Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 23, 2021, 6:14 p.m.	April 23, 2021, 6:21 p.m.

Size	897.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`8062355a111a77ec5e83711bb635b60b`
SHA256	`cc5a25af0aab6dcbcafcb9c02d6eb48cf973833a58a70dcb5c4eac86abf7d306`
CRC32	`3F86BB9A`
ssdeep	`24576:WAHnh+eWsN3skA4RV1Hom2KXMmHar/DM5:xh+ZkldoPK8YarG`
Yara	PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero IsPE32 - (no description) IsWindowsGUI - (no description) HasDebugData - DebugData Check HasRichSignature - Rich Signature Check AutoIt - www.autoitscript.com/site/autoit/ Device_Check_Zero - Device Check Zero Process_Snapshot_Kill_Zero - Process Kill Zero CryptGenKey_Zero - CryptGenKey Zero FindFirstVolume_Zero - FindFirstVolume Zero inject_thread - Code injection with CreateRemoteThread in a remote process network_http - Communications over HTTP escalate_priv - Escalade priviledges screenshot - Take screenshot keylogger - Run a keylogger win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration Str_Win32_Wininet_Library - Match Windows Inet API library declaration Str_Win32_Internet_API - Match Windows Inet API call Str_Win32_Http_API - Match Windows Http API call

sskiper.exe "C:\Users\test22\AppData\Local\Temp\sskiper.exe"
732
- 1753875954.exe C:\Users\test22\AppData\Local\Temp\1753875954.exe
  2164
  - AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    2524
- 1464358104.exe C:\Users\test22\AppData\Local\Temp\1464358104.exe
  2388
  - AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    1596
- cmd.exe "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\test22\AppData\Local\Temp\sskiper.exe & exit
  2520
  - PING.EXE ping 0
    2908

Name	Response	Post-Analysis Lookup
iplogger.com	A 88.99.66.31	88.99.66.31
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	104.26.12.31
download3.info	A 185.230.141.234 A 185.26.121.195	185.26.121.195
download2.info	A 109.248.175.195	109.248.175.195
kis-easy.ru	A 81.177.140.201	81.177.140.201
h.fastihost.ru	A 81.177.140.201	81.177.140.201

IP Address	Status	Action
104.26.13.31	Active	Moloch
109.248.175.195	Active	Moloch
164.124.101.2	Active	Moloch
185.230.141.234	Active	Moloch
188.119.112.16	Active	Moloch
81.177.140.201	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49200 -> 109.248.175.195:80	2030880	ET USER_AGENTS Suspicious User-Agent (Installed OK)	Potentially Bad Traffic
TCP 192.168.56.101:49200 -> 109.248.175.195:80	2030880	ET USER_AGENTS Suspicious User-Agent (Installed OK)	Potentially Bad Traffic
TCP 109.248.175.195:80 -> 192.168.56.101:49200	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 109.248.175.195:80 -> 192.168.56.101:49200	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 109.248.175.195:80 -> 192.168.56.101:49200	2014819	ET INFO Packed Executable Download	Misc activity
TCP 109.248.175.195:80 -> 192.168.56.101:49200	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.101:49203 -> 81.177.140.201:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49197 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49220 -> 104.26.13.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49208 -> 104.26.13.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49209 -> 81.177.140.201:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 188.119.112.16:29931 -> 192.168.56.101:49219	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49203 81.177.140.201:443	C=US, O=Let's Encrypt, CN=R3	CN=*.fastihost.ru	0c:2d:0c:e9:c5:6e:b3:41:59:ee:68:5d:fe:67:b5:7a:65:08:ce:90
TLSv1 192.168.56.101:49197 88.99.66.31:443	C=US, O=Let's Encrypt, CN=R3	CN=iplogger.com	a6:9e:b0:a2:7d:aa:50:d1:63:45:45:aa:4b:92:18:ef:3b:1e:2e:94
TLSv1 192.168.56.101:49220 104.26.13.31:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	5e:7d:19:2d:d7:66:0c:63:45:a5:24:8f:b7:db:35:a7:61:6d:89:0e
TLSv1 192.168.56.101:49208 104.26.13.31:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	5e:7d:19:2d:d7:66:0c:63:45:a5:24:8f:b7:db:35:a7:61:6d:89:0e
TLS 1.2 192.168.56.101:49209 81.177.140.201:443	C=US, O=Let's Encrypt, CN=R3	CN=*.kis-easy.ru	a9:23:93:be:e2:63:09:bd:ea:cf:1d:a9:65:87:f7:61:88:f4:0d:b4

