Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 20, 2022, 11:22 a.m.	Jan. 20, 2022, 11:24 a.m.

Size	581.0KB
Type	MS-DOS executable
MD5	`965e83dcd89fe1e42fa4b620691a354e`
SHA256	`5a89c6bb26a9d65d713138be27feeb19b7db3c5846dc387cafcbd22028498d2f`
CRC32	`71C69E04`
ssdeep	`12288:5Ne02Hef3IHzTyNVRL0SJmeZ8wpJUzHbh:neiAf0VRHJH+wpSzF`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description) UPX_Zero - UPX packed file

7390_1642600879_2389.exe "C:\Users\test22\AppData\Local\Temp\7390_1642600879_2389.exe"
2792

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
37.9.13.169	Active	Moloch
51.255.48.204	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameA Jan. 20, 2022, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 20, 2022, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 20, 2022, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 20, 2022, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 20, 2022, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 20, 2022, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 20, 2022, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 20, 2022, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 20, 2022, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 20, 2022, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 20, 2022, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 20, 2022, 11:22 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 96 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0
IsDebuggerPresent Jan. 20, 2022, 11:22 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (9 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 20, 2022, 11:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b0aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 20, 2022, 11:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b0aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 20, 2022, 11:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b01a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 20, 2022, 11:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b0be8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 20, 2022, 11:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b0be8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 20, 2022, 11:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b01a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 20, 2022, 11:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b06e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 20, 2022, 11:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b09a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 20, 2022, 11:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b09a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 20, 2022, 11:22 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	BSS
section	.gfids

One or more processes crashed (50 out of 217 events)

