Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 19, 2023, 5:57 p.m.	May 19, 2023, 6:04 p.m.

Size	1.1MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`55e23e1fe5c4051b85cc6aa7c1399ac8`
SHA256	`cbf7a8e7775c9f7341819ffc7d2a2c2519bd87cd1884a527b249a60995f1fb5b`
CRC32	`231C0A1D`
ssdeep	`24576:5mJZW2wSdIHuiCyhuGaD0y13DrmmfVpd+c2ZAa7ZRaH1F+g4:5mJZW2FIOiCIuGaD0yh/zvd+c2ZAafa7`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE64 - (no description) PE_Header_Zero - PE File Signature

compan.exe "C:\Users\test22\AppData\Local\Temp\compan.exe"
2040
- 1507039610.exe C:\Users\test22\AppData\Local\Temp\1507039610.exe
  2164
- 1177007440.exe C:\Users\test22\AppData\Local\Temp\1177007440.exe
  2888
- 990060708.exe C:\Users\test22\AppData\Local\Temp\990060708.exe
  2976
- 1177007440.exe C:\Users\test22\AppData\Local\Temp\1177007440.exe
  1836
- 990060708.exe C:\Users\test22\AppData\Local\Temp\990060708.exe
  2480
- sawalow.exe C:\Users\test22\AppData\Local\Temp\sawalow.exe
  2168
  - AUhCSHCCSCABSAcFaSBcESHbKBEEKUSKaaUCHCbsAhBhCFFFBAsHAUE.exe "C:\Users\test22\AppData\Roaming\AUhCSHCCSCABSAcFaSBcESHbKBEEKUSKaaUCHCbsAhBhCFFFBAsHAUE.exe"
    2780
    - powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2276
    - powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming'
      1340
    - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\tmpC65.tmp.bat""
      2908
      - timeout.exe timeout 3
        748
      - QRBIZUJ.exe "C:\ProgramData\AdobeVegas\QRBIZUJ.exe"
        3052
- cmd.exe "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\test22\AppData\Local\Temp\compan.exe & exit
  2992
  - PING.EXE ping 0
    880

Name	Response	Post-Analysis Lookup
iplogger.com	A 148.251.234.93	148.251.234.93
operalan.info	A 193.42.110.84	193.42.110.84
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	104.26.12.31
ilonamaska.info	A 193.42.108.63	193.42.108.63

IP Address	Status	Action
104.26.12.31	Active	Moloch
148.251.234.93	Active	Moloch
164.124.101.2	Active	Moloch
193.42.108.63	Active	Moloch
193.42.110.84	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49162 -> 193.42.108.63:80	2030880	ET USER_AGENTS Suspicious User-Agent (Installed OK)	Potentially Bad Traffic
TCP 192.168.56.103:49162 -> 193.42.108.63:80	2030880	ET USER_AGENTS Suspicious User-Agent (Installed OK)	Potentially Bad Traffic
TCP 193.42.108.63:80 -> 192.168.56.103:49162	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.42.108.63:80 -> 192.168.56.103:49162	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.103:49167 -> 104.26.12.31:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 104.26.12.31:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 193.42.108.63:80 -> 192.168.56.103:49168	2014819	ET INFO Packed Executable Download	Misc activity
TCP 193.42.108.63:80 -> 192.168.56.103:49168	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.42.108.63:80 -> 192.168.56.103:49168	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.103:49174 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49177 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49175	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 193.42.108.63:80 -> 192.168.56.103:49168	2014819	ET INFO Packed Executable Download	Misc activity
TCP 193.42.108.63:80 -> 192.168.56.103:49168	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 193.42.108.63:80 -> 192.168.56.103:49168	2014819	ET INFO Packed Executable Download	Misc activity
TCP 193.42.108.63:80 -> 192.168.56.103:49168	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.103:49173 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49179	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 193.42.108.63:80	2030880	ET USER_AGENTS Suspicious User-Agent (Installed OK)	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49167 104.26.12.31:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	8b:21:8f:0f:6e:2d:53:34:b7:d3:f5:58:58:99:01:63:93:81:e6:f1
TLSv1 192.168.56.103:49165 104.26.12.31:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	8b:21:8f:0f:6e:2d:53:34:b7:d3:f5:58:58:99:01:63:93:81:e6:f1

