Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 20, 2024, 7:59 p.m.	July 20, 2024, 8:22 p.m.

Size	582.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`6298475c0e4860db7568c5b231e3cca9`
SHA256	`d9012cd07349eec687cb347232b55fa1cd308f89c433474bcfb63132cca908c9`
CRC32	`6EF1F11F`
ssdeep	`12288:sCn4AyHnrx5KuwBPjaUQtbwDGno9FeCyp0seDwE:/nEnrxKBP2p+DGnykTpheD`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

winiti.exe "C:\Users\test22\AppData\Local\Temp\winiti.exe"
2544
- powershell.exe "powershell.exe" -windowstyle hidden "$Fjolle=Get-Content 'C:\Users\test22\AppData\Roaming\Watertown136\Brevskolen141\Receptiv147\Mechanicals\jordbrugsdrifternes.Inv';$Virksomhedsejers=$Fjolle.SubString(69323,3);.$Virksomhedsejers($Fjolle)"
  2656

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 20, 2024, 7:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2024, 7:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2024, 7:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2024, 7:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 20, 2024, 7:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2024, 7:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2024, 7:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2024, 7:59 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 20, 2024, 7:59 p.m.			0	0

Command line console output was observed (41 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000023	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: At line:1 char:68 console_handle: 0x0000002f	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: + $global:Kammers = ($Irreticent37 \| Where-Object { $_.Location.Split <<<< ($Ou console_handle: 0x0000003b	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: trageproof)[-1].Equals($Apocrustic) }).GetType($Forbrndtes) console_handle: 0x00000047	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: + CategoryInfo : InvalidOperation: (Split:String) [], RuntimeExce console_handle: 0x00000053	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: ption console_handle: 0x0000005f	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x0000006b	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: Cannot convert argument "0", with value: "", for "Invoke" to type "System.IntPt console_handle: 0x00000023	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: r": "Cannot convert null to type "System.IntPtr"." console_handle: 0x0000002f	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: At line:1 char:24 console_handle: 0x0000003b	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: + $Radiumstationer.Invoke <<<< ($Zeuzeridae, 0) console_handle: 0x00000047	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodException console_handle: 0x00000053	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: + FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument console_handle: 0x0000005f	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000023	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: At line:1 char:68 console_handle: 0x0000002f	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: + $global:Kammers = ($Irreticent37 \| Where-Object { $_.Location.Split <<<< ($Ou console_handle: 0x0000003b	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: trageproof)[-1].Equals($Apocrustic) }).GetType($Forbrndtes) console_handle: 0x00000047	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: + CategoryInfo : InvalidOperation: (Split:String) [], RuntimeExce console_handle: 0x00000053	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: ption console_handle: 0x0000005f	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x0000006b	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x0000008b	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: At line:1 char:68 console_handle: 0x00000097	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: + $global:Kammers = ($Irreticent37 \| Where-Object { $_.Location.Split <<<< ($Ou console_handle: 0x000000a3	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: trageproof)[-1].Equals($Apocrustic) }).GetType($Forbrndtes) console_handle: 0x000000af	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: + CategoryInfo : InvalidOperation: (Split:String) [], RuntimeExce console_handle: 0x000000bb	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: ption console_handle: 0x000000c7	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000000d3	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000023	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: At line:1 char:68 console_handle: 0x0000002f	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: + $global:Kammers = ($Irreticent37 \| Where-Object { $_.Location.Split <<<< ($Ou console_handle: 0x0000003b	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: trageproof)[-1].Equals($Apocrustic) }).GetType($Forbrndtes) console_handle: 0x00000047	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: + CategoryInfo : InvalidOperation: (Split:String) [], RuntimeExce console_handle: 0x00000053	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: ption console_handle: 0x0000005f	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x0000006b	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x0000008b	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: At line:1 char:68 console_handle: 0x00000097	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: + $global:Kammers = ($Irreticent37 \| Where-Object { $_.Location.Split <<<< ($Ou console_handle: 0x000000a3	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: trageproof)[-1].Equals($Apocrustic) }).GetType($Forbrndtes) console_handle: 0x000000af	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: + CategoryInfo : InvalidOperation: (Split:String) [], RuntimeExce console_handle: 0x000000bb	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: ption console_handle: 0x000000c7	1	1
WriteConsoleW July 20, 2024, 7:59 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000000d3	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 51 events)