Queries for the computername (24 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 23, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (9 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 23, 2021, 6:14 p.m.			0	0
IsDebuggerPresent April 23, 2021, 6:14 p.m.			0	0
IsDebuggerPresent April 23, 2021, 6:14 p.m.			0	0
IsDebuggerPresent April 23, 2021, 6:19 p.m.			0	0
IsDebuggerPresent April 23, 2021, 6:19 p.m.			0	0
IsDebuggerPresent April 23, 2021, 6:19 p.m.			0	0
IsDebuggerPresent April 23, 2021, 6:19 p.m.			0	0
IsDebuggerPresent April 23, 2021, 6:20 p.m.			0	0
IsDebuggerPresent April 23, 2021, 6:20 p.m.			0	0

Command line console output was observed (7 events)

Time & API	Arguments	Status	Return
WriteConsoleA April 23, 2021, 6:20 p.m.	buffer: Pinging 0.0.0.0 console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 6:20 p.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 6:20 p.m.	buffer: PING: transmit failed. General failure. console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 6:20 p.m.	buffer: PING: transmit failed. General failure. console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 6:20 p.m.	buffer: PING: transmit failed. General failure. console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 6:20 p.m.	buffer: PING: transmit failed. General failure. console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 6:20 p.m.	buffer: Ping statistics for 0.0.0.0: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (12 events)

Time & API	Arguments	Status	Return
CryptExportKey April 23, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00493188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 23, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00493188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 23, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00493208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 23, 2021, 6:20 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e3d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 23, 2021, 6:20 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e3d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 23, 2021, 6:20 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e298 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 23, 2021, 6:20 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c1998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 23, 2021, 6:20 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c1998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 23, 2021, 6:20 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c1a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 23, 2021, 6:20 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0075c990 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 23, 2021, 6:20 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0075c990 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 23, 2021, 6:20 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0075c850 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 23, 2021, 6:14 p.m.		1	1	0

One or more processes crashed (28 events)

