Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 28, 2023, 5:07 p.m.	April 28, 2023, 5:09 p.m.

Size	3.0MB
Type	MS-DOS executable, MZ for MS-DOS
MD5	`4b32941cd92e048e6a2d16c6069edf62`
SHA256	`a1dc10eaa3d8eb09dfcb58123a48484639301d86165a8e3c76747cc04a2bf67d`
CRC32	`29FD6B19`
ssdeep	`98304:6fFbrdnYUGkQqOSlBk1G4QBeKW0wnpTX5OIX:6fFbhBMqOxFgW3nRr`
Yara	UPX_Zero - UPX packed file MPRESS_Zero - MPRESS packed file IsPE32 - (no description) PE_Header_Zero - PE File Signature

vpn.exe "C:\Users\test22\AppData\Local\Temp\vpn.exe"
2552
- cmd.exe cmd.exe /c "wmic csproduct get uuid"
  2676
  - WMIC.exe wmic csproduct get uuid
    2744
- WMIC.exe wmic os get Caption
  2852
- cmd.exe cmd /C "wmic path win32_VideoController get name"
  2948
  - WMIC.exe wmic path win32_VideoController get name
    3012
- cmd.exe cmd /C "wmic cpu get name"
  1120
  - WMIC.exe wmic cpu get name
    800
- cmd.exe cmd "/c " systeminfo
  152
  - systeminfo.exe systeminfo
    2212
- powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Roaming\Microsoft\Windows\Cookies\" \"C:\Users\test22\AppData\Local\Temp\XVlBzgbaiC\""
  2608
- powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies\" \"C:\Users\test22\AppData\Local\Temp\MRAjWwhTHc\""
  2796
- powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\tcuAxhxKQFDaFpL\""
  2912
- powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\History\" \"C:\Users\test22\AppData\Local\Temp\SjFbcXoEFf\""
  1152
- powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\RsWxPLDnJObCsNV\""
  1400
- powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data\" \"C:\Users\test22\AppData\Local\Temp\lgTeMaPEZQ\""
  2328
- powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\leQYhYzRyWJjPjz\""
  1560
- powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data\" \"C:\Users\test22\AppData\Local\Temp\pfRFEgmota\""
  2848
- powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\FetHsbZRjxAwnwe\""
  2924
- powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\krBEmfdzdc\""
  2856
- powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\EkXBAkjQZLCtTMt\""
  1264
- powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Microsoft\Windows\History\" \"C:\Users\test22\AppData\Local\Temp\TCoaNatyyi\""
  300

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
94.142.138.215	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (50 out of 93 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (16 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 28, 2023, 5:07 p.m.			0	0
IsDebuggerPresent April 28, 2023, 5:07 p.m.			0	0
IsDebuggerPresent April 28, 2023, 5:07 p.m.			0	0
IsDebuggerPresent April 28, 2023, 5:07 p.m.			0	0
IsDebuggerPresent April 28, 2023, 5:07 p.m.			0	0
IsDebuggerPresent April 28, 2023, 5:07 p.m.			0	0
IsDebuggerPresent April 28, 2023, 5:07 p.m.			0	0
IsDebuggerPresent April 28, 2023, 5:07 p.m.			0	0
IsDebuggerPresent April 28, 2023, 5:07 p.m.			0	0
IsDebuggerPresent April 28, 2023, 5:07 p.m.			0	0
IsDebuggerPresent April 28, 2023, 5:07 p.m.			0	0
IsDebuggerPresent April 28, 2023, 5:07 p.m.			0	0
IsDebuggerPresent April 28, 2023, 5:07 p.m.			0	0
IsDebuggerPresent April 28, 2023, 5:07 p.m.			0	0
IsDebuggerPresent April 28, 2023, 5:07 p.m.			0	0
IsDebuggerPresent April 28, 2023, 5:07 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 504 events)

Time & API	Arguments	Status	Return
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00509988 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a1c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a1c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a1c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005097c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005097c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005097c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a1c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a1c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a1c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a1c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a1c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a1c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a1c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a1c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a1c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a1c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050a448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00263d18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002645d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002645d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002645d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00263d58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00263d58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00263d58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00263d58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 28, 2023, 5:07 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.MPRESS1
section	.MPRESS2