Queries for the computername (20 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 19, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 19, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 19, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 19, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 19, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 19, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 19, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 19, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 19, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 19, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 19, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 19, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 19, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 19, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 19, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 19, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 19, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 19, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 19, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 19, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (16 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 19, 2023, 5:50 p.m.			0	0
IsDebuggerPresent May 19, 2023, 5:57 p.m.			0	0
IsDebuggerPresent May 19, 2023, 5:57 p.m.			0	0
IsDebuggerPresent May 19, 2023, 5:57 p.m.			0	0
IsDebuggerPresent May 19, 2023, 5:57 p.m.			0	0
IsDebuggerPresent May 19, 2023, 5:57 p.m.			0	0
IsDebuggerPresent May 19, 2023, 5:57 p.m.			0	0
IsDebuggerPresent May 19, 2023, 5:58 p.m.			0	0
IsDebuggerPresent May 19, 2023, 5:58 p.m.			0	0
IsDebuggerPresent May 19, 2023, 5:58 p.m.			0	0
IsDebuggerPresent May 19, 2023, 5:58 p.m.			0	0
IsDebuggerPresent May 19, 2023, 5:58 p.m.			0	0
IsDebuggerPresent May 19, 2023, 5:59 p.m.			0	0
IsDebuggerPresent May 19, 2023, 5:59 p.m.			0	0
IsDebuggerPresent May 19, 2023, 5:59 p.m.			0	0
IsDebuggerPresent May 19, 2023, 5:59 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 19, 2023, 5:59 p.m.	buffer: The batch file cannot be found. console_handle: 0x000000000000000b	1	1	0

Uses Windows APIs to generate a cryptographic key (50 out of 60 events)

Time & API	Arguments	Status	Return
CryptExportKey May 19, 2023, 5:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb2e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0a2a1b20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0a2a1c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0a2a1c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0a2a1c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0a2a1c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0a2a1c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0a2a1d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0a2a1d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0a2a1ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000001dd460 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b21f440 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b21f440 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b21f440 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b21f590 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b21f590 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b21f4b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b21f4b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b21f4b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b21f4b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b21f9f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b21f9f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b21f9f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000001c6730 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000001c6730 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000001c6730 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000001c68f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000001c68f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000001c68f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000001c68f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000001c68f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000001c68f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000001c68f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000001c68f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000034da00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b55e470 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b55e470 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b55e470 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b55e5c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b55e5c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b55e4e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b55e4e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b55e4e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b55e4e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b55ea20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b55ea20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b55ea20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 19, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000323990 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 19, 2023, 5:57 p.m.		1	1	0

One or more processes crashed (50 out of 126 events)