Time & API	Arguments	Status
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 10 eb 02 87 3d 64 8f 00 eb 03 ba 5f 09 83 c4 exception.symbol: 7390_1642600879_2389+0x5a062 exception.instruction: mov edx, dword ptr [eax] exception.module: 7390_1642600879_2389.exe exception.exception_code: 0xc0000005 exception.offset: 368738 exception.address: 0x116a062 registers.esp: 1441168 registers.edi: 0 registers.eax: 0 registers.ebp: 1441188 registers.edx: 18259968 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 00 eb 03 81 74 62 64 8f 00 eb 03 8e 9d b8 83 exception.symbol: 7390_1642600879_2389+0x5ac87 exception.instruction: mov eax, dword ptr [eax] exception.module: 7390_1642600879_2389.exe exception.exception_code: 0xc0000005 exception.offset: 371847 exception.address: 0x116ac87 registers.esp: 1441136 registers.edi: 0 registers.eax: 0 registers.ebp: 1441188 registers.edx: 3455315681 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: exception.instruction_r: cd 01 40 40 eb 04 81 9b 68 c9 85 c0 eb 02 a2 c8 exception.symbol: 7390_1642600879_2389+0x70f13 exception.instruction: int 1 exception.module: 7390_1642600879_2389.exe exception.exception_code: 0xc0000005 exception.offset: 462611 exception.address: 0x1180f13 registers.esp: 1441128 registers.edi: 18353797 registers.eax: 0 registers.ebp: 4293281633 registers.edx: 0 registers.ebx: 18261525 registers.esi: 18261525 registers.ecx: 18354033	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: exception.instruction_r: 8b 0a eb 02 25 d5 e9 a5 fb ff ff eb 01 d2 8b 4d exception.symbol: 7390_1642600879_2389+0x5caa4 exception.instruction: mov ecx, dword ptr [edx] exception.module: 7390_1642600879_2389.exe exception.exception_code: 0xc0000005 exception.offset: 379556 exception.address: 0x116caa4 registers.esp: 1441136 registers.edi: 18345201 registers.eax: 0 registers.ebp: 4293287011 registers.edx: 0 registers.ebx: 4128768 registers.esi: 18261525 registers.ecx: 61994	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: exception.instruction_r: 0f 0b eb 03 b9 74 8c 0f 0b eb 03 ea 50 a5 e9 bc exception.symbol: 7390_1642600879_2389+0x5c862 exception.instruction: ud2 exception.module: 7390_1642600879_2389.exe exception.exception_code: 0xc000001d exception.offset: 378978 exception.address: 0x116c862 registers.esp: 1441136 registers.edi: 4521984 registers.eax: 1963101756 registers.ebp: 4293287011 registers.edx: 4521984 registers.ebx: 4128768 registers.esi: 4522212 registers.ecx: 0	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 7390_1642600879_2389+0x64795 @ 0x1174795 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5c986 @ 0x116c986 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x4001000a exception.offset: 46887 exception.address: 0x760cb727 registers.esp: 1440680 registers.edi: 4146572 registers.eax: 1440680 registers.ebp: 1440760 registers.edx: 0 registers.ebx: 4522212 registers.esi: 4538480 registers.ecx: 4	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 0x454190 7390_1642600879_2389+0x5c986 @ 0x116c986 exception.instruction_r: 0f 3f 07 0b c7 45 fc ff ff ff ff 33 c0 33 d2 39 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x454300 registers.esp: 1440776 registers.edi: 4147540 registers.eax: 1 registers.ebp: 1440788 registers.edx: 18269646 registers.ebx: 4522212 registers.esi: 4293342741 registers.ecx: 2020557398	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 7390_1642600879_2389+0x5c986 @ 0x116c986 exception.instruction_r: 8b 00 90 90 f8 eb 03 87 25 cc 73 48 eb 05 82 15 exception.instruction: mov eax, dword ptr [eax] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4541c0 registers.esp: 1440800 registers.edi: 4147540 registers.eax: 0 registers.ebp: 1441116 registers.edx: 2 registers.ebx: 4522212 registers.esi: 4293342741 registers.ecx: 2130563072	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 7390_1642600879_2389+0x5c986 @ 0x116c986 exception.instruction_r: 90 f8 eb 03 87 25 cc 73 48 eb 05 82 15 64 6d 8b exception.instruction: nop exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x4541c3 registers.esp: 1440800 registers.edi: 4147540 registers.eax: 0 registers.ebp: 1441116 registers.edx: 2 registers.ebx: 4522212 registers.esi: 4293342741 registers.ecx: 2130563072	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 7390_1642600879_2389+0x5c986 @ 0x116c986 exception.instruction_r: cc eb 04 0d e8 6c c3 33 c9 78 e1 8b 43 70 eb 02 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x454198 registers.esp: 1440796 registers.edi: 4149552 registers.eax: 0 registers.ebp: 1441116 registers.edx: 18269646 registers.ebx: 4522212 registers.esi: 1440796 registers.ecx: 170	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 7390_1642600879_2389+0x5c986 @ 0x116c986 exception.instruction_r: cd 01 40 40 eb 03 db b4 86 85 c0 eb 04 bc fa 54 exception.instruction: int 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x455cf0 registers.esp: 1440800 registers.edi: 4157116 registers.eax: 0 registers.ebp: 1441116 registers.edx: 4545998 registers.ebx: 4522212 registers.esi: 4293342741 registers.ecx: 18269646	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 7390_1642600879_2389+0x5c986 @ 0x116c986 exception.instruction_r: 0f 0b eb 04 d0 ae 3f 1d 0f 0b eb 04 db a0 ae 79 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x457516 registers.esp: 1440800 registers.edi: 4170200 registers.eax: 0 registers.ebp: 1441116 registers.edx: 18269646 registers.ebx: 4522212 registers.esi: 4293342741 registers.ecx: 235	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x77686ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x77686a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x73eb482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x77650143 7390_1642600879_2389+0x5c986 @ 0x116c986 exception.instruction_r: f7 f0 eb 04 a2 99 4e 39 eb 03 c8 2b 5f eb 05 01 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x457695 registers.esp: 1439008 registers.edi: 0 registers.eax: 0 registers.ebp: 1439024 registers.edx: 18269646 registers.ebx: 4552237 registers.esi: 0 registers.ecx: 1439676	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: exception.instruction_r: 8b 0a eb 01 d9 e9 74 01 00 00 eb 01 c8 8b 55 08 exception.symbol: 7390_1642600879_2389+0x5e799 exception.instruction: mov ecx, dword ptr [edx] exception.module: 7390_1642600879_2389.exe exception.exception_code: 0xc0000005 exception.offset: 386969 exception.address: 0x116e799 registers.esp: 1441136 registers.edi: 4184224 registers.eax: 92 registers.ebp: 4293293084 registers.edx: 0 registers.ebx: 4128768 registers.esi: 4522212 registers.ecx: 0	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 7390_1642600879_2389+0x5f5d2 @ 0x116f5d2 exception.instruction_r: f7 f1 eb 01 db e9 f1 02 00 00 eb 03 fe 81 14 8b exception.symbol: 7390_1642600879_2389+0x5ec10 exception.instruction: div ecx exception.module: 7390_1642600879_2389.exe exception.exception_code: 0xc0000094 exception.offset: 388112 exception.address: 0x116ec10 registers.esp: 1441024 registers.edi: 4184224 registers.eax: 1365210117 registers.ebp: 1441116 registers.edx: 18281456 registers.ebx: 4522212 registers.esi: 17891328 registers.ecx: 0	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: exception.instruction_r: f7 f9 eb 01 38 e9 51 09 00 00 eb 03 ba 6d ea 0f exception.symbol: 7390_1642600879_2389+0x5ec58 exception.instruction: idiv ecx exception.module: 7390_1642600879_2389.exe exception.exception_code: 0xc0000094 exception.offset: 388184 exception.address: 0x116ec58 registers.esp: 1441136 registers.edi: 4422852 registers.eax: 4422852 registers.ebp: 4293293084 registers.edx: 2130566132 registers.ebx: 4128768 registers.esi: 4522212 registers.ecx: 0	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: 8b c2 eb 05 d8 b0 90 ad 07 55 8b 60 83 6c 24 20 exception.instruction: mov eax, edx exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x45e86d registers.esp: 1440788 registers.edi: 4437880 registers.eax: 0 registers.ebp: 1440812 registers.edx: 18269646 registers.ebx: 4522212 registers.esi: 4580860 registers.ecx: 10	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: f7 f0 eb 02 f1 8a eb 03 3b b6 fc cc eb 05 11 83 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x45e7a9 registers.esp: 1440788 registers.edi: 4437880 registers.eax: 0 registers.ebp: 1440812 registers.edx: 18269646 registers.ebx: 4522212 registers.esi: 4580860 registers.ecx: 10	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: 0f 0b 0f 0b eb b7 eb 01 fe eb 01 b2 33 d2 72 30 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x45e7e0 registers.esp: 1440788 registers.edi: 4437880 registers.eax: 0 registers.ebp: 1440812 registers.edx: 18269646 registers.ebx: 4522212 registers.esi: 4580860 registers.ecx: 10	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 0x45e684 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: 0f 3f 07 0b c7 45 fc ff ff ff ff 33 c0 33 d2 39 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x45e7f4 registers.esp: 1440776 registers.edi: 4439168 registers.eax: 1 registers.ebp: 1440788 registers.edx: 18269646 registers.ebx: 4522212 registers.esi: 4293342741 registers.ecx: 2020557398	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: 8b 00 90 90 f8 eb 03 87 25 cc 73 48 eb 05 82 15 exception.instruction: mov eax, dword ptr [eax] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x45e6b4 registers.esp: 1440800 registers.edi: 4439168 registers.eax: 0 registers.ebp: 1441116 registers.edx: 2 registers.ebx: 4522212 registers.esi: 4293342741 registers.ecx: 2130563072	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: 90 f8 eb 03 87 25 cc 73 48 eb 05 82 15 64 6d 8b exception.instruction: nop exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x45e6b7 registers.esp: 1440800 registers.edi: 4439168 registers.eax: 0 registers.ebp: 1441116 registers.edx: 2 registers.ebx: 4522212 registers.esi: 4293342741 registers.ecx: 2130563072	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: 0f b7 53 06 eb 03 3d 6d ae c1 e2 10 eb 05 d3 2d exception.instruction: movzx edx, word ptr [ebx + 6] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x45e684 registers.esp: 1440784 registers.edi: 4522212 registers.eax: 0 registers.ebp: 1440812 registers.edx: 1440804 registers.ebx: 67154072 registers.esi: 4293342741 registers.ecx: 227	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: cd 01 40 40 eb 03 db b4 86 85 c0 eb 04 bc fa 54 exception.instruction: int 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x45e660 registers.esp: 1440800 registers.edi: 4441228 registers.eax: 0 registers.ebp: 1441116 registers.edx: 4581182 registers.ebx: 4522212 registers.esi: 4293342741 registers.ecx: 18269646	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: 8b c2 eb 05 d8 b0 90 ad 07 55 8b 60 eb 01 9f 83 exception.instruction: mov eax, edx exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x45f3e1 registers.esp: 1440788 registers.edi: 4444756 registers.eax: 0 registers.ebp: 1440812 registers.edx: 18269646 registers.ebx: 4522212 registers.esi: 4583792 registers.ecx: 10	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: 8b c2 eb 05 d8 b0 90 ad 07 55 8b 60 eb 01 9f 83 exception.instruction: mov eax, edx exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x45f3e1 registers.esp: 1440788 registers.edi: 4444756 registers.eax: 0 registers.ebp: 1440812 registers.edx: 18269646 registers.ebx: 4522212 registers.esi: 4583792 registers.ecx: 10	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: 8b c2 eb 05 d8 b0 90 ad 07 55 8b 60 eb 01 9f 83 exception.instruction: mov eax, edx exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x45f3e1 registers.esp: 1440788 registers.edi: 4444756 registers.eax: 0 registers.ebp: 1440812 registers.edx: 18269646 registers.ebx: 4522212 registers.esi: 4583792 registers.ecx: 10	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: 8b c2 eb 05 d8 b0 90 ad 07 55 8b 60 eb 01 9f 83 exception.instruction: mov eax, edx exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x45f3e1 registers.esp: 1440788 registers.edi: 4444756 registers.eax: 0 registers.ebp: 1440812 registers.edx: 18269646 registers.ebx: 4522212 registers.esi: 4583792 registers.ecx: 10	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: cc eb 05 11 83 f9 a1 d8 5e 5b 8b e5 5d c3 eb 05 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x45f328 registers.esp: 1440788 registers.edi: 4444756 registers.eax: 0 registers.ebp: 1440812 registers.edx: 18269646 registers.ebx: 4522212 registers.esi: 4583792 registers.ecx: 10	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: 0f 0b 0f 0b eb b7 eb 01 fe eb 01 b2 33 d2 72 30 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x45f354 registers.esp: 1440788 registers.edi: 4444756 registers.eax: 0 registers.ebp: 1440812 registers.edx: 18269646 registers.ebx: 4522212 registers.esi: 4583792 registers.ecx: 10	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: 0f 0b eb 04 d0 ae 3f 1d 0f 0b eb 04 db a0 ae 79 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x45f972 registers.esp: 1440800 registers.edi: 4448956 registers.eax: 0 registers.ebp: 1441116 registers.edx: 18269646 registers.ebx: 4522212 registers.esi: 4293342741 registers.ecx: 235	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x77686ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x77686a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x73eb482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x77650143 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: f7 f0 eb 04 a2 99 4e 39 eb 03 c8 2b 5f eb 05 01 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x45faf1 registers.esp: 1439008 registers.edi: 0 registers.eax: 0 registers.ebp: 1439024 registers.edx: 18269646 registers.ebx: 4586121 registers.esi: 0 registers.ecx: 1439676	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: cc eb 05 c6 a7 53 e5 c6 eb 03 80 2d c6 eb 05 8e exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x45fe0e registers.esp: 17889172 registers.edi: 1987096830 registers.eax: 0 registers.ebp: 17889232 registers.edx: 4525556 registers.ebx: 4522212 registers.esi: 17889172 registers.ecx: 0	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: exception.instruction_r: cc eb 04 ea e1 9d d8 3c 04 eb 03 f0 05 1c 75 52 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x465da3 registers.esp: 1440796 registers.edi: 4475844 registers.eax: 4 registers.ebp: 1111705675 registers.edx: 18269646 registers.ebx: 4522212 registers.esi: 4293342741 registers.ecx: 142	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: cd 68 eb 03 87 bf 05 66 3d 86 f3 eb 04 68 ab a5 exception.instruction: int 0x68 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x465d8b registers.esp: 1440800 registers.edi: 4476408 registers.eax: 17152 registers.ebp: 1441116 registers.edx: 18269646 registers.ebx: 4522212 registers.esi: 4293342741 registers.ecx: 154	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 0x465d28 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: f7 f0 eb 01 87 eb 1f eb 04 a3 6a ae 18 eb 05 c1 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x45cb6d registers.esp: 1440440 registers.edi: 4480016 registers.eax: 0 registers.ebp: 1440800 registers.edx: 0 registers.ebx: 4522212 registers.esi: 4573884 registers.ecx: 4522212	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 0x465e0c 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: 0f 0b 0f 0b eb 03 00 83 f9 eb 01 8f f7 f0 eb 02 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x45d7f5 registers.esp: 1440420 registers.edi: 4611620 registers.eax: 0 registers.ebp: 1440780 registers.edx: 4577106 registers.ebx: 4522212 registers.esi: 4577106 registers.ecx: 4522212	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 0x467c25 0x467acf 0x467449 0x466a9f 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: f7 f0 eb 01 87 eb 1f eb 04 a3 6a ae 18 eb 05 c1 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x45cb6d registers.esp: 1440084 registers.edi: 4483432 registers.eax: 0 registers.ebp: 1440444 registers.edx: 0 registers.ebx: 4522212 registers.esi: 4573884 registers.ecx: 4522212	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 0x467c96 0x467acf 0x467449 0x466a9f 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: 0f 0b 0f 0b eb 03 00 83 f9 eb 01 8f f7 f0 eb 02 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x45d7f5 registers.esp: 1440084 registers.edi: 4483432 registers.eax: 0 registers.ebp: 1440444 registers.edx: 4577106 registers.ebx: 4522212 registers.esi: 4577106 registers.ecx: 4522212	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 0x467cbc 0x4676fa 0x46748c 0x466a9f 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: f7 f0 eb 01 87 eb 1f eb 04 a3 6a ae 18 eb 05 c1 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x45cb6d registers.esp: 1439780 registers.edi: 1440314 registers.eax: 0 registers.ebp: 1440140 registers.edx: 1439928 registers.ebx: 4522212 registers.esi: 4573884 registers.ecx: 4522212	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 0x467dcb 0x4676fa 0x46748c 0x466a9f 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: 0f 0b 0f 0b eb 03 00 83 f9 eb 01 8f f7 f0 eb 02 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x45d7f5 registers.esp: 1439780 registers.edi: 1440314 registers.eax: 0 registers.ebp: 1440140 registers.edx: 4577106 registers.ebx: 4522212 registers.esi: 4577106 