SmartHawk

9.4

极危

该样本未表现出任何异常！

重新分析

下载样本

7c92908ca040e8ff11075412a91c9fd30e9becf5358600791b4fb8f77898f812

c3e12582a2e5df1da27711ed72590d54.exe

分析耗时

107s

最近分析

文件大小

2.8MB

静态报毒动态报毒

未检测暂无鹰眼引擎检测结果

未检测暂无反病毒引擎检测结果

Queries for the computername (4 个事件)

Time & API	Arguments	Status	Return
1620932452.9455 GetComputerNameA	computer_name: OSKAR-PC	success	1
1620932455.9925 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620932456.8835 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620932457.0235 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620932440.304625 IsDebuggerPresent		failed	0	0

Tries to locate where the browsers are installed (2 个事件)

file	C:\Program Files\Google\Chrome\Application\chrome.exe,0
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\ParentDisplayName

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620932462.242 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)

section	CODE
section	DATA
section	BSS

One or more processes crashed (37 个事件)

Time & API	Arguments	Status
1620932483.711 __exception__	stacktrace: TMethodImplementationIntercept+0x23bff8 dbkFCallWrapperAddr-0x2872fc hibituninstaller+0x325340 @ 0x725340 TMethodImplementationIntercept+0x23c7ac dbkFCallWrapperAddr-0x286b48 hibituninstaller+0x325af4 @ 0x725af4 TMethodImplementationIntercept+0x2864d8 dbkFCallWrapperAddr-0x23ce1c hibituninstaller+0x36f820 @ 0x76f820 TMethodImplementationIntercept+0x288f9b dbkFCallWrapperAddr-0x23a359 hibituninstaller+0x3722e3 @ 0x7722e3 TMethodImplementationIntercept+0x289499 dbkFCallWrapperAddr-0x239e5b hibituninstaller+0x3727e1 @ 0x7727e1 TMethodImplementationIntercept+0x28927b dbkFCallWrapperAddr-0x23a079 hibituninstaller+0x3725c3 @ 0x7725c3 TMethodImplementationIntercept+0x28443d dbkFCallWrapperAddr-0x23eeb7 hibituninstaller+0x36d785 @ 0x76d785 TMethodImplementationIntercept+0x3e9582 dbkFCallWrapperAddr-0xd9d72 hibituninstaller+0x4d28ca @ 0x8d28ca TMethodImplementationIntercept+0x3e928d dbkFCallWrapperAddr-0xda067 hibituninstaller+0x4d25d5 @ 0x8d25d5 __dbk_fcall_wrapper+0x747d4 TMethodImplementationIntercept-0x61628 hibituninstaller+0x87d20 @ 0x487d20 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 73661452 registers.edi: 73661948 registers.eax: 73661452 registers.ebp: 73661532 registers.edx: 0 registers.ebx: 0 registers.esi: 7514164 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932488.914 __exception__	stacktrace: __dbk_fcall_wrapper+0x65b68 TMethodImplementationIntercept-0x70294 hibituninstaller+0x790b4 @ 0x4790b4 __dbk_fcall_wrapper+0x65a85 TMethodImplementationIntercept-0x70377 hibituninstaller+0x78fd1 @ 0x478fd1 TMethodImplementationIntercept+0x3e897b dbkFCallWrapperAddr-0xda979 hibituninstaller+0x4d1cc3 @ 0x8d1cc3 TMethodImplementationIntercept+0x3e8eed dbkFCallWrapperAddr-0xda407 hibituninstaller+0x4d2235 @ 0x8d2235 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 79560176 registers.edi: 32 registers.eax: 79560176 registers.ebp: 79560256 registers.edx: 0 registers.ebx: 40823688 registers.esi: 40277668 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932491.976 __exception__	stacktrace: __dbk_fcall_wrapper+0x65b68 TMethodImplementationIntercept-0x70294 hibituninstaller+0x790b4 @ 0x4790b4 __dbk_fcall_wrapper+0x65a85 TMethodImplementationIntercept-0x70377 hibituninstaller+0x78fd1 @ 0x478fd1 TMethodImplementationIntercept+0x3e897b dbkFCallWrapperAddr-0xda979 hibituninstaller+0x4d1cc3 @ 0x8d1cc3 TMethodImplementationIntercept+0x3e8eed dbkFCallWrapperAddr-0xda407 hibituninstaller+0x4d2235 @ 0x8d2235 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 83230192 registers.edi: 32 registers.eax: 83230192 registers.ebp: 83230272 registers.edx: 0 registers.ebx: 40824216 registers.esi: 40278124 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932493.32 __exception__	stacktrace: TMethodImplementationIntercept+0x18d314 dbkFCallWrapperAddr-0x335fe0 hibituninstaller+0x27665c @ 0x67665c TMethodImplementationIntercept+0x3e982a dbkFCallWrapperAddr-0xd9aca hibituninstaller+0x4d2b72 @ 0x8d2b72 TMethodImplementationIntercept+0x19172a dbkFCallWrapperAddr-0x331bca hibituninstaller+0x27aa72 @ 0x67aa72 __dbk_fcall_wrapper+0x781ce TMethodImplementationIntercept-0x5dc2e hibituninstaller+0x8b71a @ 0x48b71a gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x775a77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x775a788a TMethodImplementationIntercept+0x192010 dbkFCallWrapperAddr-0x3312e4 hibituninstaller+0x27b358 @ 0x67b358 registers.esp: 1636656 registers.edi: 0 registers.eax: 1636656 registers.ebp: 1636736 registers.edx: 0 registers.ebx: 78511808 registers.esi: 4067298 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932493.32 __exception__	stacktrace: __dbk_fcall_wrapper+0x752dc TMethodImplementationIntercept-0x60b20 hibituninstaller+0x88828 @ 0x488828 __dbk_fcall_wrapper+0x7533e TMethodImplementationIntercept-0x60abe hibituninstaller+0x8888a @ 0x48888a TMethodImplementationIntercept+0x3e934c dbkFCallWrapperAddr-0xd9fa8 hibituninstaller+0x4d2694 @ 0x8d2694 __dbk_fcall_wrapper+0x747d4 TMethodImplementationIntercept-0x61628 hibituninstaller+0x87d20 @ 0x487d20 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 78511620 registers.edi: 0 registers.eax: 78511620 registers.ebp: 78511700 registers.edx: 0 registers.ebx: 1 registers.esi: 2595 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932493.57 __exception__	stacktrace: TMethodImplementationIntercept+0x23bff8 dbkFCallWrapperAddr-0x2872fc hibituninstaller+0x325340 @ 0x725340 TMethodImplementationIntercept+0x23c7ac dbkFCallWrapperAddr-0x286b48 hibituninstaller+0x325af4 @ 0x725af4 TMethodImplementationIntercept+0x2864d8 dbkFCallWrapperAddr-0x23ce1c hibituninstaller+0x36f820 @ 0x76f820 TMethodImplementationIntercept+0x288f9b dbkFCallWrapperAddr-0x23a359 hibituninstaller+0x3722e3 @ 0x7722e3 TMethodImplementationIntercept+0x289499 dbkFCallWrapperAddr-0x239e5b hibituninstaller+0x3727e1 @ 0x7727e1 TMethodImplementationIntercept+0x28927b dbkFCallWrapperAddr-0x23a079 hibituninstaller+0x3725c3 @ 0x7725c3 TMethodImplementationIntercept+0x28443d dbkFCallWrapperAddr-0x23eeb7 hibituninstaller+0x36d785 @ 0x76d785 TMethodImplementationIntercept+0x3e8a11 dbkFCallWrapperAddr-0xda8e3 hibituninstaller+0x4d1d59 @ 0x8d1d59 TMethodImplementationIntercept+0x3e8eed dbkFCallWrapperAddr-0xda407 hibituninstaller+0x4d2235 @ 0x8d2235 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 76479568 registers.edi: 76480064 registers.eax: 76479568 registers.ebp: 76479648 registers.edx: 0 registers.ebx: 0 registers.esi: 7514164 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932493.57 __exception__	stacktrace: __dbk_fcall_wrapper-0x9cff hibituninstaller+0x984d @ 0x40984d __dbk_fcall_wrapper-0x9cff hibituninstaller+0x984d @ 0x40984d TMethodImplementationIntercept+0x3e8eed dbkFCallWrapperAddr-0xda407 