Time & API	Arguments	Status
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: 1507039610+0x2d20b9 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2957497 exception.address: 0x11b20b9 registers.esp: 3407280 registers.edi: 0 registers.eax: 1 registers.ebp: 3407296 registers.edx: 20332544 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: 66 81 38 4d 5a 75 0e 0f b7 50 3c 01 c2 81 3a 50 exception.symbol: 1507039610+0x299a6 exception.instruction: cmp word ptr [eax], 0x5a4d exception.module: 1507039610.exe exception.exception_code: 0xc0000005 exception.offset: 170406 exception.address: 0xf099a6 registers.esp: 3407240 registers.edi: 0 registers.eax: 15601664 registers.ebp: 3891298324 registers.edx: 163840 registers.ebx: 0 registers.esi: 0 registers.ecx: 163840	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 55 e9 52 01 00 00 2d 00 e0 3d 73 8b 1c 24 e9 exception.symbol: 1507039610+0x2a44a exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 173130 exception.address: 0xf0a44a registers.esp: 3407248 registers.edi: 0 registers.eax: 26275 registers.ebp: 3891298324 registers.edx: 15597568 registers.ebx: 48727 registers.esi: 235753 registers.ecx: 15772286	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 57 81 ec 04 00 00 00 54 8f 04 24 81 04 24 04 exception.symbol: 1507039610+0x2b112 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 176402 exception.address: 0xf0b112 registers.esp: 3407248 registers.edi: 0 registers.eax: 15799059 registers.ebp: 3891298324 registers.edx: 775001964 registers.ebx: 1980856900 registers.esi: 235753 registers.ecx: 15772286	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 52 c7 04 24 a2 50 exception.symbol: 1507039610+0x2b812 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 178194 exception.address: 0xf0b812 registers.esp: 3407248 registers.edi: 0 registers.eax: 15776391 registers.ebp: 3891298324 registers.edx: 775001964 registers.ebx: 1980856900 registers.esi: 1259 registers.ecx: 0	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 53 89 04 24 56 be 4e 7e fb 7a 81 ee 5a 3b de exception.symbol: 1507039610+0x1a5987 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 1726855 exception.address: 0x1085987 registers.esp: 3407248 registers.edi: 15808870 registers.eax: 30983 registers.ebp: 3891298324 registers.edx: 106496 registers.ebx: 4294939472 registers.esi: 604801365 registers.ecx: 17352794	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 c7 04 24 28 f6 83 exception.symbol: 1507039610+0x1abc1d exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 1752093 exception.address: 0x108bc1d registers.esp: 3407244 registers.edi: 0 registers.eax: 17348149 registers.ebp: 3891298324 registers.edx: 3539316 registers.ebx: 17343717 registers.esi: 186775669 registers.ecx: 0	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb e9 34 01 00 00 81 f1 bf 6b 1d 19 50 89 2c 24 exception.symbol: 1507039610+0x1ab80c exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 1751052 exception.address: 0x108b80c registers.esp: 3407248 registers.edi: 4294941980 registers.eax: 17375740 registers.ebp: 3891298324 registers.edx: 3539316 registers.ebx: 17343717 registers.esi: 1259 registers.ecx: 0	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 51 54 59 e9 f0 00 00 00 83 ec 04 89 34 24 89 exception.symbol: 1507039610+0x1ae6b2 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 1762994 exception.address: 0x108e6b2 registers.esp: 3407248 registers.edi: 17361447 registers.eax: 134889 registers.ebp: 3891298324 registers.edx: 3539316 registers.ebx: 808259705 registers.esi: 0 registers.ecx: 808259705	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 ba 0d 00 00 c7 04 24 exception.symbol: 1507039610+0x1b4fe7 exception.instruction: in eax, dx exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 1789927 exception.address: 0x1094fe7 registers.esp: 3407240 registers.edi: 3550777 registers.eax: 1447909480 registers.ebp: 3891298324 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 17382884 registers.ecx: 20	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: 1507039610+0x1b44a5 exception.address: 0x10944a5 exception.module: 1507039610.exe exception.exception_code: 0xc000001d exception.offset: 1787045 registers.esp: 3407240 registers.edi: 3550777 registers.eax: 1 registers.ebp: 3891298324 registers.edx: 22104 registers.ebx: 0 registers.esi: 17382884 registers.ecx: 20	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 a7 2b 00 19 01 exception.symbol: 1507039610+0x1b8822 exception.instruction: in eax, dx exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 1804322 exception.address: 0x1098822 registers.esp: 3407240 registers.edi: 3550777 registers.eax: 1447909480 registers.ebp: 3891298324 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 17382884 registers.ecx: 10	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 51 e9 01 01 00 00 51 b9 15 a9 fe 5b 81 c1 67 exception.symbol: 1507039610+0x1bcf25 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 1822501 exception.address: 0x109cf25 registers.esp: 3407248 registers.edi: 3550777 registers.eax: 1375758944 registers.ebp: 3891298324 registers.edx: 0 registers.ebx: 60119437 registers.esi: 17421115 registers.ecx: 1078263808	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 56 e8 03 00 00 00 20 5e c3 5e exception.symbol: 1507039610+0x1bd538 exception.instruction: int 1 exception.module: 1507039610.exe exception.exception_code: 0xc0000005 exception.offset: 1824056 exception.address: 0x109d538 registers.esp: 3407208 registers.edi: 0 registers.eax: 3407208 registers.ebp: 3891298324 registers.edx: 2858221611 registers.ebx: 17421987 registers.esi: 1106597643 registers.ecx: 505643315	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 51 b9 d6 1b c7 7c 50 68 60 00 7f 26 e9 ef f9 exception.symbol: 1507039610+0x1c4e9f exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 1855135 exception.address: 0x10a4e9f registers.esp: 3407244 registers.edi: 3550777 registers.eax: 28890 registers.ebp: 3891298324 registers.edx: 654654 registers.ebx: 1982511643 registers.esi: 17450151 registers.ecx: 17441274	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 53 50 c7 04 24 80 4c 65 7d f7 14 24 81 34 24 exception.symbol: 1507039610+0x1c44dd exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 1852637 exception.address: 0x10a44dd registers.esp: 3407248 registers.edi: 3550777 registers.eax: 28890 registers.ebp: 3891298324 registers.edx: 654654 registers.ebx: 1982511643 registers.esi: 17479041 registers.ecx: 17441274	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 55 e9 0d fd ff ff 8b 2c 24 83 c4 04 89 2a e9 exception.symbol: 1507039610+0x1c4e87 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 1855111 exception.address: 0x10a4e87 registers.esp: 3407248 registers.edi: 3550777 registers.eax: 28890 registers.ebp: 3891298324 registers.edx: 0 registers.ebx: 1982511643 