Time & API	Arguments	Status
__exception__ April 23, 2021, 6:14 p.m.	stacktrace: DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71f92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71fa264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71fa2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72057610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x720e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x720e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x720e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x720e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7263f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e8 b9 24 01 f5 6f e8 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5500bc registers.esp: 5304092 registers.edi: 5304144 registers.eax: 3030424 registers.ebp: 5304120 registers.edx: 8 registers.ebx: 5304292 registers.esi: 0 registers.ecx: 0	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x935502 0x930c46 0x930241 0x930070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70572e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x706274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70627610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x706b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x706b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x706b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x706b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x725bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x935591 registers.esp: 3665992 registers.edi: 34889788 registers.eax: 0 registers.ebp: 3666016 registers.edx: 4600896 registers.ebx: 34153372 registers.esi: 34889968 registers.ecx: 0	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x9384f7 0x938439 0x937b1f 0x9311c2 0x930241 0x930070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70572e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x706274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70627610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x706b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x706b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x706b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x706b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x725bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x93881b registers.esp: 3665784 registers.edi: 35620404 registers.eax: 0 registers.ebp: 3665820 registers.edx: 32427852 registers.ebx: 35618528 registers.esi: 35613548 registers.ecx: 32428376	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x9384f7 0x938439 0x937b1f 0x9311c2 0x930241 0x930070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70572e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x706274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70627610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x706b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x706b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x706b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x706b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x725bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x93881b registers.esp: 3665784 registers.edi: 36585980 registers.eax: 0 registers.ebp: 3665820 registers.edx: 32427852 registers.ebx: 36584156 registers.esi: 35613548 registers.ecx: 32428376	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x9384f7 0x938439 0x937b1f 0x9311c2 0x930241 0x930070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70572e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x706274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70627610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x706b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x706b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x706b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x706b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x725bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x93881b registers.esp: 3665784 registers.edi: 37537996 registers.eax: 0 registers.ebp: 3665820 registers.edx: 32427852 registers.ebx: 37536172 registers.esi: 35613548 registers.ecx: 32428376	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x93a1e6 0x93a139 0x937ba1 0x9311c2 0x930241 0x930070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70572e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x706274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70627610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x706b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x706b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x706b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x706b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x725bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x93881b registers.esp: 3665768 registers.edi: 38489792 registers.eax: 0 registers.ebp: 3665804 registers.edx: 32427852 registers.ebx: 38487980 registers.esi: 35613548 registers.ecx: 32428376	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x93a1e6 0x93a139 0x937ba1 0x9311c2 0x930241 0x930070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70572e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x706274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70627610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x706b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x706b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x706b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x706b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x725bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x93881b registers.esp: 3665768 registers.edi: 35289844 registers.eax: 0 registers.ebp: 3665804 registers.edx: 32427852 registers.ebx: 35288048 registers.esi: 34692204 registers.ecx: 32428376	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x93a1e6 0x93a139 0x937ba1 0x9311c2 0x930241 0x930070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70572e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x706274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70627610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x706b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x706b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x706b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x706b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x725bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x93881b registers.esp: 3665768 registers.edi: 35158784 registers.eax: 0 registers.ebp: 3665804 registers.edx: 32427852 registers.ebx: 35156988 registers.esi: 34670164 registers.ecx: 32428376	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x93a737 0x93a689 0x937c23 0x9311c2 0x930241 0x930070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70572e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x706274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70627610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x706b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x706b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x706b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x706b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x725bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x93881b registers.esp: 3665780 registers.edi: 36122296 registers.eax: 0 registers.ebp: 3665816 registers.edx: 32427852 registers.ebx: 36120472 registers.esi: 34670164 registers.ecx: 32428376	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x93a737 0x93a689 0x937c23 0x9311c2 0x930241 0x930070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70572e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x706274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70627610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x706b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x706b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x706b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x706b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x725bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x93881b registers.esp: 3665780 registers.edi: 37138404 registers.eax: 0 registers.ebp: 3665816 registers.edx: 32427852 registers.ebx: 37136596 registers.esi: 34670164 registers.ecx: 32428376	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x93a737 0x93a689 0x937c23 0x9311c2 0x930241 0x930070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70572e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x706274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70627610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x706b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x706b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x706b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x706b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x725bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x93881b registers.esp: 3665780 registers.edi: 38154512 registers.eax: 0 registers.ebp: 3665816 registers.edx: 32427852 registers.ebx: 38152704 registers.esi: 34670164 registers.ecx: 32428376	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x93ab77 0x93aac9 0x937c9f 0x9311c2 0x930241 0x930070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70572e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x706274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70627610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x706b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x706b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x706b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x706b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x725bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x93881b registers.esp: 3665780 registers.edi: 39170724 registers.eax: 0 registers.ebp: 3665816 registers.edx: 32427852 registers.ebx: 39168900 registers.esi: 34670164 registers.ecx: 32428376	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x93ab77 0x93aac9 0x937c9f 0x9311c2 0x930241 0x930070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70572e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x706274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70627610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x706b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x706b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x706b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x706b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x725bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x93881b registers.esp: 3665780 registers.edi: 35213760 registers.eax: 0 registers.ebp: 3665816 registers.edx: 32427852 registers.ebx: 35211952 registers.esi: 34670124 registers.ecx: 32428376	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x93ab77 0x93aac9 0x937c9f 0x9311c2 0x930241 0x930070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70572e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x706274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70627610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x706b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x706b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x706b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x706b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x725bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x93881b registers.esp: 3665780 registers.edi: 36232024 registers.eax: 0 registers.ebp: 3665816 registers.edx: 32427852 registers.ebx: 36230216 registers.esi: 34670124 registers.ecx: 32428376	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70572e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x706274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70627610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x706b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x706b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x706b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x706b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x725bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e8 b9 24 01 99 6f e8 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4e00bc registers.esp: 4977724 registers.edi: 4977776 