hibituninstaller+0x4d2235 @ 0x8d2235 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 76480012 registers.edi: 76480204 registers.eax: 76480012 registers.ebp: 76480092 registers.edx: 0 registers.ebx: 4233293 registers.esi: 4233293 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932500.601 __exception__	stacktrace: TMethodImplementationIntercept+0x18d314 dbkFCallWrapperAddr-0x335fe0 hibituninstaller+0x27665c @ 0x67665c TMethodImplementationIntercept+0x3e982a dbkFCallWrapperAddr-0xd9aca hibituninstaller+0x4d2b72 @ 0x8d2b72 TMethodImplementationIntercept+0x19172a dbkFCallWrapperAddr-0x331bca hibituninstaller+0x27aa72 @ 0x67aa72 __dbk_fcall_wrapper+0x781ce TMethodImplementationIntercept-0x5dc2e hibituninstaller+0x8b71a @ 0x48b71a gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x775a77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x775a788a TMethodImplementationIntercept+0x192010 dbkFCallWrapperAddr-0x3312e4 hibituninstaller+0x27b358 @ 0x67b358 registers.esp: 1636656 registers.edi: 0 registers.eax: 1636656 registers.ebp: 1636736 registers.edx: 0 registers.ebx: 79560384 registers.esi: 4067298 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932500.601 __exception__	stacktrace: __dbk_fcall_wrapper+0x752dc TMethodImplementationIntercept-0x60b20 hibituninstaller+0x88828 @ 0x488828 __dbk_fcall_wrapper+0x7533e TMethodImplementationIntercept-0x60abe hibituninstaller+0x8888a @ 0x48888a TMethodImplementationIntercept+0x3e934c dbkFCallWrapperAddr-0xd9fa8 hibituninstaller+0x4d2694 @ 0x8d2694 __dbk_fcall_wrapper+0x747d4 TMethodImplementationIntercept-0x61628 hibituninstaller+0x87d20 @ 0x487d20 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 79560196 registers.edi: 0 registers.eax: 79560196 registers.ebp: 79560276 registers.edx: 0 registers.ebx: 1 registers.esi: 2595 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932501.429 __exception__	stacktrace: __dbk_fcall_wrapper+0x65b68 TMethodImplementationIntercept-0x70294 hibituninstaller+0x790b4 @ 0x4790b4 __dbk_fcall_wrapper+0x65a85 TMethodImplementationIntercept-0x70377 hibituninstaller+0x78fd1 @ 0x478fd1 TMethodImplementationIntercept+0x3e897b dbkFCallWrapperAddr-0xda979 hibituninstaller+0x4d1cc3 @ 0x8d1cc3 TMethodImplementationIntercept+0x3e8eed dbkFCallWrapperAddr-0xda407 hibituninstaller+0x4d2235 @ 0x8d2235 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 79429104 registers.edi: 32 registers.eax: 79429104 registers.ebp: 79429184 registers.edx: 0 registers.ebx: 40823808 registers.esi: 40278428 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932502.586 __exception__	stacktrace: TMethodImplementationIntercept+0x18d314 dbkFCallWrapperAddr-0x335fe0 hibituninstaller+0x27665c @ 0x67665c TMethodImplementationIntercept+0x3e982a dbkFCallWrapperAddr-0xd9aca hibituninstaller+0x4d2b72 @ 0x8d2b72 TMethodImplementationIntercept+0x19172a dbkFCallWrapperAddr-0x331bca hibituninstaller+0x27aa72 @ 0x67aa72 __dbk_fcall_wrapper+0x781ce TMethodImplementationIntercept-0x5dc2e hibituninstaller+0x8b71a @ 0x48b71a gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x775a77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x775a788a TMethodImplementationIntercept+0x192010 dbkFCallWrapperAddr-0x3312e4 hibituninstaller+0x27b358 @ 0x67b358 registers.esp: 1636656 registers.edi: 0 registers.eax: 1636656 registers.ebp: 1636736 registers.edx: 0 registers.ebx: 83230400 registers.esi: 4067298 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932502.601 __exception__	stacktrace: __dbk_fcall_wrapper+0x752dc TMethodImplementationIntercept-0x60b20 hibituninstaller+0x88828 @ 0x488828 __dbk_fcall_wrapper+0x7533e TMethodImplementationIntercept-0x60abe hibituninstaller+0x8888a @ 0x48888a TMethodImplementationIntercept+0x3e934c dbkFCallWrapperAddr-0xd9fa8 hibituninstaller+0x4d2694 @ 0x8d2694 __dbk_fcall_wrapper+0x747d4 TMethodImplementationIntercept-0x61628 hibituninstaller+0x87d20 @ 0x487d20 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 83230212 registers.edi: 0 registers.eax: 83230212 registers.ebp: 83230292 registers.edx: 0 registers.ebx: 1 registers.esi: 2595 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932504.726 __exception__	stacktrace: TMethodImplementationIntercept+0x23bff8 dbkFCallWrapperAddr-0x2872fc hibituninstaller+0x325340 @ 0x725340 TMethodImplementationIntercept+0x23c7ac dbkFCallWrapperAddr-0x286b48 hibituninstaller+0x325af4 @ 0x725af4 TMethodImplementationIntercept+0x2864d8 dbkFCallWrapperAddr-0x23ce1c hibituninstaller+0x36f820 @ 0x76f820 TMethodImplementationIntercept+0x288f9b dbkFCallWrapperAddr-0x23a359 hibituninstaller+0x3722e3 @ 0x7722e3 TMethodImplementationIntercept+0x289499 dbkFCallWrapperAddr-0x239e5b hibituninstaller+0x3727e1 @ 0x7727e1 TMethodImplementationIntercept+0x28927b dbkFCallWrapperAddr-0x23a079 hibituninstaller+0x3725c3 @ 0x7725c3 TMethodImplementationIntercept+0x28443d dbkFCallWrapperAddr-0x23eeb7 hibituninstaller+0x36d785 @ 0x76d785 TMethodImplementationIntercept+0x3e8a11 dbkFCallWrapperAddr-0xda8e3 hibituninstaller+0x4d1d59 @ 0x8d1d59 TMethodImplementationIntercept+0x3e8eed dbkFCallWrapperAddr-0xda407 hibituninstaller+0x4d2235 @ 0x8d2235 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 76479568 registers.edi: 76480064 registers.eax: 76479568 registers.ebp: 76479648 registers.edx: 0 registers.ebx: 0 registers.esi: 7514164 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932504.726 __exception__	stacktrace: __dbk_fcall_wrapper-0x9cff hibituninstaller+0x984d @ 0x40984d __dbk_fcall_wrapper-0x9cff hibituninstaller+0x984d @ 0x40984d TMethodImplementationIntercept+0x3e8eed dbkFCallWrapperAddr-0xda407 hibituninstaller+0x4d2235 @ 0x8d2235 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 76480012 registers.edi: 76480204 registers.eax: 76480012 registers.ebp: 76480092 registers.edx: 0 registers.ebx: 4233293 registers.esi: 4233293 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932511.039 __exception__	stacktrace: __dbk_fcall_wrapper+0x65b68 TMethodImplementationIntercept-0x70294 hibituninstaller+0x790b4 @ 0x4790b4 __dbk_fcall_wrapper+0x65a85 TMethodImplementationIntercept-0x70377 hibituninstaller+0x78fd1 @ 0x478fd1 TMethodImplementationIntercept+0x3e897b dbkFCallWrapperAddr-0xda979 hibituninstaller+0x4d1cc3 @ 0x8d1cc3 TMethodImplementationIntercept+0x3e8eed dbkFCallWrapperAddr-0xda407 hibituninstaller+0x4d2235 @ 0x8d2235 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 90242544 registers.edi: 32 registers.eax: 90242544 registers.ebp: 90242624 registers.edx: 0 registers.ebx: 40826928 registers.esi: 40278580 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932511.273 __exception__	stacktrace: TMethodImplementationIntercept+0x23bff8 dbkFCallWrapperAddr-0x2872fc hibituninstaller+0x325340 @ 0x725340 TMethodImplementationIntercept+0x23c7ac dbkFCallWrapperAddr-0x286b48 hibituninstaller+0x325af4 @ 0x725af4 TMethodImplementationIntercept+0x2864d8 dbkFCallWrapperAddr-0x23ce1c hibituninstaller+0x36f820 @ 0x76f820 TMethodImplementationIntercept+0x288f9b dbkFCallWrapperAddr-0x23a359 hibituninstaller+0x3722e3 @ 0x7722e3 TMethodImplementationIntercept+0x289499 dbkFCallWrapperAddr-0x239e5b hibituninstaller+0x3727e1 @ 0x7727e1 TMethodImplementationIntercept+0x28927b dbkFCallWrapperAddr-0x23a079 hibituninstaller+0x3725c3 @ 0x7725c3 TMethodImplementationIntercept+0x28443d dbkFCallWrapperAddr-0x23eeb7 hibituninstaller+0x36d785 @ 0x76d785 TMethodImplementationIntercept+0x3e9582 dbkFCallWrapperAddr-0xd9d72 hibituninstaller+0x4d28ca @ 0x8d28ca TMethodImplementationIntercept+0x3e928d dbkFCallWrapperAddr-0xda067 hibituninstaller+0x4d25d5 @ 0x8d25d5 __dbk_fcall_wrapper+0x747d4 TMethodImplementationIntercept-0x61628 hibituninstaller+0x87d20 @ 0x487d20 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 84737036 registers.edi: 84737532 registers.eax: 84737036 registers.ebp: 84737116 registers.edx: 0 registers.ebx: 0 registers.esi: 7514164 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932511.289 __exception__	stacktrace: TMethodImplementationIntercept+0x18d314 dbkFCallWrapperAddr-0x335fe0 hibituninstaller+0x27665c @ 0x67665c TMethodImplementationIntercept+0x3e982a dbkFCallWrapperAddr-0xd9aca hibituninstaller+0x4d2b72 @ 0x8d2b72 TMethodImplementationIntercept+0x19172a dbkFCallWrapperAddr-0x331bca hibituninstaller+0x27aa72 @ 0x67aa72 __dbk_fcall_wrapper+0x781ce TMethodImplementationIntercept-0x5dc2e hibituninstaller+0x8b71a @ 0x48b71a gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x775a77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x775a788a TMethodImplementationIntercept+0x192010 dbkFCallWrapperAddr-0x3312e4 hibituninstaller+0x27b358 @ 0x67b358 registers.esp: 1636656 registers.edi: 0 registers.eax: 1636656 registers.ebp: 1636736 registers.edx: 0 registers.ebx: 84737728 registers.esi: 4067298 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932511.289 __exception__	stacktrace: __dbk_fcall_wrapper+0x752dc TMethodImplementationIntercept-0x60b20 hibituninstaller+0x88828 @ 0x488828 __dbk_fcall_wrapper+0x7533e TMethodImplementationIntercept-0x60abe hibituninstaller+0x8888a @ 0x48888a TMethodImplementationIntercept+0x3e934c dbkFCallWrapperAddr-0xd9fa8 hibituninstaller+0x4d2694 @ 0x8d2694 __dbk_fcall_wrapper+0x747d4 TMethodImplementationIntercept-0x61628 hibituninstaller+0x87d20 @ 0x487d20 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 84737540 registers.edi: 0 registers.eax: 84737540 registers.ebp: 84737620 registers.edx: 0 registers.ebx: 1 registers.esi: 2595 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932514.226 __exception__	stacktrace: __dbk_fcall_wrapper+0x65b68 TMethodImplementationIntercept-0x70294 hibituninstaller+0x790b4 @ 0x4790b4 __dbk_fcall_wrapper+0x65a85 TMethodImplementationIntercept-0x70377 hibituninstaller+0x78fd1 @ 0x478fd1 TMethodImplementationIntercept+0x3e897b dbkFCallWrapperAddr-0xda979 hibituninstaller+0x4d1cc3 @ 0x8d1cc3 TMethodImplementationIntercept+0x3e8eed dbkFCallWrapperAddr-0xda407 hibituninstaller+0x4d2235 @ 0x8d2235 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 90242544 registers.edi: 32 registers.eax: 90242544 registers.ebp: 90242624 registers.edx: 0 registers.ebx: 40827024 registers.esi: 40278580 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932514.914 __exception__	stacktrace: TMethodImplementationIntercept+0x23bff8 dbkFCallWrapperAddr-0x2872fc hibituninstaller+0x325340 @ 0x725340 TMethodImplementationIntercept+0x23c7ac dbkFCallWrapperAddr-0x286b48 hibituninstaller+0x325af4 @ 0x725af4 TMethodImplementationIntercept+0x2864d8 dbkFCallWrapperAddr-0x23ce1c hibituninstaller+0x36f820 @ 0x76f820 TMethodImplementationIntercept+0x288f9b dbkFCallWrapperAddr-0x23a359 hibituninstaller+0x3722e3 @ 0x7722e3 TMethodImplementationIntercept+0x289499 dbkFCallWrapperAddr-0x239e5b hibituninstaller+0x3727e1 @ 0x7727e1 TMethodImplementationIntercept+0x28927b dbkFCallWrapperAddr-0x23a079 hibituninstaller+0x3725c3 @ 0x7725c3 TMethodImplementationIntercept+0x28443d dbkFCallWrapperAddr-0x23eeb7 hibituninstaller+0x36d785 @ 0x76d785 TMethodImplementationIntercept+0x3e9582 dbkFCallWrapperAddr-0xd9d72 hibituninstaller+0x4d28ca @ 0x8d28ca TMethodImplementationIntercept+0x3e928d dbkFCallWrapperAddr-0xda067 hibituninstaller+0x4d25d5 @ 0x8d25d5 __dbk_fcall_wrapper+0x747d4 TMethodImplementationIntercept-0x61628 hibituninstaller+0x87d20 @ 0x487d20 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 85785612 registers.edi: 85786108 registers.eax: 85785612 registers.ebp: 85785692 registers.edx: 0 registers.ebx: 0 registers.esi: 7514164 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932515.023 __exception__	stacktrace: TMethodImplementationIntercept+0x18d314 dbkFCallWrapperAddr-0x335fe0 hibituninstaller+0x27665c @ 0x67665c TMethodImplementationIntercept+0x3e982a dbkFCallWrapperAddr-0xd9aca hibituninstaller+0x4d2b72 @ 0x8d2b72 TMethodImplementationIntercept+0x19172a dbkFCallWrapperAddr-0x331bca hibituninstaller+0x27aa72 @ 0x67aa72 __dbk_fcall_wrapper+0x781ce TMethodImplementationIntercept-0x5dc2e hibituninstaller+0x8b71a @ 0x48b71a gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x775a77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x775a788a TMethodImplementationIntercept+0x192010 dbkFCallWrapperAddr-0x3312e4 hibituninstaller+0x27b358 @ 0x67b358 registers.esp: 1636656 registers.edi: 0 registers.eax: 1636656 registers.ebp: 1636736 registers.edx: 0 registers.ebx: 85786304 registers.esi: 4067298 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932515.023 __exception__	stacktrace: __dbk_fcall_wrapper+0x752dc TMethodImplementationIntercept-0x60b20 hibituninstaller+0x88828 @ 0x488828 __dbk_fcall_wrapper+0x7533e TMethodImplementationIntercept-0x60abe hibituninstaller+0x8888a @ 0x48888a TMethodImplementationIntercept+0x3e934c dbkFCallWrapperAddr-0xd9fa8 hibituninstaller+0x4d2694 @ 0x8d2694 __dbk_fcall_wrapper+0x747d4 TMethodImplementationIntercept-0x61628 hibituninstaller+0x87d20 @ 0x487d20 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 85786116 registers.edi: 0 registers.eax: 85786116 registers.ebp: 85786196 registers.edx: 0 registers.ebx: 1 registers.esi: 2595 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932517.179 __exception__	stacktrace: TMethodImplementationIntercept+0x23bff8 dbkFCallWrapperAddr-0x2872fc hibituninstaller+0x325340 @ 0x725340 TMethodImplementationIntercept+0x23c7ac dbkFCallWrapperAddr-0x286b48 hibituninstaller+0x325af4 @ 0x725af4 TMethodImplementationIntercept+0x2864d8 dbkFCallWrapperAddr-0x23ce1c hibituninstaller+0x36f820 @ 0x76f820 TMethodImplementationIntercept+0x288f9b dbkFCallWrapperAddr-0x23a359 hibituninstaller+0x3722e3 @ 0x7722e3 TMethodImplementationIntercept+0x289499 dbkFCallWrapperAddr-0x239e5b