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AFX_DIALOG_LAYOUT

One or more processes crashed (11 events)

Time & API	Arguments	Status
__exception__ April 28, 2023, 5:07 p.m.	stacktrace: vpn+0x5b7249 @ 0x677249 vpn+0x597a3a @ 0x657a3a exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 12254820 registers.edi: 4349952 registers.eax: 12254820 registers.ebp: 12254900 registers.edx: 2130566132 registers.ebx: 1971716070 registers.esi: 1995994155 registers.ecx: 2063728640	1
__exception__ April 28, 2023, 5:07 p.m.	stacktrace: exception.instruction_r: ed e9 70 dd 01 00 c3 e9 47 5a f9 ff e9 10 6c e0 exception.symbol: vpn+0x5cb0e7 exception.instruction: in eax, dx exception.module: vpn.exe exception.exception_code: 0xc0000096 exception.offset: 6074599 exception.address: 0x68b0e7 registers.esp: 12254940 registers.edi: 16854413 registers.eax: 1750617430 registers.ebp: 4349952 registers.edx: 2130532438 registers.ebx: 0 registers.esi: 13 registers.ecx: 20	1
__exception__ April 28, 2023, 5:07 p.m.	stacktrace: exception.instruction_r: ed e9 80 fd fe ff bf 07 fe ff 29 00 f0 6c 96 e9 exception.symbol: vpn+0x5d3491 exception.instruction: in eax, dx exception.module: vpn.exe exception.exception_code: 0xc0000096 exception.offset: 6108305 exception.address: 0x693491 registers.esp: 12254940 registers.edi: 16854413 registers.eax: 1447909480 registers.ebp: 4349952 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1
__exception__ April 28, 2023, 5:07 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 39120544 registers.edi: 3736356 registers.eax: 39120544 registers.ebp: 39120624 registers.edx: 53 registers.ebx: 39120908 registers.esi: 2147746133 registers.ecx: 3498224	1
__exception__ April 28, 2023, 5:07 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x761ac048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76178926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x7617d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x761ac44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x7617d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x7617d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x7617d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x7617991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76178d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x73536f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x73536e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x735327a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x73532652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x7353253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x73532411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x735325ab wmic+0x39c80 @ 0x219c80 wmic+0x3b06a @ 0x21b06a wmic+0x3b1f8 @ 0x21b1f8 wmic+0x36fcd @ 0x216fcd wmic+0x3d6e9 @ 0x21d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1435840 registers.edi: 1953561104 registers.eax: 1435840 registers.ebp: 1435920 registers.edx: 1 registers.ebx: 3467812 registers.esi: 2147746133 registers.ecx: 1607433805	1
__exception__ April 28, 2023, 5:07 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 41414744 registers.edi: 5694020 registers.eax: 41414744 registers.ebp: 41414824 registers.edx: 53 registers.ebx: 41415108 registers.esi: 2147746133 registers.ecx: 5464144	1
__exception__ April 28, 2023, 5:07 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x761ac048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76178926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x7617d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x761ac44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x7617d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x7617d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x7617d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x7617991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76178d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x73396f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x73396e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x733927a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x73392652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x7339253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x73392411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x733925ab wmic+0x39c80 @ 0xc59c80 wmic+0x3b06a @ 0xc5b06a wmic+0x3b1f8 @ 0xc5b1f8 wmic+0x36fcd @ 0xc56fcd wmic+0x3d6e9 @ 0xc5d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 2287736 registers.edi: 1953561104 registers.eax: 2287736 registers.ebp: 2287816 registers.edx: 1 registers.ebx: 5433892 registers.esi: 2147746133 registers.ecx: 1606586014	1
__exception__ April 28, 2023, 5:07 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 43315700 registers.edi: 4978804 registers.eax: 43315700 registers.ebp: 43315780 registers.edx: 53 registers.ebx: 43316064 registers.esi: 2147746133 registers.ecx: 4743552	1
__exception__ April 28, 2023, 5:07 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x761ac048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76178926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x7617d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x761ac44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x7617d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x7617d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x7617d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x7617991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76178d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x732d6f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x732d6e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x732d27a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x732d2652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x732d253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x732d2411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x732d25ab wmic+0x39c80 @ 0xc9c80 wmic+0x3b06a @ 0xcb06a wmic+0x3b1f8 @ 0xcb1f8 wmic+0x36fcd @ 0xc6fcd wmic+0x3d6e9 @ 0xcd6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1828768 registers.edi: 1953561104 registers.eax: 1828768 registers.ebp: 1828848 registers.edx: 1 registers.ebx: 4713196 registers.esi: 2147746133 registers.ecx: 1610019267	1
__exception__ April 28, 2023, 5:07 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 48099304 registers.edi: 6875260 registers.eax: 48099304 registers.ebp: 48099384 registers.edx: 6587156 registers.ebx: 48099668 registers.esi: 2147746133 registers.ecx: 6644000	1
__exception__ April 28, 2023, 5:07 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x761ac048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76178926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x7617d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x761ac44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x7617d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x7617d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x7617d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x7617991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76178d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x732d6f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x732d6e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x732d27a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x732d2652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x732d253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x732d2411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x732d25ab wmic+0x39c80 @ 0xb59c80 wmic+0x3b06a @ 0xb5b06a wmic+0x3b1f8 @ 0xb5b1f8 wmic+0x36fcd @ 0xb56fcd wmic+0x3d6e9 @ 0xb5d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 2549776 registers.edi: 1953561104 registers.eax: 2549776 registers.ebp: 2549856 registers.edx: 1 registers.ebx: 6613676 registers.esi: 2147746133 registers.ecx: 1609244494	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1571 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1662976 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1200128 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00257000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 294912 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0037c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 73728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00406000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00407000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 73728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00408000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0037c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0037c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1662976 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1200128 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00257000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 487424 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0037c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0037c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0037c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bb1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a10000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72711000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72712000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02622000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02633000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02634000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02635000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02636000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02653000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02654000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02655000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02656000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:07 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02657000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (50 out of 1710 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\UrlSoceng.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\pt_PT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nl\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\is
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\a4b90990b418581487bb13a2cc67700a3c359804f91bdfb8e377cd0ec80ddc10.sth
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\is\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\iw
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\it
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\de
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\id
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\mr\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_close.png
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\tr\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\id\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\fr
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\fr\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\fil\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\c652a0ec48ceb3fcab170992c43a87413309e80065a26252401ba3362a17c565.sth
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\ru
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fi\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\0.57.44.2492\_platform_specific\x86_64\pnacl_public_pnacl_json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\ro
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.ldb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_TW
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\ms
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\es_419\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\ko
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\kn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\km
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\el\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\ja
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\ar
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\ka
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\tr\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\no
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\it\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\ro\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\ca
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\tr\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\cs