registers.ecx: 4522212	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 0x467cbc 0x46765a 0x4674ee 0x466a9f 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: f7 f0 eb 01 87 eb 1f eb 04 a3 6a ae 18 eb 05 c1 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x45cb6d registers.esp: 1439776 registers.edi: 1440278 registers.eax: 0 registers.ebp: 1440136 registers.edx: 0 registers.ebx: 4522212 registers.esi: 4573884 registers.ecx: 4522212	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 0x467dcb 0x46765a 0x4674ee 0x466a9f 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: 0f 0b 0f 0b eb 03 00 83 f9 eb 01 8f f7 f0 eb 02 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x45d7f5 registers.esp: 1439776 registers.edi: 1440278 registers.eax: 0 registers.ebp: 1440136 registers.edx: 4577106 registers.ebx: 4522212 registers.esi: 4577106 registers.ecx: 4522212	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 0x4680c4 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: f7 f0 eb 01 87 eb 1f eb 04 a3 6a ae 18 eb 05 c1 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x45cb6d registers.esp: 1440440 registers.edi: 4489180 registers.eax: 0 registers.ebp: 1440800 registers.edx: 0 registers.ebx: 4522212 registers.esi: 4573884 registers.ecx: 4522212	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 0x468ef7 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: f7 f0 eb 01 87 eb 1f eb 04 a3 6a ae 18 eb 05 c1 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x45cb6d registers.esp: 1440356 registers.edi: 4489180 registers.eax: 0 registers.ebp: 1440716 registers.edx: 4620484 registers.ebx: 4522212 registers.esi: 4573884 registers.ecx: 4522212	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 0x4692a7 0x4687a9 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: 0f 0b 0f 0b eb 03 00 83 f9 eb 01 8f f7 f0 eb 02 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x45d7f5 registers.esp: 1439948 registers.edi: 4489180 registers.eax: 0 registers.ebp: 1440308 registers.edx: 4577106 registers.ebx: 4522212 registers.esi: 4577106 registers.ecx: 4522212	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 0x46890a 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: 0f 0b 0f 0b eb 03 00 83 f9 eb 01 8f f7 f0 eb 02 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x45d7f5 registers.esp: 1440360 registers.edi: 4489180 registers.eax: 0 registers.ebp: 1440720 registers.edx: 4577106 registers.ebx: 4522212 registers.esi: 4577106 registers.ecx: 4522212	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 0x46b347 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: 0f 0b 0f 0b eb 02 ca 49 eb 05 3e f7 aa 59 45 f7 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x45cb5e registers.esp: 1439392 registers.edi: 1986955761 registers.eax: 0 registers.ebp: 1439752 registers.edx: 1075839615 registers.ebx: 4522212 registers.esi: 4573884 registers.ecx: 4522212	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 0x46b74b 0x46edcf 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: 0f 0b 0f 0b eb 03 00 83 f9 eb 01 8f f7 f0 eb 02 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x45d7f5 registers.esp: 1438600 registers.edi: 4279979320 registers.eax: 0 registers.ebp: 1438960 registers.edx: 4577106 registers.ebx: 4522212 registers.esi: 4577106 registers.ecx: 4522212	1
__exception__ Jan. 20, 2022, 11:22 a.m.	stacktrace: 0x46bc98 7390_1642600879_2389+0x715db @ 0x11815db 7390_1642600879_2389+0x5fe3c @ 0x116fe3c exception.instruction_r: f7 f0 eb 01 87 eb 1f eb 04 a3 6a ae 18 eb 05 c1 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x45cb6d registers.esp: 1439384 registers.edi: 1986955761 registers.eax: 0 registers.ebp: 1439744 registers.edx: 374 registers.ebx: 4522212 registers.esi: 4573884 registers.ecx: 4522212	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 114 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00450000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77650000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 262144 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74871000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73da2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x776df000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 241664 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01112000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74352000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 331776 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74d91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 299008 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76650000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 651264 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 258048 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x760c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73472000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c5b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1282048 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x767e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 614400 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76ae0000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00515000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00517000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73b8a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73b0f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 20, 2022, 11:22 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x004f0000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Jan. 20, 2022, 11:23 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000179dd', u'virtual_address': u'0x0005a000', u'entropy': 7.99716179318894, u'name': u'.text', u'virtual_size': u'0x00018000'}