hibituninstaller+0x3727e1 @ 0x7727e1 TMethodImplementationIntercept+0x28927b dbkFCallWrapperAddr-0x23a079 hibituninstaller+0x3725c3 @ 0x7725c3 TMethodImplementationIntercept+0x28443d dbkFCallWrapperAddr-0x23eeb7 hibituninstaller+0x36d785 @ 0x76d785 TMethodImplementationIntercept+0x3e9582 dbkFCallWrapperAddr-0xd9d72 hibituninstaller+0x4d28ca @ 0x8d28ca TMethodImplementationIntercept+0x3e928d dbkFCallWrapperAddr-0xda067 hibituninstaller+0x4d25d5 @ 0x8d25d5 __dbk_fcall_wrapper+0x747d4 TMethodImplementationIntercept-0x61628 hibituninstaller+0x87d20 @ 0x487d20 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 82967564 registers.edi: 82968060 registers.eax: 82967564 registers.ebp: 82967644 registers.edx: 0 registers.ebx: 0 registers.esi: 7514164 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932517.211 __exception__	stacktrace: TMethodImplementationIntercept+0x18d314 dbkFCallWrapperAddr-0x335fe0 hibituninstaller+0x27665c @ 0x67665c TMethodImplementationIntercept+0x3e982a dbkFCallWrapperAddr-0xd9aca hibituninstaller+0x4d2b72 @ 0x8d2b72 TMethodImplementationIntercept+0x19172a dbkFCallWrapperAddr-0x331bca hibituninstaller+0x27aa72 @ 0x67aa72 __dbk_fcall_wrapper+0x781ce TMethodImplementationIntercept-0x5dc2e hibituninstaller+0x8b71a @ 0x48b71a gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x775a77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x775a788a TMethodImplementationIntercept+0x192010 dbkFCallWrapperAddr-0x3312e4 hibituninstaller+0x27b358 @ 0x67b358 registers.esp: 1636656 registers.edi: 0 registers.eax: 1636656 registers.ebp: 1636736 registers.edx: 0 registers.ebx: 82968256 registers.esi: 4067298 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932517.226 __exception__	stacktrace: __dbk_fcall_wrapper+0x752dc TMethodImplementationIntercept-0x60b20 hibituninstaller+0x88828 @ 0x488828 __dbk_fcall_wrapper+0x7533e TMethodImplementationIntercept-0x60abe hibituninstaller+0x8888a @ 0x48888a TMethodImplementationIntercept+0x3e934c dbkFCallWrapperAddr-0xd9fa8 hibituninstaller+0x4d2694 @ 0x8d2694 __dbk_fcall_wrapper+0x747d4 TMethodImplementationIntercept-0x61628 hibituninstaller+0x87d20 @ 0x487d20 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 82968068 registers.edi: 0 registers.eax: 82968068 registers.ebp: 82968148 registers.edx: 0 registers.ebx: 1 registers.esi: 2595 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932517.461 __exception__	stacktrace: __dbk_fcall_wrapper+0x65b68 TMethodImplementationIntercept-0x70294 hibituninstaller+0x790b4 @ 0x4790b4 __dbk_fcall_wrapper+0x65a85 TMethodImplementationIntercept-0x70377 hibituninstaller+0x78fd1 @ 0x478fd1 TMethodImplementationIntercept+0x3e897b dbkFCallWrapperAddr-0xda979 hibituninstaller+0x4d1cc3 @ 0x8d1cc3 TMethodImplementationIntercept+0x3e8eed dbkFCallWrapperAddr-0xda407 hibituninstaller+0x4d2235 @ 0x8d2235 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 82968048 registers.edi: 32 registers.eax: 82968048 registers.ebp: 82968128 registers.edx: 0 registers.ebx: 40823424 registers.esi: 40278124 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932518.929 __exception__	stacktrace: TMethodImplementationIntercept+0x23bff8 dbkFCallWrapperAddr-0x2872fc hibituninstaller+0x325340 @ 0x725340 TMethodImplementationIntercept+0x23c7ac dbkFCallWrapperAddr-0x286b48 hibituninstaller+0x325af4 @ 0x725af4 TMethodImplementationIntercept+0x2864d8 dbkFCallWrapperAddr-0x23ce1c hibituninstaller+0x36f820 @ 0x76f820 TMethodImplementationIntercept+0x288f9b dbkFCallWrapperAddr-0x23a359 hibituninstaller+0x3722e3 @ 0x7722e3 TMethodImplementationIntercept+0x289499 dbkFCallWrapperAddr-0x239e5b hibituninstaller+0x3727e1 @ 0x7727e1 TMethodImplementationIntercept+0x28927b dbkFCallWrapperAddr-0x23a079 hibituninstaller+0x3725c3 @ 0x7725c3 TMethodImplementationIntercept+0x28443d dbkFCallWrapperAddr-0x23eeb7 hibituninstaller+0x36d785 @ 0x76d785 TMethodImplementationIntercept+0x3e9582 dbkFCallWrapperAddr-0xd9d72 hibituninstaller+0x4d28ca @ 0x8d28ca TMethodImplementationIntercept+0x3e928d dbkFCallWrapperAddr-0xda067 hibituninstaller+0x4d25d5 @ 0x8d25d5 __dbk_fcall_wrapper+0x747d4 TMethodImplementationIntercept-0x61628 hibituninstaller+0x87d20 @ 0x487d20 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 87096332 registers.edi: 87096828 registers.eax: 87096332 registers.ebp: 87096412 registers.edx: 0 registers.ebx: 0 registers.esi: 7514164 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932519.117 __exception__	stacktrace: TMethodImplementationIntercept+0x18d314 dbkFCallWrapperAddr-0x335fe0 hibituninstaller+0x27665c @ 0x67665c TMethodImplementationIntercept+0x3e982a dbkFCallWrapperAddr-0xd9aca hibituninstaller+0x4d2b72 @ 0x8d2b72 TMethodImplementationIntercept+0x19172a dbkFCallWrapperAddr-0x331bca hibituninstaller+0x27aa72 @ 0x67aa72 __dbk_fcall_wrapper+0x781ce TMethodImplementationIntercept-0x5dc2e hibituninstaller+0x8b71a @ 0x48b71a gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x775a77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x775a788a TMethodImplementationIntercept+0x192010 dbkFCallWrapperAddr-0x3312e4 hibituninstaller+0x27b358 @ 0x67b358 registers.esp: 1636656 registers.edi: 0 registers.eax: 1636656 registers.ebp: 1636736 registers.edx: 0 registers.ebx: 87097024 registers.esi: 4067298 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932519.117 __exception__	stacktrace: __dbk_fcall_wrapper+0x752dc TMethodImplementationIntercept-0x60b20 hibituninstaller+0x88828 @ 0x488828 __dbk_fcall_wrapper+0x7533e TMethodImplementationIntercept-0x60abe hibituninstaller+0x8888a @ 0x48888a TMethodImplementationIntercept+0x3e934c dbkFCallWrapperAddr-0xd9fa8 hibituninstaller+0x4d2694 @ 0x8d2694 __dbk_fcall_wrapper+0x747d4 TMethodImplementationIntercept-0x61628 hibituninstaller+0x87d20 @ 0x487d20 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 87096836 registers.edi: 0 registers.eax: 87096836 registers.ebp: 87096916 registers.edx: 0 registers.ebx: 1 registers.esi: 2595 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932520.82 __exception__	stacktrace: TMethodImplementationIntercept+0x23bff8 dbkFCallWrapperAddr-0x2872fc hibituninstaller+0x325340 @ 0x725340 TMethodImplementationIntercept+0x23c7ac dbkFCallWrapperAddr-0x286b48 hibituninstaller+0x325af4 @ 0x725af4 TMethodImplementationIntercept+0x2864d8 dbkFCallWrapperAddr-0x23ce1c hibituninstaller+0x36f820 @ 0x76f820 TMethodImplementationIntercept+0x288f9b dbkFCallWrapperAddr-0x23a359 hibituninstaller+0x3722e3 @ 0x7722e3 TMethodImplementationIntercept+0x289499 dbkFCallWrapperAddr-0x239e5b hibituninstaller+0x3727e1 @ 0x7727e1 TMethodImplementationIntercept+0x28927b dbkFCallWrapperAddr-0x23a079 hibituninstaller+0x3725c3 @ 0x7725c3 TMethodImplementationIntercept+0x28443d dbkFCallWrapperAddr-0x23eeb7 hibituninstaller+0x36d785 @ 0x76d785 TMethodImplementationIntercept+0x3e9582 