Time & API	Arguments	Status	Return
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fb978 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fbf38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fbf38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fbf38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fc278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fc278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fc278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fc278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fc278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fc278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fbdf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fbdf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fbdf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fbf38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fbf38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fbf38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fba38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fbf38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fbf38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fbf38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fbf38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fbf38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fbf38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fbf38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fb5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fb5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fb5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fb5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fb5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fb5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fb5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fb5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fb5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fb5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fb5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fb5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fb5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fb5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fbaf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fbaf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a9030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a9030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a9030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a9030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a9030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a90f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a90f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a90f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a90f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2024, 7:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a90f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 20, 2024, 7:59 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (50 out of 57000 events)

Time & API	Arguments	Status
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 76 22 9c 2f 22 2e f8 ae f3 1c c7 a5 f3 e5 36 78 exception.instruction: jbe 0x88ea04f exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x88ea02b registers.esp: 101180544 registers.edi: 101180540 registers.eax: 3449672 registers.ebp: 101180552 registers.edx: 143560704 registers.ebx: 256 registers.esi: 1995838602 registers.ecx: 143564739	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: cc be 56 97 02 fe 98 4d 13 32 22 2a 7e f2 de cf exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x88ea06a registers.esp: 101180552 registers.edi: 143564167 registers.eax: 1968898048 registers.ebp: 101180552 registers.edx: 3519263811 registers.ebx: 2829680 registers.esi: 2829704 registers.ecx: 16	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 0f 00 13 17 00 00 00 00 00 00 00 00 00 00 00 00 exception.instruction: lldt word ptr [ebx] exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x88ea090 registers.esp: 101180552 registers.edi: 143564167 registers.eax: 1968898048 registers.ebp: 101180552 registers.edx: 3519263811 registers.ebx: 2829680 registers.esi: 2829704 registers.ecx: 16	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 0f c7 37 3e 00 00 00 00 00 00 00 00 00 00 00 00 exception.instruction: vmptrld qword ptr [edi] exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x88ea0ba registers.esp: 101180552 registers.edi: 143564167 registers.eax: 1968898048 registers.ebp: 101180552 registers.edx: 3519263811 registers.ebx: 2829680 registers.esi: 2829704 registers.ecx: 16	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: GetStartupInfoA-0x10e00 kernel32+0x0 @ 0x755b0000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 73 03 d0 c1 13 4b c5 d8 84 05 0a e6 ba c0 c3 da exception.instruction: jae 0x88ea117 exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x88ea112 registers.esp: 101180544 registers.edi: 143564167 registers.eax: 256 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 2190696765 registers.esi: 2829704 registers.ecx: 101180540	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: GetStartupInfoA-0x10e00 kernel32+0x0 @ 0x755b0000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: cc 26 f3 64 b4 d6 b6 7d f4 08 e1 02 01 b5 d4 17 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x88ea146 registers.esp: 101180548 registers.edi: 143564167 registers.eax: 1969084418 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 2190696765 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: GetStartupInfoA-0x10e00 kernel32+0x0 @ 0x755b0000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 78 18 b8 48 51 aa 8f 2a 45 2c 1c 3f b1 b0 8d ff exception.instruction: js 0x88ea1b3 exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x88ea199 registers.esp: 101180540 registers.edi: 143564167 registers.eax: 1969084418 registers.ebp: 101180552 registers.edx: 101180536 registers.ebx: 256 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: GetStartupInfoA-0x10e00 kernel32+0x0 @ 0x755b0000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 89 10 23 e6 b2 72 e1 6d a7 09 2d e0 c1 b2 a8 f3 exception.instruction: mov dword ptr [eax], edx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x88ea1f0 registers.esp: 101180544 registers.edi: 143564167 registers.eax: 1148 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 2190696765 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: GetStartupInfoA-0x10e00 kernel32+0x0 @ 0x755b0000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 75 0c 8c d9 30 07 6b 02 96 57 fb c7 a3 d4 49 c6 exception.instruction: jne 0x88ea24f exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x88ea241 registers.esp: 101180540 registers.edi: 143564167 registers.eax: 1969084418 registers.ebp: 101180552 registers.edx: 256 registers.ebx: 2190696765 registers.esi: 2829704 registers.ecx: 101180536	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 89 3a 96 53 49 68 06 f0 6d 9b 52 71 f6 36 ab 91 exception.instruction: mov dword ptr [edx], edi exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x88ea299 registers.esp: 101180548 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 65071 registers.ebx: 2190696765 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: cc 47 c2 bf df 10 12 5f 8d 21 00 ed 95 29 0d 43 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x88ea2ca registers.esp: 101180552 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 2190696765 registers.esi: 2829704 registers.ecx: 101189632	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 89 18 a1 28 96 74 c7 6e b1 3f 81 1c 34 e7 f1 da exception.instruction: mov dword ptr [eax], ebx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x891382e registers.esp: 101180540 registers.edi: 143564167 registers.eax: 23226 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189632 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 89 16 0f 2c f3 32 e8 8a a4 a2 f7 f7 d4 38 25 7d exception.instruction: mov dword ptr [esi], edx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8913890 registers.esp: 101180540 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189632 registers.esi: 52220 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 89 30 14 6c f9 49 4d 01 51 4c 01 b8 0d af 1e 72 exception.instruction: mov dword ptr [eax], esi exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x89138c4 registers.esp: 101180540 registers.edi: 143564167 registers.eax: 29647 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189632 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 0f 01 13 8a 00 00 00 00 00 00 00 00 00 00 00 00 exception.instruction: lgdt ptr [ebx] exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x891390f registers.esp: 101180544 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189632 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 0f 01 13 8a 00 00 00 00 00 00 00 00 00 00 00 00 exception.instruction: lgdt ptr [ebx] exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x891390f registers.esp: 101180544 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189633 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 0f 01 13 8a 00 00 00 00 00 00 00 00 00 00 00 00 exception.instruction: lgdt ptr [ebx] exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x891390f registers.esp: 101180544 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189634 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 89 3e d3 c7 e4 d0 15 c3 2a 11 d1 8e 86 6f d9 6b exception.instruction: mov dword ptr [esi], edi exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8913967 registers.esp: 101180540 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189636 registers.esi: 41749 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 0f 01 1f 83 00 00 00 00 00 00 00 00 00 00 00 00 exception.instruction: lidt ptr [edi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8913998 registers.esp: 101180544 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189636 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: cc 29 32 31 86 8b cf 26 3d 9c 22 4a fb ee 4b af exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x89139c7 registers.esp: 101180544 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189636 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: cc 1a b2 3c 67 7e 95 e1 38 38 e5 81 2b 0e 46 6c exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x89139f4 registers.esp: 101180544 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189636 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 70 04 02 99 a3 8f db 1b 7e 1b a7 62 43 17 2a 4c exception.instruction: jo 0x8913a51 exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x8913a4b registers.esp: 101180536 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 256 registers.ebx: 101180532 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: cc d7 3f ef 42 85 b1 c6 59 6a fb ea b8 e0 af f1 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x8913a96 registers.esp: 101180544 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189640 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 7d 16 d3 36 19 9a d0 66 f8 55 d2 2a 05 0f 73 b6 exception.instruction: jge 0x8913af4 exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x8913adc