registers.eax: 3030424 registers.ebp: 4977752 registers.edx: 8 registers.ebx: 4977916 registers.esi: 0 registers.ecx: 0	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x5a5502 0x5a0c46 0x5a0241 0x5a0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72012652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7202264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72022e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720d74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x720d7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72161dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72161e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72161f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7216416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5a5591 registers.esp: 2943688 registers.edi: 37353140 registers.eax: 0 registers.ebp: 2943712 registers.edx: 6892104 registers.ebx: 36643752 registers.esi: 37353320 registers.ecx: 0	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x5a84f7 0x5a8439 0x5a7b1f 0x5a11c2 0x5a0241 0x5a0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72012652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7202264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72022e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720d74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x720d7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72161dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72161e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72161f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7216416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5a881b registers.esp: 2943480 registers.edi: 38072088 registers.eax: 0 registers.ebp: 2943516 registers.edx: 6016844 registers.ebx: 38070212 registers.esi: 38065232 registers.ecx: 6017368	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x5a84f7 0x5a8439 0x5a7b1f 0x5a11c2 0x5a0241 0x5a0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72012652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7202264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72022e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720d74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x720d7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72161dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72161e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72161f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7216416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5a881b registers.esp: 2943480 registers.edi: 39037664 registers.eax: 0 registers.ebp: 2943516 registers.edx: 6016844 registers.ebx: 39035840 registers.esi: 38065232 registers.ecx: 6017368	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x5a84f7 0x5a8439 0x5a7b1f 0x5a11c2 0x5a0241 0x5a0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72012652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7202264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72022e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720d74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x720d7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72161dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72161e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72161f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7216416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5a881b registers.esp: 2943480 registers.edi: 39989680 registers.eax: 0 registers.ebp: 2943516 registers.edx: 6016844 registers.ebx: 39987856 registers.esi: 38065232 registers.ecx: 6017368	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x5aa1e6 0x5aa139 0x5a7ba1 0x5a11c2 0x5a0241 0x5a0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72012652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7202264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72022e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720d74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x720d7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72161dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72161e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72161f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7216416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5a881b registers.esp: 2943464 registers.edi: 40941476 registers.eax: 0 registers.ebp: 2943500 registers.edx: 6016844 registers.ebx: 40939664 registers.esi: 38065232 registers.ecx: 6017368	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x5aa1e6 0x5aa139 0x5a7ba1 0x5a11c2 0x5a0241 0x5a0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72012652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7202264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72022e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720d74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x720d7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72161dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72161e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72161f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7216416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5a881b registers.esp: 2943464 registers.edi: 37737996 registers.eax: 0 registers.ebp: 2943500 registers.edx: 6016844 registers.ebx: 37736200 registers.esi: 37163416 registers.ecx: 6017368	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x5aa1e6 0x5aa139 0x5a7ba1 0x5a11c2 0x5a0241 0x5a0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72012652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7202264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72022e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720d74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x720d7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72161dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72161e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72161f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7216416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5a881b registers.esp: 2943464 registers.edi: 37632364 registers.eax: 0 registers.ebp: 2943500 registers.edx: 6016844 registers.ebx: 37630568 registers.esi: 37143744 registers.ecx: 6017368	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x5aa737 0x5aa689 0x5a7c23 0x5a11c2 0x5a0241 0x5a0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72012652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7202264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72022e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720d74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x720d7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72161dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72161e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72161f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7216416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5a881b registers.esp: 2943476 registers.edi: 38595876 registers.eax: 0 registers.ebp: 2943512 registers.edx: 6016844 registers.ebx: 38594052 registers.esi: 37143744 registers.ecx: 6017368	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x5aa737 0x5aa689 0x5a7c23 0x5a11c2 0x5a0241 0x5a0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72012652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7202264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72022e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720d74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x720d7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72161dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72161e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72161f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7216416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5a881b registers.esp: 2943476 registers.edi: 39611984 registers.eax: 0 registers.ebp: 2943512 registers.edx: 6016844 registers.ebx: 39610176 registers.esi: 37143744 registers.ecx: 6017368	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x5aa737 0x5aa689 0x5a7c23 0x5a11c2 0x5a0241 0x5a0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72012652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7202264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72022e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720d74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x720d7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72161dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72161e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72161f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7216416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5a881b registers.esp: 2943476 registers.edi: 40628092 registers.eax: 0 registers.ebp: 2943512 registers.edx: 6016844 registers.ebx: 40626284 registers.esi: 37143744 registers.ecx: 6017368	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x5aab77 0x5aaac9 0x5a7c9f 0x5a11c2 0x5a0241 0x5a0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72012652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7202264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72022e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720d74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x720d7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72161dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72161e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72161f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7216416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5a881b registers.esp: 2943476 registers.edi: 41644304 registers.eax: 0 registers.ebp: 2943512 registers.edx: 6016844 registers.ebx: 41642480 registers.esi: 37143744 registers.ecx: 6017368	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x5aab77 0x5aaac9 0x5a7c9f 0x5a11c2 0x5a0241 0x5a0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72012652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7202264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72022e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720d74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x720d7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72161dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72161e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72161f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7216416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5a881b registers.esp: 2943476 registers.edi: 37687340 registers.eax: 0 registers.ebp: 2943512 registers.edx: 6016844 registers.ebx: 37685532 registers.esi: 37143704 registers.ecx: 6017368	1
__exception__ April 23, 2021, 6:20 p.m.	stacktrace: 0x5aab77 0x5aaac9 0x5a7c9f 0x5a11c2 0x5a0241 0x5a0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72012652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7202264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72022e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720d74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x720d7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72161dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72161e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72161f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7216416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x726b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x726b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 e0 c7 45 e8 00 00 00 00 c7 45 ec exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5a881b registers.esp: 2943476 registers.edi: 38705604 registers.eax: 0 registers.ebp: 2943512 registers.edx: 6016844 registers.ebx: 38703796 registers.esi: 37143704 registers.ecx: 6017368	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://download3.info//
suspicious_features	GET method with no useragent header	suspicious_request	GET https://h.fastihost.ru/SystemCollectionsGenericSystemQueueDebugViewL
suspicious_features	GET method with no useragent header	suspicious_request	GET https://api.ip.sb/geoip
suspicious_features	GET method with no useragent header	suspicious_request	GET https://kis-easy.ru/SystemDataOleDbOleDbServicesWrapperc