dbkFCallWrapperAddr-0xd9d72 hibituninstaller+0x4d28ca @ 0x8d28ca TMethodImplementationIntercept+0x3e928d dbkFCallWrapperAddr-0xda067 hibituninstaller+0x4d25d5 @ 0x8d25d5 __dbk_fcall_wrapper+0x747d4 TMethodImplementationIntercept-0x61628 hibituninstaller+0x87d20 @ 0x487d20 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 89193484 registers.edi: 89193980 registers.eax: 89193484 registers.ebp: 89193564 registers.edx: 0 registers.ebx: 0 registers.esi: 7514164 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932520.867 __exception__	stacktrace: TMethodImplementationIntercept+0x18d314 dbkFCallWrapperAddr-0x335fe0 hibituninstaller+0x27665c @ 0x67665c TMethodImplementationIntercept+0x3e982a dbkFCallWrapperAddr-0xd9aca hibituninstaller+0x4d2b72 @ 0x8d2b72 TMethodImplementationIntercept+0x19172a dbkFCallWrapperAddr-0x331bca hibituninstaller+0x27aa72 @ 0x67aa72 __dbk_fcall_wrapper+0x781ce TMethodImplementationIntercept-0x5dc2e hibituninstaller+0x8b71a @ 0x48b71a gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x775a77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x775a788a TMethodImplementationIntercept+0x192010 dbkFCallWrapperAddr-0x3312e4 hibituninstaller+0x27b358 @ 0x67b358 registers.esp: 1636656 registers.edi: 0 registers.eax: 1636656 registers.ebp: 1636736 registers.edx: 0 registers.ebx: 89194176 registers.esi: 4067298 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932520.867 __exception__	stacktrace: __dbk_fcall_wrapper+0x752dc TMethodImplementationIntercept-0x60b20 hibituninstaller+0x88828 @ 0x488828 __dbk_fcall_wrapper+0x7533e TMethodImplementationIntercept-0x60abe hibituninstaller+0x8888a @ 0x48888a TMethodImplementationIntercept+0x3e934c dbkFCallWrapperAddr-0xd9fa8 hibituninstaller+0x4d2694 @ 0x8d2694 __dbk_fcall_wrapper+0x747d4 TMethodImplementationIntercept-0x61628 hibituninstaller+0x87d20 @ 0x487d20 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 89193988 registers.edi: 0 registers.eax: 89193988 registers.ebp: 89194068 registers.edx: 0 registers.ebx: 1 registers.esi: 2595 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932522.242 __exception__	stacktrace: TMethodImplementationIntercept+0x23bff8 dbkFCallWrapperAddr-0x2872fc hibituninstaller+0x325340 @ 0x725340 TMethodImplementationIntercept+0x23c7ac dbkFCallWrapperAddr-0x286b48 hibituninstaller+0x325af4 @ 0x725af4 TMethodImplementationIntercept+0x2864d8 dbkFCallWrapperAddr-0x23ce1c hibituninstaller+0x36f820 @ 0x76f820 TMethodImplementationIntercept+0x288f9b dbkFCallWrapperAddr-0x23a359 hibituninstaller+0x3722e3 @ 0x7722e3 TMethodImplementationIntercept+0x289499 dbkFCallWrapperAddr-0x239e5b hibituninstaller+0x3727e1 @ 0x7727e1 TMethodImplementationIntercept+0x28927b dbkFCallWrapperAddr-0x23a079 hibituninstaller+0x3725c3 @ 0x7725c3 TMethodImplementationIntercept+0x28443d dbkFCallWrapperAddr-0x23eeb7 hibituninstaller+0x36d785 @ 0x76d785 TMethodImplementationIntercept+0x3e9582 dbkFCallWrapperAddr-0xd9d72 hibituninstaller+0x4d28ca @ 0x8d28ca TMethodImplementationIntercept+0x3e928d dbkFCallWrapperAddr-0xda067 hibituninstaller+0x4d25d5 @ 0x8d25d5 __dbk_fcall_wrapper+0x747d4 TMethodImplementationIntercept-0x61628 hibituninstaller+0x87d20 @ 0x487d20 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 85785612 registers.edi: 85786108 registers.eax: 85785612 registers.ebp: 85785692 registers.edx: 0 registers.ebx: 0 registers.esi: 7514164 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932522.289 __exception__	stacktrace: TMethodImplementationIntercept+0x18d314 dbkFCallWrapperAddr-0x335fe0 hibituninstaller+0x27665c @ 0x67665c TMethodImplementationIntercept+0x3e982a dbkFCallWrapperAddr-0xd9aca hibituninstaller+0x4d2b72 @ 0x8d2b72 TMethodImplementationIntercept+0x19172a dbkFCallWrapperAddr-0x331bca hibituninstaller+0x27aa72 @ 0x67aa72 __dbk_fcall_wrapper+0x781ce TMethodImplementationIntercept-0x5dc2e hibituninstaller+0x8b71a @ 0x48b71a gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x775a77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x775a788a TMethodImplementationIntercept+0x192010 dbkFCallWrapperAddr-0x3312e4 hibituninstaller+0x27b358 @ 0x67b358 registers.esp: 1636656 registers.edi: 0 registers.eax: 1636656 registers.ebp: 1636736 registers.edx: 0 registers.ebx: 85786304 registers.esi: 4067298 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932522.289 __exception__	stacktrace: __dbk_fcall_wrapper+0x752dc TMethodImplementationIntercept-0x60b20 hibituninstaller+0x88828 @ 0x488828 __dbk_fcall_wrapper+0x7533e TMethodImplementationIntercept-0x60abe hibituninstaller+0x8888a @ 0x48888a TMethodImplementationIntercept+0x3e934c dbkFCallWrapperAddr-0xd9fa8 hibituninstaller+0x4d2694 @ 0x8d2694 __dbk_fcall_wrapper+0x747d4 TMethodImplementationIntercept-0x61628 hibituninstaller+0x87d20 @ 0x487d20 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 85786116 registers.edi: 0 registers.eax: 85786116 registers.ebp: 85786196 registers.edx: 0 registers.ebx: 1 registers.esi: 2595 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932522.351 __exception__	stacktrace: TMethodImplementationIntercept+0x23bff8 dbkFCallWrapperAddr-0x2872fc hibituninstaller+0x325340 @ 0x725340 TMethodImplementationIntercept+0x23c7ac dbkFCallWrapperAddr-0x286b48 hibituninstaller+0x325af4 @ 0x725af4 TMethodImplementationIntercept+0x2864d8 dbkFCallWrapperAddr-0x23ce1c hibituninstaller+0x36f820 @ 0x76f820 TMethodImplementationIntercept+0x288f9b dbkFCallWrapperAddr-0x23a359 hibituninstaller+0x3722e3 @ 0x7722e3 TMethodImplementationIntercept+0x289499 dbkFCallWrapperAddr-0x239e5b hibituninstaller+0x3727e1 @ 0x7727e1 TMethodImplementationIntercept+0x28927b dbkFCallWrapperAddr-0x23a079 hibituninstaller+0x3725c3 @ 0x7725c3 TMethodImplementationIntercept+0x28443d dbkFCallWrapperAddr-0x23eeb7 hibituninstaller+0x36d785 @ 0x76d785 TMethodImplementationIntercept+0x3e8a11 dbkFCallWrapperAddr-0xda8e3 hibituninstaller+0x4d1d59 @ 0x8d1d59 TMethodImplementationIntercept+0x3e8eed dbkFCallWrapperAddr-0xda407 hibituninstaller+0x4d2235 @ 0x8d2235 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 88144976 registers.edi: 88145472 registers.eax: 88144976 registers.ebp: 88145056 registers.edx: 0 registers.ebx: 0 registers.esi: 7514164 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1620932522.398 __exception__	stacktrace: __dbk_fcall_wrapper-0x9cff hibituninstaller+0x984d @ 0x40984d __dbk_fcall_wrapper-0x9cff hibituninstaller+0x984d @ 0x40984d TMethodImplementationIntercept+0x3e8eed dbkFCallWrapperAddr-0xda407 hibituninstaller+0x4d2235 @ 0x8d2235 __dbk_fcall_wrapper-0x7dca hibituninstaller+0xb782 @ 0x40b782 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 88145420 registers.edi: 88145612 registers.eax: 88145420 registers.ebp: 88145500 registers.edx: 0 registers.ebx: 4233293 registers.esi: 4233293 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (3 个事件)