registers.esi: 17453245 registers.ecx: 2179434839	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 55 54 e9 74 fa ff ff 68 f5 3e dc 03 89 14 24 exception.symbol: 1507039610+0x1ce5f2 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 1893874 exception.address: 0x10ae5f2 registers.esp: 3407244 registers.edi: 15765498 registers.eax: 17489712 registers.ebp: 3891298324 registers.edx: 6 registers.ebx: 60119656 registers.esi: 1971262480 registers.ecx: 6	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb ba cc 0a 64 1b e9 cb f9 ff ff 5c 93 53 bb ff exception.symbol: 1507039610+0x1ce9ed exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 1894893 exception.address: 0x10ae9ed registers.esp: 3407248 registers.edi: 15765498 registers.eax: 17492543 registers.ebp: 3891298324 registers.edx: 6 registers.ebx: 0 registers.esi: 1179202795 registers.ecx: 6	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 57 50 b8 5f 64 be 43 53 e9 a0 01 00 00 52 89 exception.symbol: 1507039610+0x1d34d4 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 1914068 exception.address: 0x10b34d4 registers.esp: 3407236 registers.edi: 15765498 registers.eax: 32480 registers.ebp: 3891298324 registers.edx: 2109079749 registers.ebx: 17509531 registers.esi: 1179202795 registers.ecx: 1788480250	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 0c 24 e9 63 00 00 00 83 c4 04 e9 exception.symbol: 1507039610+0x1d32be exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 1913534 exception.address: 0x10b32be registers.esp: 3407240 registers.edi: 0 registers.eax: 32480 registers.ebp: 3891298324 registers.edx: 59730 registers.ebx: 17512331 registers.esi: 1179202795 registers.ecx: 1788480250	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 29 f6 ff 34 06 ff 34 24 ff 34 24 8b 3c 24 57 exception.symbol: 1507039610+0x1d3e82 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 1916546 exception.address: 0x10b3e82 registers.esp: 3407240 registers.edi: 0 registers.eax: 17542943 registers.ebp: 3891298324 registers.edx: 1027197264 registers.ebx: 17512331 registers.esi: 1179202795 registers.ecx: 315860338	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 50 83 ec 04 89 1c 24 e9 de fa ff ff 81 eb 00 exception.symbol: 1507039610+0x1d40ba exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 1917114 exception.address: 0x10b40ba registers.esp: 3407240 registers.edi: 5695827 registers.eax: 17542943 registers.ebp: 3891298324 registers.edx: 1027197264 registers.ebx: 17512331 registers.esi: 4294940064 registers.ecx: 315860338	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 81 eb f6 e8 f3 37 52 ba 8c 50 0f 17 92 48 92 exception.symbol: 1507039610+0x1f4454 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2049108 exception.address: 0x10d4454 registers.esp: 3407204 registers.edi: 17640518 registers.eax: 30150 registers.ebp: 3891298324 registers.edx: 2130566132 registers.ebx: 17644348 registers.esi: 17640545 registers.ecx: 1078263808	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 57 89 e7 81 c7 04 00 00 00 83 ef 04 87 3c 24 exception.symbol: 1507039610+0x1f3e25 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2047525 exception.address: 0x10d3e25 registers.esp: 3407208 registers.edi: 17640518 registers.eax: 30150 registers.ebp: 3891298324 registers.edx: 2130566132 registers.ebx: 17674498 registers.esi: 17640545 registers.ecx: 1078263808	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 56 57 68 31 48 7f 73 5f 81 f7 17 b8 a0 4a 89 exception.symbol: 1507039610+0x1f4025 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2048037 exception.address: 0x10d4025 registers.esp: 3407208 registers.edi: 17640518 registers.eax: 1392536160 registers.ebp: 3891298324 registers.edx: 2130566132 registers.ebx: 17647914 registers.esi: 0 registers.ecx: 1078263808	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb e9 0d 00 00 00 f7 df 81 c7 d4 7f 9b a4 e9 d1 exception.symbol: 1507039610+0x1f5ccd exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2055373 exception.address: 0x10d5ccd registers.esp: 3407204 registers.edi: 17650191 registers.eax: 31733 registers.ebp: 3891298324 registers.edx: 1971434167 registers.ebx: 17629745 registers.esi: 17650686 registers.ecx: 0	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 0c 24 c7 04 24 71 7e ea exception.symbol: 1507039610+0x1f5b87 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2055047 exception.address: 0x10d5b87 registers.esp: 3407208 registers.edi: 17650191 registers.eax: 31733 registers.ebp: 3891298324 registers.edx: 1971434167 registers.ebx: 627182184 registers.esi: 17682419 registers.ecx: 4294938048	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 6d 04 00 00 01 d3 5a 58 e9 b5 00 exception.symbol: 1507039610+0x1f66cd exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2057933 exception.address: 0x10d66cd registers.esp: 3407208 registers.edi: 17650191 registers.eax: 32636 registers.ebp: 3891298324 registers.edx: 235328256 registers.ebx: 17656684 registers.esi: 322689 registers.ecx: 0	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 68 6a bd 2d 57 89 2c 24 e9 28 fd ff ff 8b 24 exception.symbol: 1507039610+0x1f709a exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2060442 exception.address: 0x10d709a registers.esp: 3407208 registers.edi: 17650191 registers.eax: 31517 registers.ebp: 3891298324 registers.edx: 235328256 registers.ebx: 539642447 registers.esi: 17688583 registers.ecx: 381948013	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 3c 24 bf 84 40 7f 2f c1 exception.symbol: 1507039610+0x1f721a exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2060826 exception.address: 0x10d721a registers.esp: 3407208 registers.edi: 0 registers.eax: 765161 registers.ebp: 3891298324 registers.edx: 235328256 registers.ebx: 539642447 registers.esi: 17659795 registers.ecx: 381948013	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 50 52 ba f1 97 7d 3f 89 d0 ff 34 24 5a 81 c4 exception.symbol: 1507039610+0x1ffcd9 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2096345 exception.address: 0x10dfcd9 registers.esp: 3407208 registers.edi: 17695791 registers.eax: 0 registers.ebp: 3891298324 registers.edx: 3 registers.ebx: 1976696832 registers.esi: 17659795 registers.ecx: 2298801283	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 81 c7 2b 04 fa 3d 52 ba 66 0b ce 7c 56 be 4a exception.symbol: 1507039610+0x208011 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2129937 exception.address: 0x10e8011 registers.esp: 3407204 registers.edi: 17726676 registers.eax: 31381 registers.ebp: 3891298324 registers.edx: 868 registers.ebx: 680 registers.esi: 17678535 registers.ecx: 869	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 68 b3 11 ae 4e 89 2c 24 57 e9 c7 06 00 00 01 exception.symbol: 1507039610+0x207f51 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2129745 exception.address: 0x10e7f51 registers.esp: 3407208 