Performs some HTTP requests (10 events)

request	GET http://download2.info/users/content/id03084901/mmow.txt
request	GET http://download2.info/function/v2tmp/momomoomomom.php
request	GET http://download2.info/users/content/id4843920512/sskiperus_part2.txt
request	GET http://download2.info/function/v2tmp/sskiperus2.php
request	POST http://download3.info//
request	GET https://iplogger.com/1jwpj7
request	GET https://iplogger.com/1jepj7
request	GET https://h.fastihost.ru/SystemCollectionsGenericSystemQueueDebugViewL
request	GET https://api.ip.sb/geoip
request	GET https://kis-easy.ru/SystemDataOleDbOleDbServicesWrapperc

Sends data using the HTTP POST Method (1 event)

request

POST http://download3.info//

Resolves a suspicious Top Level Domain (TLD) (2 events)

domain	h.fastihost.ru				description	Russian Federation domain TLD
domain	kis-easy.ru				description	Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 141 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 2164 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 2164 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00305000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0030b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00307000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00551000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70561000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70562000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00576000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00577000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00578000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:19 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:20 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0487f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 23, 2021, 6:20 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\1464358104.exe
file	C:\Users\test22\AppData\Local\Temp\1753875954.exe

Creates a suspicious process (2 events)

cmdline	"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\test22\AppData\Local\Temp\sskiper.exe & exit
cmdline	C:\Windows\System32\cmd.exe /k ping 0 & del C:\Users\test22\AppData\Local\Temp\sskiper.exe & exit