Foreign language identified in PE resource (50 out of 75 events)

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00814f64

size

0x00000002

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00816a7c

size

0x00000134

name

RT_BITMAP

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0081c9d0

size

0x00000144

name

RT_BITMAP

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0081c9d0

size

0x00000144

name

RT_BITMAP

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0081c9d0

size

0x00000144

name

RT_BITMAP

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0081c9d0

size

0x00000144

name

RT_BITMAP

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0081c9d0

size

0x00000144

name

RT_MENU

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0081cb14

size

0x00000042

name

RT_DIALOG

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0081d0e8

size

0x00000034

name

RT_DIALOG

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0081d0e8

size

0x00000034

name

RT_DIALOG

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0081d0e8

size

0x00000034

name

RT_DIALOG

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0081d0e8

size

0x00000034

name

RT_DIALOG

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0081d0e8

size

0x00000034

name

RT_DIALOG

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0081d0e8

size

0x00000034

name

RT_STRING

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0081e048

size

0x00000294

name

RT_STRING

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0081e048

size

0x00000294

name

RT_STRING

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0081e048

size

0x00000294

name

RT_STRING

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0081e048

size

0x00000294

name

RT_STRING

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0081e048

size

0x00000294

name

RT_STRING

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0081e048

size

0x00000294

name

RT_STRING

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0081e048

size

0x00000294

name

RT_STRING

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0081e048

size

0x00000294

name

RT_STRING

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0081e048

size

0x00000294

name

RT_STRING

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0081e048

size

0x00000294

name

RT_STRING

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0081e048

size

0x00000294

Creates a shortcut to an executable file (50 out of 54 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\open1.png.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\agent.pyw.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\office_2007.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\open.PNG.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\SendTo\EditPlus.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\테스트.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\computer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.py.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox Guest Additions\Website.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\sn.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\util.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Settings.ini.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agent.pyw - 바로 가기.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\한글2010(정품).lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Ease of Access.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Private Character Editor.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Office.2010.Toolkit.and.EZ-Activator.v2.1.5.Final.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\agent.py.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\readme.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\시리얼넘버.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\age.pyw.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.pyw.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Python27.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\한글2010(정품) (2).lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\시작프로그램.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Magnify.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\다운로드.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\1234.zip.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\exit.png.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Run.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Chrome.lnk

Creates a suspicious process (19 events)

cmdline	cmd.exe /c "wmic csproduct get uuid"
cmdline	cmd /C "wmic cpu get name"
cmdline	powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\FetHsbZRjxAwnwe\""
cmdline	powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data\" \"C:\Users\test22\AppData\Local\Temp\lgTeMaPEZQ\""
cmdline	powershell "" "copy \"C:\Users\test22\AppData\Roaming\Microsoft\Windows\Cookies\" \"C:\Users\test22\AppData\Local\Temp\XVlBzgbaiC\""
cmdline	powershell "" "copy \"C:\Users\test22\AppData\Local\Microsoft\Windows\History\" \"C:\Users\test22\AppData\Local\Temp\TCoaNatyyi\""
cmdline	powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\History\" \"C:\Users\test22\AppData\Local\Temp\SjFbcXoEFf\""
cmdline	powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\RsWxPLDnJObCsNV\""
cmdline	wmic os get Caption
cmdline	powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data\" \"C:\Users\test22\AppData\Local\Temp\pfRFEgmota\""
cmdline	powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\tcuAxhxKQFDaFpL\""
cmdline	wmic csproduct get uuid
cmdline	wmic path win32_VideoController get name
cmdline	powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies\" \"C:\Users\test22\AppData\Local\Temp\MRAjWwhTHc\""
cmdline	cmd /C "wmic path win32_VideoController get name"
cmdline	powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\krBEmfdzdc\""
cmdline	powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\leQYhYzRyWJjPjz\""
cmdline	wmic cpu get name
cmdline	powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\EkXBAkjQZLCtTMt\""

Executes one or more WMI queries (4 events)

wmi	SELECT UUID FROM Win32_ComputerSystemProduct
wmi	SELECT Name FROM win32_VideoController
wmi	SELECT Caption FROM Win32_OperatingSystem
wmi	SELECT Name FROM WIN32_PROCESSOR

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00302a00', u'virtual_address': u'0x00001000', u'entropy': 7.999944478445648, u'name': u'.MPRESS1', u'virtual_size': u'0x0081e000'}

entropy

7.99994447845

description

A section with a high entropy has been found

entropy

0.99725008088

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (12 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW April 28, 2023, 5:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 28, 2023, 5:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 28, 2023, 5:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 28, 2023, 5:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 28, 2023, 5:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 28, 2023, 5:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 28, 2023, 5:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 28, 2023, 5:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 28, 2023, 5:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 28, 2023, 5:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 28, 2023, 5:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 28, 2023, 5:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Expresses interest in specific running processes (1 event)

process

system

Uses Windows utilities for basic Windows functionality (9 events)

cmdline	cmd.exe /c "wmic csproduct get uuid"
cmdline	cmd /C "wmic cpu get name"
cmdline	cmd "/c " systeminfo
cmdline	wmic os get Caption
cmdline	systeminfo
cmdline	wmic csproduct get uuid
cmdline	wmic path win32_VideoController get name
cmdline	cmd /C "wmic path win32_VideoController get name"
cmdline	wmic cpu get name