registers.edi: 17730169 registers.eax: 31381 registers.ebp: 3891298324 registers.edx: 0 registers.ebx: 24811 registers.esi: 17678535 registers.ecx: 869	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 52 e9 25 00 00 00 01 c7 81 c7 0d 9e 7b 7b e9 exception.symbol: 1507039610+0x20b6c2 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2143938 exception.address: 0x10eb6c2 registers.esp: 3407204 registers.edi: 17730169 registers.eax: 28493 registers.ebp: 3891298324 registers.edx: 0 registers.ebx: 90855499 registers.esi: 17678535 registers.ecx: 17740277	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb b8 1f 3d 7f 13 e9 89 f7 ff ff 05 5e e0 86 9e exception.symbol: 1507039610+0x20ba8d exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2144909 exception.address: 0x10eba8d registers.esp: 3407208 registers.edi: 4294941228 registers.eax: 28493 registers.ebp: 3891298324 registers.edx: 0 registers.ebx: 604801363 registers.esi: 17678535 registers.ecx: 17768770	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 55 68 b0 63 fe 7f 8b 2c 24 83 c4 04 e9 23 ff exception.symbol: 1507039610+0x20bede exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2146014 exception.address: 0x10ebede registers.esp: 3407204 registers.edi: 4294941228 registers.eax: 31947 registers.ebp: 3891298324 registers.edx: 0 registers.ebx: 17743163 registers.esi: 17678535 registers.ecx: 1866528053	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 68 8a 1c 00 00 ff 34 24 8b 0c 24 e9 9c fe ff exception.symbol: 1507039610+0x20c762 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2148194 exception.address: 0x10ec762 registers.esp: 3407208 registers.edi: 4294941228 registers.eax: 31947 registers.ebp: 3891298324 registers.edx: 0 registers.ebx: 17775110 registers.esi: 17678535 registers.ecx: 1866528053	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb e9 aa 00 00 00 5f 81 44 24 04 12 38 47 6a 01 exception.symbol: 1507039610+0x20be7d exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2145917 exception.address: 0x10ebe7d registers.esp: 3407208 registers.edi: 4294941228 registers.eax: 3946456811 registers.ebp: 3891298324 registers.edx: 0 registers.ebx: 17745886 registers.esi: 17678535 registers.ecx: 0	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 68 ec 56 82 69 89 34 24 e9 10 fd ff ff 81 f6 exception.symbol: 1507039610+0x21c6b1 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2213553 exception.address: 0x10fc6b1 registers.esp: 3407208 registers.edi: 10731500 registers.eax: 26019 registers.ebp: 3891298324 registers.edx: 17538010 registers.ebx: 17793221 registers.esi: 17836239 registers.ecx: 10731500	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 68 85 d8 7c 4d 89 3c 24 51 89 04 24 57 bf 63 exception.symbol: 1507039610+0x21ce8b exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2215563 exception.address: 0x10fce8b registers.esp: 3407208 registers.edi: 10731500 registers.eax: 26019 registers.ebp: 3891298324 registers.edx: 0 registers.ebx: 17793221 registers.esi: 17813563 registers.ecx: 606898513	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb e9 79 02 00 00 c1 e5 04 e9 5e 02 00 00 89 1c exception.symbol: 1507039610+0x229ee6 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2268902 exception.address: 0x1109ee6 registers.esp: 3407208 registers.edi: 4294944208 registers.eax: 25975 registers.ebp: 3891298324 registers.edx: 2130566132 registers.ebx: 17891772 registers.esi: 89674832 registers.ecx: 2148405883	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb e9 d8 01 00 00 81 cd b1 b7 6e 16 f7 dd e9 5e exception.symbol: 1507039610+0x22fff9 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2293753 exception.address: 0x110fff9 registers.esp: 3407208 registers.edi: 17870162 registers.eax: 32362 registers.ebp: 3891298324 registers.edx: 17893613 registers.ebx: 75583571 registers.esi: 89674832 registers.ecx: 0	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 50 89 e0 05 04 00 00 00 2d 04 00 00 00 87 04 exception.symbol: 1507039610+0x239791 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2332561 exception.address: 0x1119791 registers.esp: 3407208 registers.edi: 10731500 registers.eax: 25827 registers.ebp: 3891298324 registers.edx: 17538010 registers.ebx: 17954939 registers.esi: 10731500 registers.ecx: 10731500	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 52 89 2c 24 89 e5 81 c5 04 00 00 00 81 ed 04 exception.symbol: 1507039610+0x239f28 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2334504 exception.address: 0x1119f28 registers.esp: 3407208 registers.edi: 0 registers.eax: 25827 registers.ebp: 3891298324 registers.edx: 17538010 registers.ebx: 17932183 registers.esi: 10731500 registers.ecx: 4131136104	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 51 89 34 24 be 37 fe e7 5d e9 71 fd ff ff c1 exception.symbol: 1507039610+0x23e66f exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2352751 exception.address: 0x111e66f registers.esp: 3407208 registers.edi: 0 registers.eax: 17974713 registers.ebp: 3891298324 registers.edx: 879 registers.ebx: 2959623376 registers.esi: 4042287040 registers.ecx: 880	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb b8 d6 69 3b 10 56 89 14 24 e9 2e 02 00 00 53 exception.symbol: 1507039610+0x23e9a8 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2353576 exception.address: 0x111e9a8 registers.esp: 3407208 registers.edi: 0 registers.eax: 17951789 registers.ebp: 3891298324 registers.edx: 879 registers.ebx: 604292945 registers.esi: 4042287040 registers.ecx: 880	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 57 51 68 9b eb ff 0b 59 89 cf 8b 0c 24 83 c4 exception.symbol: 1507039610+0x24ec6f exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2419823 exception.address: 0x112ec6f registers.esp: 3407208 registers.edi: 10731500 registers.eax: 27844 registers.ebp: 3891298324 registers.edx: 2130566132 registers.ebx: 17953411 registers.esi: 2005598220 registers.ecx: 18043154	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb e9 78 fc ff ff 5d e9 6d 00 00 00 68 61 8d 44 exception.symbol: 1507039610+0x24ed17 exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2419991 exception.address: 0x112ed17 registers.esp: 3407208 registers.edi: 10731500 registers.eax: 27844 registers.ebp: 3891298324 registers.edx: 1448957013 registers.ebx: 0 registers.esi: 2005598220 registers.ecx: 18018438	1
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: fb 57 89 e7 81 c7 04 00 00 00 83 ef 04 e9 44 fc exception.symbol: 1507039610+0x25836a exception.instruction: sti exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 2458474 exception.address: 0x113836a registers.esp: 3407204 registers.edi: 17709959 registers.eax: 18054020 registers.ebp: 3891298324 registers.edx: 395049983 registers.ebx: 133120 registers.esi: 17709958 registers.ecx: 3738837507	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://api.ip.sb/ip

