Summary | ZeroBOX

systems.exe

RedLine Infostealer Generic Malware UltraVNC UPX Malicious Library Downloader Antivirus HTTP ScreenShot Create Service KeyLogger Internet API DGA Http API FTP Socket Escalate privileges DNS Code injection PWS Sniff Audio Steal credential P2P
Category FILE
Machine s1_win7_x6401
Started Aug. 5, 2024, 10:36 a.m.
Completed Aug. 5, 2024, 10:45 a.m.
Size 471.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 454a942056f6d69c4a06ffedffea974a
SHA256 2b9de0299a80e370e454b8512ee65abf2eac12ab3fe681201c25745978b199ed
CRC32 A436874E
ssdeep 12288:Fh1Lk70TnvjcwkhK/wO+FkH6GQx0Xs8eqUVd:Rk70TrcwkMY9xfJ3
PDB Path
Yara
  • Malicious_Library_Zero - Malicious_Library
  • MALWARE_Win_VT_RedLine - Detects RedLine infostealer
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • UltraVNC_Zero - UltraVNC
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check

IP Address Status Action
149.154.167.220 Active Moloch
164.124.101.2 Active Moloch
91.217.76.162 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49177 -> 149.154.167.220:443 2033967 ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) Misc activity
TCP 192.168.56.101:49177 -> 149.154.167.220:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49177 -> 149.154.167.220:443 2033967 ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) Misc activity
UDP 192.168.56.101:54148 -> 164.124.101.2:53 2033966 ET HUNTING Telegram API Domain in DNS Lookup Misc activity
TCP 192.168.56.101:49167 -> 91.217.76.162:56006 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.101:49167 -> 91.217.76.162:56006 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.101:49167 -> 91.217.76.162:56006 2260002 SURICATA Applayer Detect protocol only one direction Generic Protocol Command Decode
TCP 91.217.76.162:56006 -> 192.168.56.101:49167 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 91.217.76.162:56006 -> 192.168.56.101:49167 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.101:49164 -> 91.217.76.162:56006 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.101:49164 -> 91.217.76.162:56006 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.101:49164 -> 91.217.76.162:56006 2260002 SURICATA Applayer Detect protocol only one direction Generic Protocol Command Decode
TCP 149.154.167.220:443 -> 192.168.56.101:49178 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 149.154.167.220:443 2033967 ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) Misc activity
TCP 192.168.56.101:49176 -> 149.154.167.220:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49176 -> 149.154.167.220:443 2033967 ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) Misc activity
TCP 91.217.76.162:56006 -> 192.168.56.101:49164 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 91.217.76.162:56006 -> 192.168.56.101:49164 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 91.217.76.162:56006 -> 192.168.56.101:49164 2035595 ET MALWARE Generic AsyncRAT Style SSL Cert Domain Observed Used for C2 Detected
TCP 192.168.56.101:49176 -> 149.154.167.220:443 2033967 ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) Misc activity
TCP 192.168.56.101:49177 -> 149.154.167.220:443 2033967 ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) Misc activity

Suricata TLS

Flow                                              Version  Issuer        Subject       Fingerprint
192.168.56.101:49164 -> 91.217.76.162:56006       TLSv1    CN=Vhhapuzwu  CN=Vhhapuzwu  f8:24:08:fd:df:c8:96:5d:47:e5:8f:24:25:9d:00:87:02:87:70:cd
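The alert rows and the certificate row above are raw sensor output. The following Python is an added triage helper, not part of the ZeroBOX report and not Suricata code: it parses rows in the format shown, orients each flow around the guest address so client-side and server-side alerts for the same peer merge, and labels each remote endpoint by the strongest rule that fired. The SID-to-role map and the verdict order are assumptions chosen for this page, the sample rows are a constructed subset of the alerts above, and the self-signed-CN check is a heuristic in the spirit of a rule like ET 2035595 (issuer equals subject, CN is a bare alphabetic token rather than a hostname), not that rule's actual logic.

```python
import re
from collections import defaultdict

# Sandbox guest address; flows are oriented so the other endpoint is "remote".
GUEST = "192.168.56.101"

# Constructed subset of the alert rows above, in the page's own column order
# (the trailing category column is dropped).
ALERTS = """\
TCP 192.168.56.101:49177 -> 149.154.167.220:443 2033967 ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
TCP 192.168.56.101:49177 -> 149.154.167.220:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
UDP 192.168.56.101:54148 -> 164.124.101.2:53 2033966 ET HUNTING Telegram API Domain in DNS Lookup
TCP 192.168.56.101:49167 -> 91.217.76.162:56006 2230002 SURICATA TLS invalid record type
TCP 91.217.76.162:56006 -> 192.168.56.101:49164 2035595 ET MALWARE Generic AsyncRAT Style SSL Cert Domain Observed Used for C2 Detected
TCP 149.154.167.220:443 -> 192.168.56.101:49178 2029340 ET INFO TLS Handshake Failure
"""

# Assumed weighting of the SIDs seen in this report; Suricata itself assigns none.
SID_ROLE = {
    2033966: "telegram-dns", 2033967: "telegram-sni", 2035595: "c2-cert",
    906200054: "bad-ja3", 2029340: "tls-fail",
    2230002: "proto-decode", 2230010: "proto-decode", 2260002: "proto-decode",
}

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<a>[\d.]+):(?P<ap>\d+)\s+->\s+"
    r"(?P<b>[\d.]+):(?P<bp>\d+)\s+(?P<sid>\d+)\s+(?P<sig>.+)$"
)


def parse_alerts(text):
    """Yield (remote_ip, remote_port, sid, signature) per row, with the flow
    oriented around the guest so client- and server-side alerts merge."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        a, ap, b, bp = m["a"], int(m["ap"]), m["b"], int(m["bp"])
        ip, port = (b, bp) if a == GUEST else (a, ap)
        yield ip, port, int(m["sid"]), m["sig"]


def classify(roles):
    """Strongest role wins: a C2 cert outranks an exfil channel, which outranks
    a bad JA3 alone; protocol-decode noise never raises a verdict by itself."""
    if "c2-cert" in roles:
        return "c2"
    if "telegram-sni" in roles:
        return "exfil-channel"
    if "telegram-dns" in roles:
        return "dns-lookup"
    if "bad-ja3" in roles:
        return "suspicious"
    return "noise"


def triage(text):
    """Map each remote endpoint to a verdict derived from every alert naming it."""
    per_dst = defaultdict(set)
    for ip, port, sid, _sig in parse_alerts(text):
        per_dst[(ip, port)].add(SID_ROLE.get(sid, "unknown"))
    return {dst: classify(roles) for dst, roles in per_dst.items()}


def looks_like_rat_cert(issuer, subject):
    """Heuristic in the spirit of rules like ET 2035595: a self-signed leaf
    whose CN is one bare alphabetic token rather than a hostname."""
    return issuer == subject and re.fullmatch(r"CN=[A-Za-z]{6,}", subject) is not None
```

Run against the rows above, 91.217.76.162:56006 comes out as the C2 endpoint (the only peer with a C2-certificate hit; the TLS decode errors on that flow are consistent with non-TLS traffic on port 56006 but carry no verdict on their own), 149.154.167.220:443 as the Telegram exfil channel, and 164.124.101.2:53 as the resolver that answered the api.telegram.org lookup. The certificate CN=Vhhapuzwu from the TLS row satisfies the self-signed-CN heuristic.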

Time & API Arguments Status Return Repeated

API                 computer_name   Status  Return  Repeated  Calls
GetComputerNameW    TEST22-PC       1       1       0         11
GetComputerNameA    TEST22-PC       1       1       0         1
GetComputerNameW    TEST22-PC       1       1       0         1
GetComputerNameW    (empty)         0       0                 1
GetComputerNameW    TEST22-PC       1       1       0         1
Time & API Arguments Status Return Repeated

API                 Arguments  Status  Return  Calls
IsDebuggerPresent   (none)     0       0       4       (return 0 each time: no debugger seen)
Time & API Arguments Status Return Repeated

WriteConsoleW, 21 calls, all status 1, return 1, repeated 0. console_handle and buffer per call, in call order:

console_handle  buffer
0x00000023      Remove-ItemProperty : Property systems does not exist at path HKEY_CURRENT_USER
0x0000002f      \SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
0x0000003b      At line:1 char:20
0x00000047      + Remove-ItemProperty <<<< -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVers
0x00000053      ion\Run' -Name 'systems';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windo
0x0000005f      ws\CurrentVersion\Run' -Name 'systems' -Value 'C:\Users\test22\AppData\Roaming\
0x0000006b      systems.exe' -PropertyType 'String'
0x00000077      + CategoryInfo : InvalidArgument: (systems:String) [Remove-ItemPr
0x00000083      operty], PSArgumentException
0x0000008f      + FullyQualifiedErrorId : System.Management.Automation.PSArgumentException
0x0000009b      ,Microsoft.PowerShell.Commands.RemoveItemPropertyCommand
0x000000b7      PSPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\SOFTWARE\M
0x000000bb      icrosoft\Windows\CurrentVersion\Run
0x000000bf      PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\SOFTWARE\M
0x000000c3      icrosoft\Windows\CurrentVersion
0x000000c7      PSChildName : Run
0x000000cb      PSDrive : HKCU
0x000000cf      PSProvider : Microsoft.PowerShell.Core\Registry
0x000000d3      systems : C:\Users\test22\AppData\Roaming\systems.exe
0x0000000b      The batch file cannot be found.
0x00000013      Active code page: 65001

Reassembled PowerShell statement (the wrapped "+ " lines under "At line:1 char:20", joined; the " <<<< " marker is PowerShell 2.0's error position indicator, not part of the command):

Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'systems';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'systems' -Value 'C:\Users\test22\AppData\Roaming\systems.exe' -PropertyType 'String'

Remove-ItemProperty fails because the value does not exist yet; New-ItemProperty then creates the HKCU Run value "systems" pointing at C:\Users\test22\AppData\Roaming\systems.exe and echoes the new property object (the PSPath through "systems :" lines). The last two buffers ("The batch file cannot be found.", "Active code page: 65001") are cmd.exe messages: the output of chcp 65001 and a batch file that was deleted while running.
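The persistence command only survives in the trace as console fragments wrapped at the host's column width. The following Python is an added example, not part of the ZeroBOX report and not the sample's own code: it rejoins the "+ " lines that PowerShell 2.0 prints under "At line:N char:M" into the statement that ran, then pulls the Run-key value name and target out of it and flags targets under a user-writable directory. The fragment list is a constructed subset of the buffers above; the parser assumes single-quoted arguments in the order seen here (-Path, -Name, -Value), and the list of "user-writable" path patterns is an assumption for this example.

```python
import re

# Constructed sample: the WriteConsoleW buffers from the trace above, in call
# order, as (console_handle, buffer) pairs. Only the lines needed to reassemble
# the statement and the echoed result are kept.
CONSOLE_WRITES = [
    (0x23, "Remove-ItemProperty : Property systems does not exist at path HKEY_CURRENT_USER"),
    (0x2f, "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run."),
    (0x3b, "At line:1 char:20"),
    (0x47, "+ Remove-ItemProperty <<<< -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVers"),
    (0x53, "ion\\Run' -Name 'systems';New-ItemProperty -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windo"),
    (0x5f, "ws\\CurrentVersion\\Run' -Name 'systems' -Value 'C:\\Users\\test22\\AppData\\Roaming\\"),
    (0x6b, "systems.exe' -PropertyType 'String'"),
    (0x77, "+ CategoryInfo : InvalidArgument: (systems:String) [Remove-ItemPr"),
    (0xd3, "systems : C:\\Users\\test22\\AppData\\Roaming\\systems.exe"),
]


def reassemble_statement(writes):
    """Rejoin the '+ ' lines PowerShell 2.0 prints under 'At line:N char:M'.
    The host wraps them at the console width, splitting mid-token, so they are
    concatenated without separators; the ' <<<< ' error marker is dropped."""
    bufs = [b for _, b in writes]
    start = next((i for i, b in enumerate(bufs) if b.startswith("At line:")), None)
    if start is None:
        return None
    parts = []
    for b in bufs[start + 1:]:
        if b.startswith("+ CategoryInfo"):
            break
        parts.append(b[2:] if b.startswith("+ ") else b)
    return "".join(parts).replace(" <<<< ", " ")


# Assumes the parameter order seen in the trace (-Path, -Name, -Value) and
# single-quoted arguments; other spellings would need a real tokenizer.
RUN_KEY_RE = re.compile(
    r"New-ItemProperty\s+-Path\s+'(?P<key>[^']+)'\s+-Name\s+'(?P<name>[^']+)'"
    r"\s+-Value\s+'(?P<value>[^']+)'",
    re.IGNORECASE,
)
RUN_KEY_TAIL = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Assumed set of user-writable drop locations worth flagging.
USER_WRITABLE = re.compile(
    r"\\AppData\\(Roaming|Local)\\|\\Temp\\|\\Users\\Public\\", re.IGNORECASE
)


def extract_run_persistence(stmt):
    """Return each Run/RunOnce value the statement creates, flagging targets that
    live in a user-writable location (the usual sign of a dropped payload)."""
    hits = []
    for m in RUN_KEY_RE.finditer(stmt or ""):
        if not RUN_KEY_TAIL.search(m["key"]):
            continue
        hits.append({
            "key": m["key"],
            "name": m["name"],
            "target": m["value"],
            "user_writable": bool(USER_WRITABLE.search(m["value"])),
        })
    return hits
```

On the fragments above this yields one hit: value "systems" under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run pointing at C:\Users\test22\AppData\Roaming\systems.exe, flagged as user-writable. The same key, name and path are the host-side indicators to sweep for.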
Time & API Arguments Status Return Repeated

CryptExportKey, 50 calls. In every call flags is 0, crypto_export_handle (hExpKey, the wrapping key) is 0x00000000, status 1, return 1, repeated 0. Only the key handle, the blob type and the buffer vary. blob_type 6 is PUBLICKEYBLOB, blob_type 8 is PLAINTEXTKEYBLOB (a symmetric key exported in the clear).

crypto_handle  blob_type              buffer                               Calls
0x005c29b0     6 (PUBLICKEYBLOB)      <INVALID POINTER>                    1
0x005c2e28     6 (PUBLICKEYBLOB)      <INVALID POINTER>                    1
0x005c53d0     6 (PUBLICKEYBLOB)      <INVALID POINTER>                    2
0x005c5350     6 (PUBLICKEYBLOB)      <INVALID POINTER>                    2
0x005c5350     8 (PLAINTEXTKEYBLOB)   <INVALID POINTER>                    1
0x005c5350     8 (PLAINTEXTKEYBLOB)   (raw key blob, non-printable bytes)  1
0x00413cb0     6 (PUBLICKEYBLOB)      <INVALID POINTER>                    1
0x004144f0     6 (PUBLICKEYBLOB)      <INVALID POINTER>                    3
0x00414030     6 (PUBLICKEYBLOB)      <INVALID POINTER>                    6
0x00413af0     6 (PUBLICKEYBLOB)      <INVALID POINTER>                    3
0x004144f0     6 (PUBLICKEYBLOB)      <INVALID POINTER>                    3
0x004143b0     6 (PUBLICKEYBLOB)      <INVALID POINTER>                    1
0x004144f0     6 (PUBLICKEYBLOB)      <INVALID POINTER>                    7
0x00413c30     6 (PUBLICKEYBLOB)      <INVALID POINTER>                    14
0x004148b0     6 (PUBLICKEYBLOB)      <INVALID POINTER>                    4
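The one CryptExportKey call that returned a PLAINTEXTKEYBLOB with a real buffer is the call worth dumping, since that blob carries a symmetric key in the clear; the page shows its bytes only as unprintable text. The following Python is an added example, not part of the ZeroBOX report and not the sample's code: it parses the two blob layouts seen in the table (PLAINTEXTKEYBLOB and PUBLICKEYBLOB) from their BLOBHEADER and body as wincrypt.h defines them, and it summarises a trace excerpt per key handle. The blob bytes are constructed test data with a dummy key, not the sample's key, and reading "<INVALID POINTER>" as a NULL pbData length query is an assumption of this example that the sandbox does not state.

```python
import struct
from collections import defaultdict

# wincrypt.h blob types (BLOBHEADER.bType) and the ALG_IDs relevant here.
BLOB_TYPES = {
    1: "SIMPLEBLOB", 6: "PUBLICKEYBLOB", 7: "PRIVATEKEYBLOB",
    8: "PLAINTEXTKEYBLOB", 9: "OPAQUEKEYBLOB", 0xA: "PUBLICKEYBLOBEX",
    0xB: "SYMMETRICWRAPKEYBLOB",
}
ALG_IDS = {
    0x6603: "CALG_3DES", 0x660E: "CALG_AES_128", 0x660F: "CALG_AES_192",
    0x6610: "CALG_AES_256", 0x6801: "CALG_RC4", 0xA400: "CALG_RSA_KEYX",
    0x2400: "CALG_RSA_SIGN",
}


def parse_blob(blob):
    """Decode a CryptoAPI key blob as CryptExportKey writes it: an 8-byte
    BLOBHEADER (bType, bVersion, reserved, aiKeyAlg) followed by a type-specific
    body. Handles PLAINTEXTKEYBLOB (DWORD length + raw symmetric key) and
    PUBLICKEYBLOB (RSAPUBKEY header + little-endian modulus)."""
    if len(blob) < 8:
        raise ValueError("blob shorter than BLOBHEADER")
    btype, bver, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    out = {"type": BLOB_TYPES.get(btype, f"0x{btype:x}"), "version": bver,
           "alg": ALG_IDS.get(alg, f"0x{alg:x}")}
    if btype == 8:
        (klen,) = struct.unpack_from("<I", blob, 8)
        key = blob[12:12 + klen]
        if len(key) != klen:
            raise ValueError("truncated PLAINTEXTKEYBLOB")
        out["key_hex"] = key.hex()
    elif btype == 6:
        magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
        if magic != b"RSA1":
            raise ValueError("PUBLICKEYBLOB without RSA1 magic")
        nbytes = bitlen // 8
        modulus = blob[20:20 + nbytes]
        if len(modulus) != nbytes:
            raise ValueError("truncated modulus")
        out.update(bitlen=bitlen, pubexp=pubexp,
                   modulus=int.from_bytes(modulus, "little"))
    return out


# Constructed stand-in for the non-printable buffer logged above: an AES-128
# PLAINTEXTKEYBLOB carrying a dummy 00..0f key. It is not the sample's key.
SAMPLE_PLAINTEXT_BLOB = (
    bytes([0x08, 0x02, 0x00, 0x00, 0x0E, 0x66, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00])
    + bytes(range(16))
)


def make_pubkey_blob(bitlen=512, pubexp=65537):
    """Build a PUBLICKEYBLOB with a synthetic modulus (constructed test data)."""
    nbytes = bitlen // 8
    modulus = (1 << (bitlen - 1)) | 1   # top bit set, odd: shaped like a real modulus
    return (struct.pack("<BBHI", 6, 2, 0, 0xA400) + b"RSA1"
            + struct.pack("<II", bitlen, pubexp) + modulus.to_bytes(nbytes, "little"))


# Constructed excerpt of the CryptExportKey records above as
# (crypto_handle, blob_type, buffer_filled). '<INVALID POINTER>' in the trace
# is read here as a NULL pbData, i.e. the length query that precedes the real
# export; the sandbox does not say so, it is an assumption of this example.
TRACE = [
    (0x005C29B0, 6, False),
    (0x005C5350, 6, False),
    (0x005C5350, 6, False),
    (0x005C5350, 8, False),
    (0x005C5350, 8, True),
    (0x00413C30, 6, False),
]


def exported_in_clear(trace):
    """Handles whose PLAINTEXTKEYBLOB export actually filled a buffer: the calls
    whose buffer argument is worth dumping, since it holds a symmetric key."""
    return sorted({h for h, bt, filled in trace if bt == 8 and filled})


def length_queries_per_handle(trace):
    """How many times each handle was exported with no output buffer."""
    counts = defaultdict(int)
    for h, _bt, filled in trace:
        if not filled:
            counts[h] += 1
    return dict(counts)
```

Applied to a dumped buffer, parse_blob tells you the algorithm and, for a PLAINTEXTKEYBLOB, the key bytes themselves; on the excerpt, handle 0x005c5350 is the only one that exported a symmetric key with a buffer, after three buffer-less calls on the same handle.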
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__ (status 1, return 0, repeated 0)

stacktrace:
systems+0x1fa2 @ 0x401fa2

exception.instruction_r: f3 aa 8b 45 f0 8b 4d 08 8b 55 10 03 c8 2b d0 52
exception.symbol: systems+0xf088
exception.instruction: stosb byte ptr es:[edi], al
exception.module: systems.exe
exception.exception_code: 0xc0000005
exception.offset: 61576
exception.address: 0x40f088
registers: esp 1636996, edi 4350244 (0x426124), eax 0, ebp 1637012, edx 0, ebx 0, esi 31653960, ecx 12

__exception__ (38 further complete records, each status 1, return 0, repeated 0; every field except edi and ecx is identical across them)

stacktrace:
systems+0xf054 @ 0x40f054
systems+0xf0a0 @ 0x40f0a0
systems+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: systems+0xefff
exception.address: 0x40efff
exception.module: systems.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers (same in all 38): esp 1636940, eax 4350256, ebp 1636944, edx 79, ebx 0, esi 31653960

#    registers.edi         registers.ecx
1    4353968 (0x426fb0)    2637
2    4358064 (0x427fb0)    2605
3    4362160 (0x428fb0)    2573
4    4366256 (0x429fb0)    2541
5    4370352 (0x42afb0)    2509
6    4374448 (0x42bfb0)    2477
7    4378544 (0x42cfb0)    2445
8    4382640 (0x42dfb0)    2413
9    4386736 (0x42efb0)    2381
10   4390832 (0x42ffb0)    2349
11   4394928 (0x430fb0)    2317
12   4399024 (0x431fb0)    2285
13   4403120 (0x432fb0)    2253
14   4407216 (0x433fb0)    2221
15   4411312 (0x434fb0)    2189
16   4415408 (0x435fb0)    2157
17   4419504 (0x436fb0)    2125
18   4423600 (0x437fb0)    2093
19   4427696 (0x438fb0)    2061
20   4431792 (0x439fb0)    2029
21   4435888 (0x43afb0)    1997
22   4439984 (0x43bfb0)    1965
23   4444080 (0x43cfb0)    1933
24   4448176 (0x43dfb0)    1901
25   4452272 (0x43efb0)    1869
26   4456368 (0x43ffb0)    1837
27   4460464 (0x440fb0)    1805
28   4464560 (0x441fb0)    1773
29   4468656 (0x442fb0)    1741
30   4472752 (0x443fb0)    1709
31   4476848 (0x444fb0)    1677
32   4480944 (0x445fb0)    1645
33   4485040 (0x446fb0)    1613
34   4489136 (0x447fb0)    1581
35   4493232 (0x448fb0)    1549
36   4497328 (0x449fb0)    1517
37   4501424 (0x44afb0)    1485
38   4505520 (0x44bfb0)    1453
39   (record cut off in the extraction after exception.symbol systems+0xefff / exception.address 0x40efff; no register values are present for it)
exception.module: systems.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636940
registers.edi: 4509616
registers.eax: 4350256
registers.ebp: 1636944
registers.edx: 79
registers.ebx: 0
registers.esi: 31653960
registers.ecx: 1421
1 0 0

__exception__

stacktrace:
systems+0xf054 @ 0x40f054
systems+0xf0a0 @ 0x40f0a0
systems+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: systems+0xefff
exception.address: 0x40efff
exception.module: systems.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636940
registers.edi: 4513712
registers.eax: 4350256
registers.ebp: 1636944
registers.edx: 79
registers.ebx: 0
registers.esi: 31653960
registers.ecx: 1389
1 0 0

__exception__

stacktrace:
systems+0xf054 @ 0x40f054
systems+0xf0a0 @ 0x40f0a0
systems+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: systems+0xefff
exception.address: 0x40efff
exception.module: systems.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636940
registers.edi: 4517808
registers.eax: 4350256
registers.ebp: 1636944
registers.edx: 79
registers.ebx: 0
registers.esi: 31653960
registers.ecx: 1357
1 0 0

__exception__

stacktrace:
systems+0xf054 @ 0x40f054
systems+0xf0a0 @ 0x40f0a0
systems+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: systems+0xefff
exception.address: 0x40efff
exception.module: systems.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636940
registers.edi: 4521904
registers.eax: 4350256
registers.ebp: 1636944
registers.edx: 79
registers.ebx: 0
registers.esi: 31653960
registers.ecx: 1325
1 0 0

__exception__

stacktrace:
systems+0xf054 @ 0x40f054
systems+0xf0a0 @ 0x40f0a0
systems+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: systems+0xefff
exception.address: 0x40efff
exception.module: systems.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636940
registers.edi: 4526000
registers.eax: 4350256
registers.ebp: 1636944
registers.edx: 79
registers.ebx: 0
registers.esi: 31653960
registers.ecx: 1293
1 0 0

__exception__

stacktrace:
systems+0xf054 @ 0x40f054
systems+0xf0a0 @ 0x40f0a0
systems+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: systems+0xefff
exception.address: 0x40efff
exception.module: systems.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636940
registers.edi: 4530096
registers.eax: 4350256
registers.ebp: 1636944
registers.edx: 79
registers.ebx: 0
registers.esi: 31653960
registers.ecx: 1261
1 0 0

__exception__

stacktrace:
systems+0xf054 @ 0x40f054
systems+0xf0a0 @ 0x40f0a0
systems+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: systems+0xefff
exception.address: 0x40efff
exception.module: systems.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636940
registers.edi: 4534192
registers.eax: 4350256
registers.ebp: 1636944
registers.edx: 79
registers.ebx: 0
registers.esi: 31653960
registers.ecx: 1229
1 0 0

__exception__

stacktrace:
systems+0xf054 @ 0x40f054
systems+0xf0a0 @ 0x40f0a0
systems+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: systems+0xefff
exception.address: 0x40efff
exception.module: systems.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636940
registers.edi: 4538288
registers.eax: 4350256
registers.ebp: 1636944
registers.edx: 79
registers.ebx: 0
registers.esi: 31653960
registers.ecx: 1197
1 0 0

__exception__

stacktrace:
systems+0xf054 @ 0x40f054
systems+0xf0a0 @ 0x40f0a0
systems+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: systems+0xefff
exception.address: 0x40efff
exception.module: systems.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636940
registers.edi: 4542384
registers.eax: 4350256
registers.ebp: 1636944
registers.edx: 79
registers.ebx: 0
registers.esi: 31653960
registers.ecx: 1165
1 0 0

__exception__

stacktrace:
systems+0xf054 @ 0x40f054
systems+0xf0a0 @ 0x40f0a0
systems+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: systems+0xefff
exception.address: 0x40efff
exception.module: systems.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636940
registers.edi: 4546480
registers.eax: 4350256
registers.ebp: 1636944
registers.edx: 79
registers.ebx: 0
registers.esi: 31653960
registers.ecx: 1133
1 0 0

__exception__

stacktrace:
systems+0xf054 @ 0x40f054
systems+0xf0a0 @ 0x40f0a0
systems+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: systems+0xefff
exception.address: 0x40efff
exception.module: systems.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636940
registers.edi: 4550576
registers.eax: 4350256
registers.ebp: 1636944
registers.edx: 79
registers.ebx: 0
registers.esi: 31653960
registers.ecx: 1101
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 1507328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ff0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02120000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 1507328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02160000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02290000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 1245184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02160000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02250000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02291000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02292000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02293000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004fc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02294000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01e1b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01e17000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02240000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01e15000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 28672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02241000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02248000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01e06000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01e0a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01e07000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02249000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0224a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0224d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004fd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0224e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0224f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05320000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05321000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff50000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff58000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x058ef000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x058e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05323000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05324000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05325000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05326000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004fe000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05327000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05328000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x058e1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004ff000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\uiw3yDSfdjCt.bat
file C:\Users\test22\AppData\Roaming\systems.exe
file C:\Users\test22\AppData\Local\Temp\cli.exe
Time & API Arguments Status Return Repeated

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\test22\AppData\Local\MyHiddenFolder
filepath: C:\Users\test22\AppData\Local\MyHiddenFolder
1 1 0

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\test22\AppData\Local\MyHiddenFolder\cli.exe
filepath: C:\Users\test22\AppData\Local\MyHiddenFolder\cli.exe
1 1 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'systems';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'systems' -Value '"C:\Users\test22\AppData\Roaming\systems.exe"' -PropertyType 'String'
file C:\Users\test22\AppData\Local\Temp\uiw3yDSfdjCt.bat
file C:\Users\test22\AppData\Roaming\systems.exe
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2752
thread_handle: 0x00000364
process_identifier: 2748
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'systems';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'systems' -Value '"C:\Users\test22\AppData\Roaming\systems.exe"' -PropertyType 'String'
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000368
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\uiw3yDSfdjCt.bat
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\uiw3yDSfdjCt.bat
1 1 0
section {u'size_of_data': u'0x00053c00', u'virtual_address': u'0x00026000', u'entropy': 7.998812356746651, u'name': u'.rsrc', u'virtual_size': u'0x00053b60'} entropy 7.99881235675 description A section with a high entropy has been found
entropy 0.712765957447 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Communications over P2P network rule Network_P2P_Win
description Match Windows Http API call rule Str_Win32_Http_API
description Communications over HTTP rule Network_HTTP
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Match Windows Inet API call rule Str_Win32_Internet_API
cmdline chcp 65001
cmdline ping -n 5 localhost
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2916
region_size: 516096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000080
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
description systems.exe tried to sleep 507438615 seconds, actually delayed analysis time by 507438615 seconds
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\systems reg_value C:\Users\test22\AppData\Roaming\systems.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\My Program reg_value C:\Users\test22\AppData\Local\MyHiddenFolder\cli.exe
file C:\Users\test22\AppData\Roaming\Electrum\wallets
Time & API Arguments Status Return Repeated

RegSetValueExW

key_handle: 0x00000684
regkey_r: 99e8fc6039c46038354c0c5449777555
reg_type: 3 (REG_BINARY)
value:
regkey: HKEY_CURRENT_USER\Software\1FDE2DAF8E72D9C8F9D38AAACA325288\99e8fc6039c46038354c0c5449777555
1 0 0
file C:\Users\test22\AppData\Local\Temp\uiw3yDSfdjCt.bat
wmi SELECT * FROM AntiVirusProduct
wmi SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
wmi SELECT Caption FROM Win32_OperatingSystem
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2916
process_handle: 0x00000080
1 1 0
Process injection Process 2808 called NtSetContextThread to modify thread in remote process 2916
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 1995571652
registers.esp: 1638384
registers.edi: 0
registers.eax: 4434029
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000007c
process_identifier: 2916
1 0 0
file C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
Process injection Process 2460 resumed a thread in remote process 2808
Process injection Process 2808 resumed a thread in remote process 2916
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000084
suspend_count: 0
process_identifier: 2808
1 0 0

NtResumeThread

thread_handle: 0x0000007c
suspend_count: 1
process_identifier: 2916
1 0 0
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000114
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x00000188
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x000001c8
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x00000248
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtGetContextThread

thread_handle: 0x0000011c
Status: 1 | Return: 0 | Repeated: 0

NtGetContextThread

thread_handle: 0x0000011c
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x00000264
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x000002c8
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x00000358
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

CreateProcessInternalW

thread_identifier: 2752
thread_handle: 0x00000364
process_identifier: 2748
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'systems';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'systems' -Value '"C:\Users\test22\AppData\Roaming\systems.exe"' -PropertyType 'String'
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000368
Status: 1 | Return: 1 | Repeated: 0

NtResumeThread

thread_handle: 0x000002b8
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x000005e8
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x00000614
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x00000638
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x00000650
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x00000668
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x00000688
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x0000069c
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x0000023c
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x00000668
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x0000064c
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x0000064c
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x0000069c
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x000002e4
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x000002f4
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x00000638
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x00000604
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

CreateProcessInternalW

thread_identifier: 2452
thread_handle: 0x00000760
process_identifier: 2460
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\uiw3yDSfdjCt.bat"
filepath_r:
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000754
Status: 1 | Return: 1 | Repeated: 0

NtResumeThread

thread_handle: 0x000005fc
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x000002f8
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x000002fc
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x00000610
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x00000630
suspend_count: 1
process_identifier: 2544
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x00000298
suspend_count: 1
process_identifier: 2748
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x000002ec
suspend_count: 1
process_identifier: 2748
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x00000448
suspend_count: 1
process_identifier: 2748
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x00000494
suspend_count: 1
process_identifier: 2748
Status: 1 | Return: 0 | Repeated: 0

CreateProcessInternalW

thread_identifier: 2560
thread_handle: 0x00000088
process_identifier: 2564
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\chcp.com
track: 1
command_line: chcp 65001
filepath_r: C:\Windows\system32\chcp.com
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
Status: 1 | Return: 1 | Repeated: 0

CreateProcessInternalW

thread_identifier: 2692
thread_handle: 0x00000088
process_identifier: 2720
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\PING.EXE
track: 1
command_line: ping -n 5 localhost
filepath_r: C:\Windows\system32\PING.EXE
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000090
Status: 1 | Return: 1 | Repeated: 0

CreateProcessInternalW

thread_identifier: 2820
thread_handle: 0x00000084
process_identifier: 2808
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\cli.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\cli.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\cli.exe
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000090
Status: 1 | Return: 1 | Repeated: 0

NtResumeThread

thread_handle: 0x00000084
suspend_count: 0
process_identifier: 2808
Status: 1 | Return: 0 | Repeated: 0

CreateProcessInternalW

thread_identifier: 2924
thread_handle: 0x0000007c
process_identifier: 2916
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\cli.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\cli.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\cli.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000080
Status: 1 | Return: 1 | Repeated: 0

NtGetContextThread

thread_handle: 0x0000007c
Status: 1 | Return: 0 | Repeated: 0

NtUnmapViewOfSection

base_address: 0x00400000
region_size: 4096
process_identifier: 2916
process_handle: 0x00000080
Status: 1 | Return: 0 | Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2916
region_size: 516096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000080
Status: 1 | Return: 0 | Repeated: 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2916
process_handle: 0x00000080
Status: 1 | Return: 1 | Repeated: 0

NtSetContextThread

registers.eip: 1995571652
registers.esp: 1638384
registers.edi: 0
registers.eax: 4434029
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000007c
process_identifier: 2916
Status: 1 | Return: 0 | Repeated: 0

NtResumeThread

thread_handle: 0x0000007c
suspend_count: 1
process_identifier: 2916
Status: 1 | Return: 0 | Repeated: 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Dynara.4!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
Skyhigh BehavesLike.Win32.Generic.gc
ALYac Trojan.GenericKD.73778277
Cylance Unsafe
VIPRE Trojan.GenericKD.73778277
Sangfor Trojan.Win32.Kryptik.Vopi
K7AntiVirus Trojan ( 005a6b231 )
Alibaba Trojan:Win32/Dynara.7e6beaef
K7GW Trojan ( 005a6b231 )
Symantec ML.Attribute.HighConfidence
tehtris Generic.Malware
ESET-NOD32 a variant of MSIL/Kryptik.AIZW
APEX Malicious
Paloalto generic.ml
Kaspersky Trojan.Win32.Dynara.aqzf
BitDefender Trojan.GenericKD.73778277
MicroWorld-eScan Trojan.GenericKD.73778277
Emsisoft Trojan.GenericKD.73778277 (B)
F-Secure Heuristic.HEUR/AGEN.1367582
TrendMicro Trojan.Win32.AMADEY.YXEHCZ
McAfeeD Real Protect-LS!454A942056F6
Trapmine suspicious.low.ml.score
FireEye Generic.mg.454a942056f6d69c
Sophos Mal/Generic-S
Ikarus Trojan.MSIL.PSW
Webroot W32.Rogue.Gen
Google Detected
Avira HEUR/AGEN.1367582
MAX malware (ai score=81)
Kingsoft malware.kb.a.996
Gridinsoft Ransom.Win32.Bladabindi.sa
ZoneAlarm Trojan.Win32.Dynara.aqzf
GData Trojan.GenericKD.73778277
Varist W32/ABTrojan.FZVK-0504
BitDefenderTheta Gen:NN.ZexaF.36810.Dq0@aKWLCmn
DeepInstinct MALICIOUS
Malwarebytes MachineLearning/Anomalous.95%
TrendMicro-HouseCall Trojan.Win32.AMADEY.YXEHCZ
Tencent Malware.Win32.Gencirc.1414e0e7
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet MSIL/Kryptik.AIZW!tr
Panda Trj/Chgt.AD
CrowdStrike win/malicious_confidence_90% (D)
alibabacloud Trojan:MSIL/Kryptik.ALPE
dead_host 91.217.76.162:56004
dead_host 91.217.76.162:56005