registers.esp: 101180536 registers.edi: 101180532 registers.eax: 256 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189640 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 0f 01 1e 62 00 00 00 00 00 00 00 00 00 00 00 00 exception.instruction: lidt ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8913b13 registers.esp: 101180544 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189640 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: cc 32 08 68 b3 f9 41 75 01 49 d0 f7 47 69 d2 b6 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x8913b48 registers.esp: 101180544 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189640 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 74 26 6d 93 27 b6 25 07 6d eb f9 c4 42 9f 53 55 exception.instruction: je 0x8913bca exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x8913ba2 registers.esp: 101180536 registers.edi: 2413377527 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 256 registers.ebx: 101189640 registers.esi: 2829704 registers.ecx: 101180532	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 89 0b 3f c8 bd d1 db 2a a0 5c 97 39 f9 b5 3e 22 exception.instruction: mov dword ptr [ebx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8913bfc registers.esp: 101180540 registers.edi: 2413377527 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 13095 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 77 15 52 6d 74 a0 ec fa a0 85 66 16 4d 6a d2 bd exception.instruction: ja 0x8913c6f exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x8913c58 registers.esp: 101180536 registers.edi: 503002343 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 256 registers.ebx: 101180532 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: cc 34 a0 03 d2 4a 2a 97 57 cb 20 35 9b 16 55 ba exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x8913c9b registers.esp: 101180544 registers.edi: 4 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189640 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: cc 85 0e d2 05 0f 5e 78 d1 68 a6 c2 06 6c 71 8c exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x8913cc7 registers.esp: 101180544 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189644 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 89 0e 7c 3a a2 80 71 15 5d 94 11 e1 25 f4 1d 32 exception.instruction: mov dword ptr [esi], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8913d06 registers.esp: 101180540 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189644 registers.esi: 52427 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 89 01 e1 e0 de 7a b4 c6 16 f6 26 a8 5c f1 3c d4 exception.instruction: mov dword ptr [ecx], eax exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8913d52 registers.esp: 101180540 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189644 registers.esi: 2829704 registers.ecx: 1317	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: cc 73 51 38 a9 40 e0 be 4e e1 04 56 8e a6 f8 84 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x8913d80 registers.esp: 101180544 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189644 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 78 22 bc e5 5a 8a a2 42 d3 e0 3e c9 04 f7 85 20 exception.instruction: js 0x8913ded exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x8913dc9 registers.esp: 101180536 registers.edi: 256 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 101180532 registers.ebx: 101189644 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 89 36 6a 36 f5 78 5f a1 78 91 54 fa c4 3d c2 7e exception.instruction: mov dword ptr [esi], esi exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8913e50 registers.esp: 101180540 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 2979460219 registers.ebx: 101189644 registers.esi: 22916 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 7e 0b 4c de bd e4 59 77 2d 22 b2 03 69 e5 c2 87 exception.instruction: jle 0x8913eb8 exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x8913eab registers.esp: 101180536 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 4 registers.ebx: 256 registers.esi: 2829704 registers.ecx: 101180532	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 0f 01 30 c7 00 00 00 00 00 00 00 00 00 00 00 00 exception.instruction: lmsw word ptr [eax] exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x8913eeb registers.esp: 101180544 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189648 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: cc d1 4b 73 41 35 3f cc 79 00 35 14 8c 79 67 99 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x88ea309 registers.esp: 101180544 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189648 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 0f 00 db 92 00 00 00 00 00 00 00 00 00 00 00 00 exception.instruction: ltr bx exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x88ea33c registers.esp: 101180544 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189648 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: cc 4f a6 45 3b 54 cd 34 f5 fc a1 e8 c5 74 d6 37 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x88ea36f registers.esp: 101180544 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189648 registers.esi: 2829704 registers.ecx: 1216	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: cc 77 d1 f5 cf 20 5a cb 6c d5 79 cf 26 c1 7c 64 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x88ea3b7 registers.esp: 101180552 registers.edi: 143564167 registers.eax: 101189632 registers.ebp: 101180552 registers.edx: 1969720771 registers.ebx: 101189648 registers.esi: 2829704 registers.ecx: 101189636	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: gapfnScSendMessage-0x15fc8 user32+0x0 @ 0x75840000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 89 1a 99 b0 6c 80 86 90 92 b3 65 c6 99 00 ee 8c exception.instruction: mov dword ptr [edx], ebx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x88ea3fc registers.esp: 101180548 registers.edi: 143564167 registers.eax: 1972043038 registers.ebp: 101180552 registers.edx: 7960 registers.ebx: 2129430849 registers.esi: 2829704 registers.ecx: 526	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: gapfnScSendMessage-0x15fc8 user32+0x0 @ 0x75840000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: cc 7f 1d ac 00 44 dd 0c e8 18 65 23 01 89 85 0a exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x88ea426 registers.esp: 101180552 registers.edi: 143564167 registers.eax: 1972043038 registers.ebp: 101180552 registers.edx: 1971669752 registers.ebx: 2129430849 registers.esi: 2829704 registers.ecx: 526	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: gapfnScSendMessage-0x15fc8 user32+0x0 @ 0x75840000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 74 16 20 1d c3 b3 28 93 f1 01 26 89 b4 12 6a 83 exception.instruction: je 0x88ea486 exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x88ea46e registers.esp: 101180544 registers.edi: 143564167 registers.eax: 101180540 registers.ebp: 101180552 registers.edx: 256 registers.ebx: 2129430849 registers.esi: 2829704 registers.ecx: 526	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: gapfnScSendMessage-0x15fc8 user32+0x0 @ 0x75840000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 0f 01 c3 72 00 00 00 00 00 00 00 00 00 00 00 00 exception.instruction: vmresume exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x88ea4ac registers.esp: 101180552 registers.edi: 143564167 registers.eax: 1972043038 registers.ebp: 101180552 registers.edx: 1971669752 registers.ebx: 1841564139 registers.esi: 2829704 registers.ecx: 526	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: gapfnScSendMessage-0x15fc8 user32+0x0 @ 0x75840000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: cc 40 cc 60 a9 5e e6 d2 22 39 b7 a1 93 83 80 aa exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x88ea4db registers.esp: 101180552 registers.edi: 143564167 registers.eax: 1972043038 registers.ebp: 101180552 registers.edx: 1971669752 registers.ebx: 3248273379 registers.esi: 2829704 registers.ecx: 526	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: gapfnScSendMessage-0x15fc8 user32+0x0 @ 0x75840000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 71 0b 2d b1 4d 77 cf 75 7c 22 e8 d1 84 d5 da 35 exception.instruction: jno 0x88ea549 exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x88ea53c registers.esp: 101180544 registers.edi: 143564167 registers.eax: 1972043038 registers.ebp: 101180552 registers.edx: 1971669752 registers.ebx: 12288 registers.esi: 256 registers.ecx: 101180540	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: cc dd 4a 33 85 12 39 f5 35 82 e1 86 69 9a e3 16 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x88ea588 registers.esp: 101180552 registers.edi: 143564167 registers.eax: 101255168 registers.ebp: 101180552 registers.edx: 1971669752 registers.ebx: 2129430849 registers.esi: 2829704 registers.ecx: 526	1
__exception__ July 20, 2024, 8 p.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x76f10000 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa exception.instruction_r: 0f 09 0f 2f 00 00 00 00 00 00 00 00 00 00 00 00 exception.instruction: wbinvd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x88ea5b4 registers.esp: 101180552 registers.edi: 143564167 registers.eax: 101255168 registers.ebp: 101180552 registers.edx: 2357691316 registers.ebx: 2129430849 registers.esi: 2829704 registers.ecx: 1995838584	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 182 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02940000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x724a1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x724a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f5b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f57000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f55000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f25000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f26000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f43000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f45000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f46000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f47000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f49000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02961000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02963000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02964000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02965000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02966000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02967000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02968000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02969000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0296a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0296b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0296c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0296d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0296e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0296f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2024, 7:59 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\nsuEE77.tmp\nsDialogs.dll
file	C:\Users\test22\AppData\Local\Temp\nsuEE77.tmp\BgImage.dll
file	C:\Users\test22\AppData\Local\Temp\nsuEE77.tmp\nsExec.dll