request	GET http://www.hibitsoft.ir/HiBitUninstaller/Ver.DBS
request	GET http://www.hibitsoft.ir/HiBitUninstaller/Changelog.txt
request	GET http://hibitsoft.ir/HiBitUninstaller/HiBitUninstaller-setup-2.5.95.exe

Allocates read-write-execute memory (usually to unpack itself) (6 个事件)

Time & API	Arguments	Status
1620932439.914625 NtProtectVirtualMemory	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success
1620932439.914625 NtProtectVirtualMemory	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 45056 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00401000	success
1620932439.914625 NtProtectVirtualMemory	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00410000	success
1620932440.9765 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00660000	success
1620932512.679374 NtAllocateVirtualMemory	process_identifier: 1424 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0000000004170000	success
1620932461.101 NtAllocateVirtualMemory	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003e0000	success

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620932448.5395 GetDiskFreeSpaceExW	root_path: C:\Program Files (x86)\HiBit Uninstaller\ free_bytes_available: 8600306909957483753 total_number_of_free_bytes: 0 total_number_of_bytes: 4294967295	failed	0	0
1620932448.5395 GetDiskFreeSpaceExW	root_path: C:\Program Files (x86)\ free_bytes_available: 19610210304 total_number_of_free_bytes: 0 total_number_of_bytes: 34252779520	success	1	0

Creates executable files on the filesystem (4 个事件)

file	C:\Users\Public\Desktop\HiBit Uninstaller.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HiBit Uninstaller\HiBit Uninstaller.lnk
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\HiBitUninstaller-setup.exe
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HiBit Uninstaller\Uninstall HiBit Uninstaller.lnk

Creates a shortcut to an executable file (3 个事件)

file	C:\Users\Public\Desktop\HiBit Uninstaller.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HiBit Uninstaller\HiBit Uninstaller.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HiBit Uninstaller\Uninstall HiBit Uninstaller.lnk

Drops an executable to the user AppData folder (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-HQUSP.tmp\c3e12582a2e5df1da27711ed72590d54.tmp

An executable file was downloaded by the process hibituninstaller.exe (3 个事件)

Time & API	Arguments	Status	Return
1620932488.554 recv	buffer: HTTP/1.1 200 OK Date: Thu, 13 May 2021 11:03:10 GMT Server: Apache Last-Modified: Sun, 24 Jan 2021 19:10:29 GMT Accept-Ranges: bytes Content-Length: 3209393 Vary: Accept-Encoding,User-Agent Content-Type: application/x-msdownload MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à¤FÐªÀ@P@@à\| ,CODE¢¤ `DATAPÀ¨@ÀBSSÐ¬À.idata\| à ¬@À.tlsð¶À.rdata¶@P.reloc @P.rsrc, ,¸@PPî@P string<@m@Ä)@¬(@Ô(@)@$)@Free0)@InitInstanceL)@CleanupInstanceh(@ ClassTypel(@ ClassName(@ClassNameIs¨(@ClassParentÀ)@ ClassInf received: 1460 socket: 544	success	1460
1620932496.117 recv	buffer: HTTP/1.1 200 OK Date: Thu, 13 May 2021 11:03:18 GMT Server: Apache Last-Modified: Sun, 24 Jan 2021 19:10:29 GMT Accept-Ranges: bytes Content-Length: 3209393 Vary: Accept-Encoding,User-Agent Content-Type: application/x-msdownload MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à¤FÐªÀ@P@@à\| ,CODE¢¤ `DATAPÀ¨@ÀBSSÐ¬À.idata\| à ¬@À.tlsð¶À.rdata¶@P.reloc @P.rsrc, ,¸@PPî@P string<@m@Ä)@¬(@Ô(@)@$)@Free0)@InitInstanceL)@CleanupInstanceh(@ ClassTypel(@ ClassName(@ClassNameIs¨(@ClassParentÀ)@ ClassInf received: 1460 socket: 532	success	1460
1620932512.804 recv	buffer: HTTP/1.1 200 OK Date: Thu, 13 May 2021 11:03:31 GMT Server: Apache Last-Modified: Sun, 24 Jan 2021 19:10:29 GMT Accept-Ranges: bytes Content-Length: 3209393 Vary: Accept-Encoding,User-Agent Content-Type: application/x-msdownload MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à¤FÐªÀ@P@@à\| ,CODE¢¤ `DATAPÀ¨@ÀBSSÐ¬À.idata\| à ¬@À.tlsð¶À.rdata¶@P.reloc @P.rsrc, ,¸@PPî@P string<@m@Ä)@¬(@Ô(@)@$)@Free0)@InitInstanceL)@CleanupInstanceh(@ ClassTypel(@ ClassName(@ClassNameIs¨(@ClassParentÀ)@ ClassInf received: 1460 socket: 644	success	1460