Performs some HTTP requests (11 events)

request	GET http://ilonamaska.info/wp-content/uploads/2021/10
request	GET http://ilonamaska.info/function/v2tmp/useruploadetfilesun.php
request	GET http://ilonamaska.info/books/userpaths/birbik/harrypotter1.txt
request	GET http://ilonamaska.info/app/files/ap/id27315001.php
request	GET http://ilonamaska.info/books/userpaths/birbik/harrypotter111.txt
request	GET http://ilonamaska.info/app/files/ap/id273150012.php
request	GET http://ilonamaska.info/stat_os.php
request	GET http://ilonamaska.info/wp-content/uploads/2022/08
request	GET http://ilonamaska.info/function/v2tmp/path_int.php
request	GET https://api.ip.sb/ip
request	GET https://api.ip.sb/geoip

Allocates read-write-execute memory (usually to unpack itself) (50 out of 2396 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x745d1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75001000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75161000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75401000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75760000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b31000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d22000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x745d1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x745d12d0 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74821000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75001000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75001014 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75091000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75401000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x754017d0 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755f0000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75760000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75760070 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75a60000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b31000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b319a8 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d22000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d2224c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x754b0000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b31000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b31394 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d21000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76b21000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x745d1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x745d1188 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74821000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74821350 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75001000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x750011c8 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75091000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x750910ec process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75161000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x751610e4 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75401000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7540180c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755f0000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755f035c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x754b0000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x754b0270 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b31000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b313a8 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d21000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d2124c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76b21000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2023, 5:57 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76b21198 process_handle: 0xffffffff		3221225477

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Creates executable files on the filesystem (7 events)

file	C:\ProgramData\AdobeVegas\QRBIZUJ.exe
file	C:\Users\test22\AppData\Local\Temp\990060708.exe
file	C:\Users\test22\AppData\Local\Temp\1177007440.exe
file	C:\Users\test22\AppData\Roaming\AUhCSHCCSCABSAcFaSBcESHbKBEEKUSKaaUCHCbsAhBhCFFFBAsHAUE.exe
file	C:\Users\test22\AppData\Local\Temp\1507039610.exe
file	C:\Users\test22\AppData\Local\Temp\tmpC65.tmp.bat
file	C:\Users\test22\AppData\Local\Temp\sawalow.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	C:\Windows\System32\cmd.exe /k ping 0 & del C:\Users\test22\AppData\Local\Temp\compan.exe & exit
cmdline	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
cmdline	"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\test22\AppData\Local\Temp\compan.exe & exit
cmdline	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming'