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Roaming\Watertown136\Brevskolen141\Receptiv147\Mechanicals\Undladelsessynderne\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Windows\resources\sammentrkket\fatherlike.lnk

Creates a suspicious process (1 event)

cmdline

"powershell.exe" -windowstyle hidden "$Fjolle=Get-Content 'C:\Users\test22\AppData\Roaming\Watertown136\Brevskolen141\Receptiv147\Mechanicals\jordbrugsdrifternes.Inv';$Virksomhedsejers=$Fjolle.SubString(69323,3);.$Virksomhedsejers($Fjolle)"

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\nsuEE77.tmp\nsDialogs.dll
file	C:\Users\test22\AppData\Local\Temp\nsuEE77.tmp\BgImage.dll
file	C:\Users\test22\AppData\Local\Temp\nsuEE77.tmp\nsExec.dll

Executes one or more WMI queries (1 event)

wmi	select * from Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW July 20, 2024, 7:59 p.m.	thread_identifier: 2660 thread_handle: 0x0000025c process_identifier: 2656 current_directory: filepath: track: 1 command_line: "powershell.exe" -windowstyle hidden "$Fjolle=Get-Content 'C:\Users\test22\AppData\Roaming\Watertown136\Brevskolen141\Receptiv147\Mechanicals\jordbrugsdrifternes.Inv';$Virksomhedsejers=$Fjolle.SubString(69323,3);.$Virksomhedsejers($Fjolle)" filepath_r: stack_pivoted: 0 creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE) inherit_handles: 0 process_handle: 0x00000258	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 20, 2024, 7:59 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess July 20, 2024, 7:59 p.m.	status_code: 0xffffffff process_identifier: 2544 process_handle: 0x000003e4		0	0
NtTerminateProcess July 20, 2024, 7:59 p.m.	status_code: 0xffffffff process_identifier: 2544 process_handle: 0x000003e4	1	0	0

Creates a suspicious Powershell process (1 event)

option

-windowstyle hidden

value

Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Makoob.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.hc
ALYac	Gen:Variant.Nemesis.32042
Cylance	Unsafe
VIPRE	Trojan.GenericKD.73598442
Sangfor	Trojan.Win32.Makoob.V617
K7AntiVirus	Trojan ( 005b80091 )
BitDefender	Trojan.Generic.36581224
K7GW	Trojan ( 005b80091 )
Cybereason	malicious.c0e486
Arcabit	Trojan.Nemesis.D7D2A
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	multiple detections
APEX	Malicious
McAfee	Artemis!6298475C0E48
Avast	Win32:Evo-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Makoob.gen
Alibaba	Trojan:Win32/Makoob.66c42d8e
MicroWorld-eScan	Trojan.Generic.36581224
Rising	Trojan.Agent/PS!8.1331B (TOPIS:E0:veGkLztBtrN)
Emsisoft	Trojan.GenericKD.73598442 (B)
F-Secure	Heuristic.HEUR/AGEN.1373277
TrendMicro	Trojan.Win32.GULOADER.YXEGSZ
McAfeeD	ti!D9012CD07349
FireEye	Trojan.Generic.36581224
Sophos	Mal/Generic-S
Ikarus	Trojan.NSIS.Injector
Webroot	W32.Malware.Gen
Google	Detected
Avira	HEUR/AGEN.1373277
MAX	malware (ai score=81)
Antiy-AVL	Trojan/Win32.Makoob.gen
Kingsoft	Win32.Trojan.Makoob.gen
Gridinsoft	Trojan.Win32.Downloader.sa
Xcitium	Malware@#2m8rl4zevg3cd
Microsoft	Trojan:Win32/GuLoader.KFDL
ZoneAlarm	HEUR:Trojan.Win32.Makoob.gen
GData	Trojan.Generic.36581224
Varist	W32/Agent.JDG.gen!Eldorado
AhnLab-V3	Downloader/Win.GuLoader.C5651621
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Injector.NSIS
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.GULOADER.YXEGSZ
Tencent	Win32.Trojan.Makoob.Zimw
Fortinet	NSIS/Injector.P582!tr
AVG	Win32:Evo-gen [Trj]

winiti.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All