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620932461.633 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Queries for potentially installed applications (45 个事件)

Time & API	Arguments	Status	Return
1620932441.6795 RegOpenKeyExA	access: 0x00000001 base_handle: 0x80000001 key_handle: 0x00000000 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{318AF7D1-C350-4F69-8C13-83B88BFF1355}_is1 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{318AF7D1-C350-4F69-8C13-83B88BFF1355}_is1 options: 0	failed	2
1620932441.6795 RegOpenKeyExA	access: 0x00000001 base_handle: 0x80000002 key_handle: 0x00000000 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{318AF7D1-C350-4F69-8C13-83B88BFF1355}_is1 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{318AF7D1-C350-4F69-8C13-83B88BFF1355}_is1 options: 0	failed	2
1620932444.6955 RegOpenKeyExA	access: 0x00000001 base_handle: 0x80000001 key_handle: 0x00000000 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{318AF7D1-C350-4F69-8C13-83B88BFF1355}_is1 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{318AF7D1-C350-4F69-8C13-83B88BFF1355}_is1 options: 0	failed	2
1620932444.6955 RegOpenKeyExA	access: 0x00000001 base_handle: 0x80000002 key_handle: 0x00000000 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{318AF7D1-C350-4F69-8C13-83B88BFF1355}_is1 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{318AF7D1-C350-4F69-8C13-83B88BFF1355}_is1 options: 0	failed	2
1620932457.1335 RegOpenKeyExA	access: 0x00000008 base_handle: 0x80000001 key_handle: 0x00000000 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{318AF7D1-C350-4F69-8C13-83B88BFF1355}_is1 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{318AF7D1-C350-4F69-8C13-83B88BFF1355}_is1 options: 0	failed	2
1620932457.1335 RegOpenKeyExA	access: 0x00000008 base_handle: 0x80000002 key_handle: 0x00000000 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{318AF7D1-C350-4F69-8C13-83B88BFF1355}_is1 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{318AF7D1-C350-4F69-8C13-83B88BFF1355}_is1 options: 0	failed	2
1620932462.367 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall options: 0	success	0
1620932462.367 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook options: 0	success	0
1620932462.367 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager options: 0	success	0
1620932462.367 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx options: 0	success	0
1620932462.367 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime options: 0	success	0
1620932462.367 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore options: 0	success	0
1620932462.367 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 options: 0	success	0
1620932462.367 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data options: 0	success	0
1620932462.367 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX options: 0	success	0
1620932462.367 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData options: 0	success	0
1620932462.367 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft .NET Framework 4 Client Profile regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft .NET Framework 4 Client Profile options: 0	success	0
1620932462.554 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft .NET Framework 4 Extended regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft .NET Framework 4 Extended options: 0	success	0
1620932462.711 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack options: 0	success	0
1620932462.711 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2 options: 0	success	0
1620932462.711 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions options: 0	success	0
1620932463.117 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent options: 0	success	0
1620932463.117 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC options: 0	success	0
1620932463.117 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8E34682C-8118-31F1-BC4C-98CD9675E1C2} regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8E34682C-8118-31F1-BC4C-98CD9675E1C2} options: 0	success	0
1620932463.117 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6} regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6} options: 0	success	0
1620932463.179 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E} regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E} options: 0	success	0
1620932463.226 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} options: 0	success	0
1620932463.226 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall options: 0	success	0
1620932463.226 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook options: 0	success	0
1620932463.226 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager options: 0	success	0
1620932463.226 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx options: 0	success	0
1620932463.226 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore options: 0	success	0
1620932463.226 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome options: 0	success	0
1620932463.804 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40 regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40 options: 0	success	0
1620932463.804 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data options: 0	success	0
1620932463.804 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX options: 0	success	0
1620932463.804 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData options: 0	success	0
1620932463.804 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack options: 0	success	0
1620932463.804 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent options: 0	success	0
1620932463.804 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC options: 0	success	0
1620932463.804 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{318AF7D1-C350-4F69-8C13-83B88BFF1355}_is1 regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{318AF7D1-C350-4F69-8C13-83B88BFF1355}_is1 options: 0	success	0
1620932464.023 RegOpenKeyExW	access: 0x00020019 base_handle: 0x80000001 key_handle: 0x00000000 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall options: 0	failed	2
1620932464.023 RegOpenKeyExW	access: 0x00020009 base_handle: 0x80000001 key_handle: 0x00000000 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall options: 0	failed	2
1620932464.023 RegOpenKeyExW	access: 0x00000001 base_handle: 0x80000001 key_handle: 0x00000000 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall options: 0	failed	2
1620932464.679 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000001c4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome options: 0	success	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Checks the CPU name from registry, possibly for anti-virtualization (1 个事件)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Collects information about installed applications (7 个事件)

Time & API	Arguments	Status
1620932462.367 RegQueryValueExW	key_handle: 0x000001c4 value: Microsoft .NET Framework 4 Client Profile regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft .NET Framework 4 Client Profile\DisplayName	success
1620932462.554 RegQueryValueExW	key_handle: 0x000001c4 value: Microsoft .NET Framework 4 Extended regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft .NET Framework 4 Extended\DisplayName	success
1620932462.726 RegQueryValueExW	key_handle: 0x000001c4 value: Oracle VM VirtualBox Guest Additions 6.1.18 regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\DisplayName	success
1620932463.133 RegQueryValueExW	key_handle: 0x000001c4 value: Python 2.7.18 (64-bit) regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6}\DisplayName	success
1620932463.179 RegQueryValueExW	key_handle: 0x000001c4 value: Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}\DisplayName	success
1620932463.226 RegQueryValueExW	key_handle: 0x000001c4 value: Google Chrome regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	success
1620932463.804 RegQueryValueExW	key_handle: 0x000001c4 value: HiBit Uninstaller version 2.5.10.300 regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{318AF7D1-C350-4F69-8C13-83B88BFF1355}_is1\DisplayName	success

Detects VirtualBox through the presence of a file (1 个事件)

file	C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe

Detects VirtualBox through the presence of a registry key (12 个事件)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\DisplayIcon
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\UninstallString
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\InstallDate
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\EstimatedSize
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\InstallLocation
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\Comments
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\DisplayName
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\ParentDisplayName
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\Publisher
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\SystemComponent
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\Inno Setup: App Path