entropy

7.99716179319

description

A section with a high entropy has been found

entropy

0.479424490383

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Jan. 20, 2022, 11:22 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Expresses interest in specific running processes (1 event)

process

7390_1642600879_2389.exe

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000390 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: AddressBook base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: Connection Manager base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: DirectDrawEx base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: EditPlus base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: ENTERPRISE base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: Fontcore base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: Google Chrome base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: IE40 base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: IE4Data base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: IE5BAKEX base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: IEData base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: MobileOptionPack base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: SchedulingAgent base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: WIC base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Jan. 20, 2022, 11:22 a.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x00000390 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (2 events)

host	37.9.13.169
host	51.255.48.204

Checks for the presence of known devices from debuggers and forensic tools (2 events)

file	\??\SICE
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (2 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowW Jan. 20, 2022, 11:22 a.m.	class_name: WinDbgFrameClass window_name:		0	0
FindWindowExW Jan. 20, 2022, 11:22 a.m.	class_name: OLLYDBG child_after_hwnd: 0x00000000 parent_hwnd: 0x00000000 window_name: OllyDBg	1	459066	0

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Jan. 20, 2022, 11:22 a.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Detects VirtualBox through the presence of a device (1 event)

file	\??\VBoxGuest

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Win32.Stealer.l!c
Elastic	malicious (high confidence)
FireEye	Generic.mg.965e83dcd89fe1e4
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Malware:Win32/km_24aa160.None
Cyren	W32/Trojan.CPMB-0363
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
Sophos	Mal/Generic-S
McAfee-GW-Edition	BehavesLike.Win32.AdwareFileTour.hc
Webroot	W32.Malware.Gen
Kingsoft	Win32.Heur.KVMH008.a.(kcloud)
Microsoft	Exploit:Win32/ShellCode!ml
Cynet	Malicious (score: 100)
Acronis	suspicious
McAfee	RDN/Generic.grp
VBA32	BScope.Trojan.Packed
Rising	Malware.Heuristic!ET#94% (RDMK:cmRtazodymXtQ/UHkNtE2LyZfjZO)
SentinelOne	Static AI - Malicious PE
Fortinet	PossibleThreat.PALLAS.H
BitDefenderTheta	Gen:NN.ZexaF.34160.KqZ@amBWVUoi
AVG	FileRepMalware
Cybereason	malicious.dc73b1
Avast	FileRepMalware
MaxSecure	Trojan.Malware.300983.susgen

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	51.255.48.204:80
dead_host	192.168.56.101:49164

7390_1642600879_2389.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All