72532a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7262cd14 0x49a062 clapp+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 99 a5 1d 70 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x235819f registers.esp: 1633492 registers.edi: 42100466 registers.eax: 0 registers.ebp: 1633540 registers.edx: 96541600 registers.ebx: 42100316 registers.esi: 42100536 registers.ecx: 96546952	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 64 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 1, 2021, 10:57 a.m.	process_identifier: 1108 region_size: 139264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 1108 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00450000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02110000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72531000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72532000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02230000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01cdc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01cfb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01cf7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01cf5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ce6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01cea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ce7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ceb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01cda000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01cec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ced000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ce8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0511f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05110000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05111000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02351000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02352000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01cfc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02353000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01cdd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02354000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02355000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01cee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00031400', u'virtual_address': u'0x00001000', u'entropy': 7.796502847071875, u'name': u'.text', u'virtual_size': u'0x00031203'}

entropy

7.79650284707

description

A section with a high entropy has been found

entropy

0.753346080306

description

Overall entropy of this PE file is high

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: AddressBook base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: Connection Manager base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: DirectDrawEx base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: EditPlus base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: ENTERPRISE base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: Fontcore base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: Google Chrome base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: IE40 base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: IE4Data base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: IE5BAKEX base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: IEData base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: MobileOptionPack base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: SchedulingAgent base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: WIC base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Nov. 1, 2021, 10:58 a.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x00000458 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (1 event)

host

185.215.113.29

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 208896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Executes one or more WMI queries (7 events)

wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 1, 2021, 10:58 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 288 process_handle: 0x00000080	1	1	0

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 10:58 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1108 called NtSetContextThread to modify thread in remote process 288
NtSetContextThread Nov. 1, 2021, 10:58 a.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4246831 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 288	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1108 resumed a thread in remote process 288
NtResumeThread Nov. 1, 2021, 10:58 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 288	1	0	0

Executed a process and injected code into it, probably while unpacking (21 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Nov. 1, 2021, 10:58 a.m.	thread_identifier: 2084 thread_handle: 0x0000007c process_identifier: 288 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\clapp.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\clapp.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\clapp.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread Nov. 1, 2021, 10:58 a.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection Nov. 1, 2021, 10:58 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 288 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 288 region_size: 208896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory Nov. 1, 2021, 10:58 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 288 process_handle: 0x00000080	1	1
NtSetContextThread Nov. 1, 2021, 10:58 a.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4246831 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 288	1	0
NtResumeThread Nov. 1, 2021, 10:58 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 288	1	0
NtResumeThread Nov. 1, 2021, 10:58 a.m.	thread_handle: 0x00000114 suspend_count: 1 process_identifier: 288	1	0
NtResumeThread Nov. 1, 2021, 10:58 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 288	1	0
NtResumeThread Nov. 1, 2021, 10:58 a.m.	thread_handle: 0x000001c8 suspend_count: 1 process_identifier: 288	1	0
NtResumeThread Nov. 1, 2021, 10:58 a.m.	thread_handle: 0x000002d8 suspend_count: 1 process_identifier: 288	1	0
NtResumeThread Nov. 1, 2021, 10:58 a.m.	thread_handle: 0x00000310 suspend_count: 1 process_identifier: 288	1	0
NtResumeThread Nov. 1, 2021, 10:58 a.m.	thread_handle: 0x000003d0 suspend_count: 1 process_identifier: 288	1	0
NtResumeThread Nov. 1, 2021, 10:58 a.m.	thread_handle: 0x000003ec suspend_count: 1 process_identifier: 288	1	0
NtResumeThread Nov. 1, 2021, 10:58 a.m.	thread_handle: 0x00000408 suspend_count: 1 process_identifier: 288	1	0
NtResumeThread Nov. 1, 2021, 10:58 a.m.	thread_handle: 0x00000420 suspend_count: 1 process_identifier: 288	1	0
NtResumeThread Nov. 1, 2021, 10:58 a.m.	thread_handle: 0x00000438 suspend_count: 1 process_identifier: 288	1	0
NtResumeThread Nov. 1, 2021, 10:58 a.m.	thread_handle: 0x00000454 suspend_count: 1 process_identifier: 288	1	0
NtResumeThread Nov. 1, 2021, 10:58 a.m.	thread_handle: 0x0000049c suspend_count: 1 process_identifier: 288	1	0
NtResumeThread Nov. 1, 2021, 10:58 a.m.	thread_handle: 0x0000042c suspend_count: 1 process_identifier: 288	1	0
NtResumeThread Nov. 1, 2021, 10:58 a.m.	thread_handle: 0x00000410 suspend_count: 1 process_identifier: 288	1	0

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Fragtor.36858
FireEye	Generic.mg.41160c159e96fe0d
McAfee	Artemis!41160C159E96
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7GW	Hacktool ( 700007861 )
Cybereason	malicious.aff642
BitDefenderTheta	Gen:NN.ZexaF.34236.qu0@a09KQhiG
Cyren	W32/Kryptik.FOQ.gen!Eldorado
Symantec	Packed.Generic.528
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:Trojan-Spy.Win32.Stealer.gen
BitDefender	Gen:Variant.Fragtor.36858
Rising	Malware.Heuristic!ET#98% (RDMK:cmRtazoRi3ADv7SS0urz/npR3KnQ)
Ad-Aware	Gen:Variant.Fragtor.36858
Emsisoft	Gen:Variant.Fragtor.36858 (B)
McAfee-GW-Edition	BehavesLike.Win32.Worm.dc
Sophos	ML/PE-A + Troj/Krypt-BO
SentinelOne	Static AI - Malicious PE
MAX	malware (ai score=80)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Gen:Variant.Fragtor.36858
Cynet	Malicious (score: 100)
Acronis	suspicious
VBA32	Malware-Cryptor.2LA.gen
Ikarus	Trojan.Win32.Crypt
eGambit	Unsafe.AI_Score_99%
CrowdStrike	win/malicious_confidence_100% (D)
MaxSecure	Trojan.Malware.300983.susgen

clapp.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All