Generates some ICMP traffic

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:

• 0x40e0b4 DeleteCriticalSection

• 0x40e0b8 LeaveCriticalSection

• 0x40e0bc EnterCriticalSection

• 0x40e0c0 InitializeCriticalSection

• 0x40e0c4 VirtualFree

• 0x40e0c8 VirtualAlloc

• 0x40e0cc LocalFree

• 0x40e0d0 LocalAlloc

• 0x40e0d4 WideCharToMultiByte

• 0x40e0d8 TlsSetValue

• 0x40e0dc TlsGetValue

• 0x40e0e0 MultiByteToWideChar

• 0x40e0e4 GetModuleHandleA

• 0x40e0e8 GetLastError

• 0x40e0ec GetCommandLineA

• 0x40e0f0 WriteFile

• 0x40e0f4 SetFilePointer

• 0x40e0f8 SetEndOfFile

• 0x40e0fc RtlUnwind

• 0x40e100 ReadFile

• 0x40e104 RaiseException

• 0x40e108 GetStdHandle

• 0x40e10c GetFileSize

• 0x40e110 GetSystemTime

• 0x40e114 GetFileType

• 0x40e118 ExitProcess

• 0x40e11c CreateFileA

• 0x40e120 CloseHandle

Library user32.dll:

• 0x40e128 MessageBoxA

Library oleaut32.dll:

• 0x40e130 VariantChangeTypeEx

• 0x40e134 VariantCopyInd

• 0x40e138 VariantClear

• 0x40e13c SysStringLen

• 0x40e140 SysAllocStringLen

Library advapi32.dll:

• 0x40e148 RegQueryValueExA

• 0x40e14c RegOpenKeyExA

• 0x40e150 RegCloseKey

• 0x40e154 OpenProcessToken

• 0x40e158 LookupPrivilegeValueA

Library kernel32.dll:

• 0x40e160 WriteFile

• 0x40e164 VirtualQuery

• 0x40e168 VirtualProtect

• 0x40e16c VirtualFree

• 0x40e170 VirtualAlloc

• 0x40e174 Sleep

• 0x40e178 SizeofResource

• 0x40e17c SetLastError

• 0x40e180 SetFilePointer

• 0x40e184 SetErrorMode

• 0x40e188 SetEndOfFile

• 0x40e18c RemoveDirectoryA

• 0x40e190 ReadFile

• 0x40e194 LockResource

• 0x40e198 LoadResource

• 0x40e19c LoadLibraryA

• 0x40e1a0 IsDBCSLeadByte

• 0x40e1a4 GetWindowsDirectoryA

• 0x40e1a8 GetVersionExA

• 0x40e1ac GetVersion

• 0x40e1b0 GetUserDefaultLangID

• 0x40e1b4 GetSystemInfo

• 0x40e1b8 GetSystemDirectoryA

• 0x40e1bc GetSystemDefaultLCID

• 0x40e1c0 GetProcAddress

• 0x40e1c4 GetModuleHandleA

• 0x40e1c8 GetModuleFileNameA

• 0x40e1cc GetLocaleInfoA

• 0x40e1d0 GetLastError

• 0x40e1d4 GetFullPathNameA

• 0x40e1d8 GetFileSize

• 0x40e1dc GetFileAttributesA

• 0x40e1e0 GetExitCodeProcess

• 0x40e1e4 GetEnvironmentVariableA

• 0x40e1e8 GetCurrentProcess

• 0x40e1ec GetCommandLineA

• 0x40e1f0 GetACP

• 0x40e1f4 InterlockedExchange

• 0x40e1f8 FormatMessageA

• 0x40e1fc FindResourceA

• 0x40e200 DeleteFileA

• 0x40e204 CreateProcessA

• 0x40e208 CreateFileA

• 0x40e20c CreateDirectoryA

• 0x40e210 CloseHandle

Library user32.dll:

• 0x40e218 TranslateMessage

• 0x40e21c SetWindowLongA

• 0x40e220 PeekMessageA

• 0x40e224 MsgWaitForMultipleObjects

• 0x40e228 MessageBoxA

• 0x40e22c LoadStringA

• 0x40e230 ExitWindowsEx

• 0x40e234 DispatchMessageA

• 0x40e238 DestroyWindow

• 0x40e23c CreateWindowExA

• 0x40e240 CallWindowProcA

• 0x40e244 CharPrevA

Library comctl32.dll:

• 0x40e24c InitCommonControls

Library advapi32.dll:

• 0x40e254 AdjustTokenPrivileges

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
hibitsoft.ir	A 185.159.153.125	185.159.153.125
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	A 172.217.160.78 CNAME clients.l.google.com	172.217.160.110
www.hibitsoft.ir	CNAME hibitsoft.ir A 185.159.153.125	185.159.153.125
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49195	185.159.153.125 www.hibitsoft.ir	80
192.168.56.101	49204	185.159.153.125 www.hibitsoft.ir	80
192.168.56.101	49205	185.159.153.125 www.hibitsoft.ir	80
192.168.56.101	49208	185.159.153.125 www.hibitsoft.ir	80
192.168.56.101	49212	185.159.153.125 www.hibitsoft.ir	80
192.168.56.101	49215	185.159.153.125 www.hibitsoft.ir	80
192.168.56.101	49218	185.159.153.125 www.hibitsoft.ir	80
192.168.56.101	49220	185.159.153.125 www.hibitsoft.ir	80
192.168.56.101	49225	185.159.153.125 www.hibitsoft.ir	80
192.168.56.101	49227	185.159.153.125 www.hibitsoft.ir	80
192.168.56.101	49230	185.159.153.125 www.hibitsoft.ir	80
192.168.56.101	49232	185.159.153.125 www.hibitsoft.ir	80
192.168.56.101	49236	185.159.153.125 www.hibitsoft.ir	80
192.168.56.101	49237	185.159.153.125 www.hibitsoft.ir	80
192.168.56.101	49244	185.159.153.125 www.hibitsoft.ir	80
192.168.56.101	49245	185.159.153.125 www.hibitsoft.ir	80
192.168.56.101	49248	185.159.153.125 www.hibitsoft.ir	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49713	114.114.114.114	53
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	50568	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	57236	114.114.114.114	53
192.168.56.101	57874	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	61680	114.114.114.114	53
192.168.56.101	62912	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53210	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	54178	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://www.hibitsoft.ir/HiBitUninstaller/Changelog.txt	GET /HiBitUninstaller/Changelog.txt HTTP/1.1 Host: www.hibitsoft.ir Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
http://www.hibitsoft.ir/HiBitUninstaller/Ver.DBS	GET /HiBitUninstaller/Ver.DBS HTTP/1.1 Host: www.hibitsoft.ir Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
http://hibitsoft.ir/HiBitUninstaller/HiBitUninstaller-setup-2.5.95.exe	GET /HiBitUninstaller/HiBitUninstaller-setup-2.5.95.exe HTTP/1.1 Host: hibitsoft.ir Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

URI

Data

http://www.hibitsoft.ir/HiBitUninstaller/Changelog.txt

GET /HiBitUninstaller/Changelog.txt HTTP/1.1
Host: www.hibitsoft.ir
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

http://www.hibitsoft.ir/HiBitUninstaller/Ver.DBS

GET /HiBitUninstaller/Ver.DBS HTTP/1.1
Host: www.hibitsoft.ir
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

http://hibitsoft.ir/HiBitUninstaller/HiBitUninstaller-setup-2.5.95.exe

GET /HiBitUninstaller/HiBitUninstaller-setup-2.5.95.exe HTTP/1.1
Host: hibitsoft.ir
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.