Executes one or more WMI queries which can be used to identify virtual machines (2 events)

wmi	SELECT Name FROM WIN32_PROCESSOR
wmi	SELECT UUID FROM Win32_ComputerSystemProduct

Communicates with host for which no DNS query was performed (1 event)

host

94.142.138.215

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Checks for the presence of known windows from debuggers and forensic tools (12 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA April 28, 2023, 5:07 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 28, 2023, 5:07 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 28, 2023, 5:07 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA April 28, 2023, 5:07 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 28, 2023, 5:07 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 28, 2023, 5:07 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 28, 2023, 5:07 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 28, 2023, 5:07 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 28, 2023, 5:07 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA April 28, 2023, 5:07 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA April 28, 2023, 5:07 p.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA April 28, 2023, 5:07 p.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

A potential heapspray has been detected. 111 megabytes was sprayed onto the heap of the powershell.exe process (1 event)

count

1779

name

heapspray

process

powershell.exe

total_mb

111

length

65536

protection

PAGE_READWRITE

Appends a known multi-family ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\parent.lock

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Collects information on the system (ipconfig, netstat, systeminfo) (1 event)

cmdline

cmd "/c " systeminfo

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation April 28, 2023, 5:07 p.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 28, 2023, 5:07 p.m.	stacktrace: exception.instruction_r: ed e9 80 fd fe ff bf 07 fe ff 29 00 f0 6c 96 e9 exception.symbol: vpn+0x5d3491 exception.instruction: in eax, dx exception.module: vpn.exe exception.exception_code: 0xc0000096 exception.offset: 6108305 exception.address: 0x693491 registers.esp: 12254940 registers.edi: 16854413 registers.eax: 1447909480 registers.ebp: 4349952 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1	0	0

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress April 28, 2023, 5:07 p.m.	ordinal: 0 function_address: 0x00bafda5 function_name: wine_get_version module: ntdll module_address: 0x76f10000		3221225785	0

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Lionic	Trojan.Win32.Generic.4!c
tehtris	Generic.Malware
MicroWorld-eScan	Trojan.GenericKD.66661667
FireEye	Generic.mg.4b32941cd92e048e
McAfee	Artemis!4B32941CD92E
Cylance	unsafe
Sangfor	Infostealer.Win32.Coins.Vmii
K7AntiVirus	Trojan ( 00593ee01 )
Alibaba	TrojanPSW:Win32/Coins.6cac7513
K7GW	Trojan ( 00593ee01 )
CrowdStrike	win/malicious_confidence_60% (W)
Cyren	W32/ABRisk.RUMD-4075
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win32/Packed.Themida.IDS
Cynet	Malicious (score: 99)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan-PSW.Win32.Coins.afke
BitDefender	Trojan.GenericKD.66661667
Avast	Win32:Evo-gen [Trj]
Rising	Stealer.Coins!8.133E9 (CLOUD)
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/PSW.Coins.zbqnj
VIPRE	Trojan.GenericKD.66661667
TrendMicro	TrojanSpy.Win32.AURORASTEALER.YXDDZZ
McAfee-GW-Edition	Artemis!Trojan
Trapmine	malicious.high.ml.score
Emsisoft	Trojan.GenericKD.66661667 (B)
Avira	TR/PSW.Coins.zbqnj
Antiy-AVL	Trojan[Packed]/Win32.Themida
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Gridinsoft	Malware.Win32.Aurora.bot
Arcabit	Trojan.Generic.D3F92D23
ZoneAlarm	Trojan-PSW.Win32.Coins.afke
GData	Trojan.GenericKD.66661667
Google	Detected
BitDefenderTheta	Gen:NN.ZexaF.36164.cpwaauQAXYgO
ALYac	Trojan.GenericKD.66661667
MAX	malware (ai score=83)
Malwarebytes	Trojan.Packed.MPRESS
Panda	Trj/Chgt.AD
Zoner	Trojan.Win32.133812
TrendMicro-HouseCall	TrojanSpy.Win32.AURORASTEALER.YXDDZZ
Tencent	Win32.Trojan-QQPass.QQRob.Dflw
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/PossibleThreat
AVG	Win32:Evo-gen [Trj]
DeepInstinct	MALICIOUS

vpn.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All