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\sawalow.exe
file	C:\Users\test22\AppData\Local\Temp\990060708.exe
file	C:\Users\test22\AppData\Local\Temp\1507039610.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW May 19, 2023, 5:51 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /k ping 0 & del C:\Users\test22\AppData\Local\Temp\compan.exe & exit filepath: C:\Windows\System32\cmd.exe	1	1
CreateProcessInternalW May 19, 2023, 5:59 p.m.	thread_identifier: 2280 thread_handle: 0x0000000000000258 process_identifier: 2276 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000254	1	1
CreateProcessInternalW May 19, 2023, 5:59 p.m.	thread_identifier: 1520 thread_handle: 0x0000000000000258 process_identifier: 1340 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000260	1	1
CreateProcessInternalW May 19, 2023, 5:59 p.m.	thread_identifier: 2920 thread_handle: 0x0000000000000274 process_identifier: 2908 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\tmpC65.tmp.bat" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000278	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 19, 2023, 5:57 p.m.	flags: 1158 family: 0	1	0	0

An executable file was downloaded by the process compan.exe (6 events)

Time & API	Arguments	Status	Return
InternetReadFile May 19, 2023, 5:50 p.m.	buffer: MZÿÿ¸@zº´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÐÅà0@H À@ `Hk²@m`Àøa ° @à.rsrcÀJÐ@À.idata `@À *@àbmxuqyze -@àpkzeruzc @H<@à request_handle: 0x0000000000cc000c	1	1
InternetReadFile May 19, 2023, 5:50 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $AN86/Ve/Ve/Ve}Ãe/Ve}Òe)/Ve}Õen/Ve"é-e/Ve/We/Ve}Üe/Ve}Âe/Ve}Çe/VeRich/VePELR<bà ¤NÏ£À@ðRª²§PQ R¼0E@Ü.text¢¤ `.data`ALÀ¨@À.rsrcQÄ@@.reloc¼O RPP@B request_handle: 0x0000000000cc000c	1	1
InternetReadFile May 19, 2023, 5:50 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $AN86/Ve/Ve/Ve}Ãe/Ve}Òe)/Ve}Õen/Ve"é-e/Ve/We/Ve}Üe/Ve}Âe/Ve}Çe/VeRich/VePELR<bà ¤NÏ£À@ðRª²§PQ R¼0E@Ü.text¢¤ `.data`ALÀ¨@À.rsrcQÄ@@.reloc¼O RPP@B request_handle: 0x0000000000cc000c	1	1
InternetReadFile May 19, 2023, 5:51 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $AN86/Ve/Ve/Ve}Ãe/Ve}Òe)/Ve}Õen/Ve"é-e/Ve/We/Ve}Üe/Ve}Âe/Ve}Çe/VeRich/VePELR<bà ¤NÏ£À@ðRª²§PQ R¼0E@Ü.text¢¤ `.data`ALÀ¨@À.rsrcQÄ@@.reloc¼O RPP@B request_handle: 0x0000000000cc000c	1	1
InternetReadFile May 19, 2023, 5:51 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $AN86/Ve/Ve/Ve}Ãe/Ve}Òe)/Ve}Õen/Ve"é-e/Ve/We/Ve}Üe/Ve}Âe/Ve}Çe/VeRich/VePELR<bà ¤NÏ£À@ðRª²§PQ R¼0E@Ü.text¢¤ `.data`ALÀ¨@À.rsrcQÄ@@.reloc¼O RPP@B request_handle: 0x0000000000cc000c	1	1
InternetReadFile May 19, 2023, 5:51 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL .]dà . @@ @P.K@Z` H.text¤ `.rsrcZ@@@.reloc`@B.HÌþýÙøïîáìãâáäçæåäøÿóÛüóòñð÷öõôÛÊÉÈÏÎÍÌÃÂÁÀÇÆÅÄÛÚÙØßÞÝÜÓÒÑÐ×ÖÕÔ«ª©¨¯®¬£¢¡ §¦¥¤º¹¸¿¾ÈÄ°¶»©¯ü¥¨±¥¾²¹¶á·½²©¹´ºá£Nhj@t\|nTFtFGpBh~mwx KhteDrf~@JIHONMLCBBPTVED@RAZ_YL_[]APWVUT+)(/?-,+!-' %$;1))?>=432107654 :0èêéèïîíìãâáäçæåäûúùøÿþøÚöÄñð÷ÐõôËÊÉÈÏÎÅÌÓÊÕÀÇÂÅÄÛÚÙØßÞÞÜÓÒÑÐ×ÖÕÔ«ª©¸¯®¬£¢¡ ¯¦¥¤»º¹¸¿¾½¼³²± ·¶µ´¤ °kjihonmlcba`gfed{zyx~}\|srqpwvutKJIHONMLCBA@GFED request_handle: 0x0000000000cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0001aa00', u'virtual_address': u'0x000fb000', u'entropy': 7.400841338641845, u'name': u'.rsrc', u'virtual_size': u'0x0001a964'}

entropy

7.40084133864

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW May 19, 2023, 5:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 19, 2023, 5:59 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 19, 2023, 5:59 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 19, 2023, 5:59 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Expresses interest in specific running processes (1 event)

process

system

Yara rule detected in process memory (40 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot

Queries for potentially installed applications (50 out of 51 events)

Time & API	Arguments	Status
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000710 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: 7-Zip base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: AddressBook base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: Adobe AIR base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: Connection Manager base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: DirectDrawEx base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: EditPlus base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: Fontcore base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: Google Chrome base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: IE40 base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: IE4Data base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: IE5BAKEX base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: IEData base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: MobileOptionPack base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: Office15.PROPLUSR base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: SchedulingAgent base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: WIC base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW May 19, 2023, 5:57 p.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x00000710 key_handle: 0x00000714 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	C:\Windows\System32\cmd.exe /k ping 0 & del C:\Users\test22\AppData\Local\Temp\compan.exe & exit
cmdline	ping 0
cmdline	"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\test22\AppData\Local\Temp\compan.exe & exit

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (35 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA May 19, 2023, 5:57 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 19, 2023, 5:57 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 19, 2023, 5:58 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 19, 2023, 5:58 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 19, 2023, 5:58 p.m.	class_name: pediy06 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Drops a binary and executes it (1 event)

file	C:\ProgramData\AdobeVegas\QRBIZUJ.exe

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW May 19, 2023, 5:57 p.m.	key_handle: 0x00000714 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (5 events)

process	compan.exe	useragent	Installed OK 1.0/3
process	compan.exe	useragent	CustomInstaller 1.0/3
process	compan.exe	useragent	The Bigger Than Bigger Bim Bim Talk Told You Than i 348
process	compan.exe	useragent	Installed OK 5.0/1
process	compan.exe	useragent	Prepaid User 348920939423

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2040 resumed a thread in remote process 2992
Process injection	Process 2908 resumed a thread in remote process 3052
NtResumeThread May 19, 2023, 5:51 p.m.	thread_handle: 0x0000000000000558 suspend_count: 1 process_identifier: 2992	1	0	0
NtResumeThread May 19, 2023, 5:59 p.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 3052	1	0	0

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 19, 2023, 5:57 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 ba 0d 00 00 c7 04 24 exception.symbol: 1507039610+0x1b4fe7 exception.instruction: in eax, dx exception.module: 1507039610.exe exception.exception_code: 0xc0000096 exception.offset: 1789927 exception.address: 0x1094fe7 registers.esp: 3407240 registers.edi: 3550777 registers.eax: 1447909480 registers.ebp: 3891298324 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 17382884 registers.ecx: 20	1	0	0

Detects the presence of Wine emulator (1 event)

registry

HKEY_CURRENT_USER\Software\Wine

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

MicroWorld-eScan	Trojan.GenericKD.67000300
FireEye	Generic.mg.55e23e1fe5c4051b
ALYac	Trojan.GenericKD.67000300
Cylance	unsafe
VIPRE	Trojan.GenericKD.67000300
Sangfor	Infostealer.Win32.Agent.V543
Alibaba	TrojanSpy:Win32/Stealer.8f92b492
Cybereason	malicious.7ca909
Cyren	W64/ABRisk.GBQF-6525
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	multiple detections
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	Trojan-Spy.Win32.Stealer.dxgz
BitDefender	Trojan.GenericKD.67000300
Avast	FileRepMalware [Pws]
Tencent	Win32.Trojan-Spy.Stealer.Kcnw
Emsisoft	Trojan.GenericKD.67000300 (B)
F-Secure	Heuristic.HEUR/AGEN.1319403
TrendMicro	Trojan.Win64.PRIVATELOADER.YXDESZ
McAfee-GW-Edition	BehavesLike.Win64.Dropper.th
Sophos	Mal/Generic-S
Webroot	W32.Trojan.GenKD
Avira	HEUR/AGEN.1319403
Gridinsoft	Trojan.Win64.Downloader.sa
Arcabit	Trojan.Generic.D3FE57EC
ZoneAlarm	Trojan-Spy.Win32.Stealer.dxgz
GData	Trojan.GenericKD.67000300
Google	Detected
McAfee	Artemis!55E23E1FE5C4
MAX	malware (ai score=85)
Malwarebytes	Backdoor.NetWiredRC.AutoIt.Generic
Panda	Trj/Agent.AY
TrendMicro-HouseCall	Trojan.Win64.PRIVATELOADER.YXDESZ
Rising	Trojan.Obfus/Autoit!1.C774 (CLASSIC)
Ikarus	Trojan.Win32.Obfuscated
Fortinet	AutoIt/Injector.DXO!tr
AVG	FileRepMalware [Pws]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

compan.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All