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\sskiper.exe
file	C:\Users\test22\AppData\Local\Temp\1753875954.exe
file	C:\Users\test22\AppData\Local\Temp\1464358104.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 23, 2021, 6:15 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /k ping 0 & del C:\Users\test22\AppData\Local\Temp\sskiper.exe & exit filepath: C:\Windows\System32\cmd.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 23, 2021, 6:14 p.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process sskiper.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile April 23, 2021, 6:14 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL_DVÆà0Ðþí @ @@¤íW H.textÎ Ð `.rsrc Ò@@.reloc Ö@BàíHË"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe(((*o s ª((%}þ&s (+,(zJ(o s o ( "o ( ( ( ( "( ( (Us%s B("(#2("( B(" è($("s2('( s3"(8sd* request_handle: 0x00cc000c	1	1	0
InternetReadFile April 23, 2021, 6:14 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELhSîà0Ðî @ @@8îS H.textÎ Ð `.rsrcÒ@@.reloc Ö@BpîHË(#C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe(((*o s ª((%}þ&s (+,(zJ(o s o ( "o ( ( ( ( "( ( (Us%s B("(#2("( B(" è($("s2('( s3"(8sd* request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00015e00', u'virtual_address': u'0x000c8000', u'entropy': 7.203626272143025, u'name': u'.rsrc', u'virtual_size': u'0x00015d18'}

entropy

7.20362627214

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 23, 2021, 6:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 23, 2021, 6:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (32 events)

description	Listen for incoming communication	rule	network_tcp_listen
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Listen for incoming communication	rule	network_tcp_listen
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 78 events)

Time & API	Arguments	Status
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000006a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: AddressBook base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: Connection Manager base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: DirectDrawEx base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: EditPlus base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: ENTERPRISE base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: Fontcore base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: Google Chrome base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: IE40 base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: IE4Data base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: IE5BAKEX base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: IEData base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: MobileOptionPack base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: SchedulingAgent base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: WIC base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x000006a8 key_handle: 0x000006ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000006b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: AddressBook base_handle: 0x000006b0 key_handle: 0x000006b4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: Connection Manager base_handle: 0x000006b0 key_handle: 0x000006b4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: DirectDrawEx base_handle: 0x000006b0 key_handle: 0x000006b4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: EditPlus base_handle: 0x000006b0 key_handle: 0x000006b4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: ENTERPRISE base_handle: 0x000006b0 key_handle: 0x000006b4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: Fontcore base_handle: 0x000006b0 key_handle: 0x000006b4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: Google Chrome base_handle: 0x000006b0 key_handle: 0x000006b4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000006b0 key_handle: 0x000006b4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: IE40 base_handle: 0x000006b0 key_handle: 0x000006b4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW April 23, 2021, 6:20 p.m.	regkey_r: IE4Data base_handle: 0x000006b0 key_handle: 0x000006b4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1

Terminates another process (4 events)

Time & API	Arguments	Status	Return
NtTerminateProcess April 23, 2021, 6:14 p.m.	status_code: 0xffffffff process_identifier: 1512 process_handle: 0x00000240		0
NtTerminateProcess April 23, 2021, 6:14 p.m.	status_code: 0xffffffff process_identifier: 1512 process_handle: 0x00000240	1	0
NtTerminateProcess April 23, 2021, 6:14 p.m.	status_code: 0xffffffff process_identifier: 1512 process_handle: 0x00000240		0
NtTerminateProcess April 23, 2021, 6:14 p.m.	status_code: 0xffffffff process_identifier: 1512 process_handle: 0x00000240		3221225738

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\test22\AppData\Local\Temp\sskiper.exe & exit
cmdline	C:\Windows\System32\cmd.exe /k ping 0 & del C:\Users\test22\AppData\Local\Temp\sskiper.exe & exit
cmdline	ping 0

Communicates with host for which no DNS query was performed (1 event)

host

188.119.112.16

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 1512 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000240		3221225496
NtAllocateVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 2524 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000240	1	0
NtAllocateVirtualMemory April 23, 2021, 6:20 p.m.	process_identifier: 1596 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000023c	1	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation April 23, 2021, 6:14 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 2164 manipulating memory of non-child process 1512
NtUnmapViewOfSection April 23, 2021, 6:14 p.m.	base_address: 0x00400000 region_size: 446464 process_identifier: 1512 process_handle: 0x00000240	3221225497	0
NtAllocateVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 1512 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000240	3221225496	0

Collects information about installed applications (50 out of 54 events)

Time & API	Arguments	Status
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 6:20 p.m.	key_handle: 0x000006b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
FireEye	Generic.mg.8062355a111a77ec
McAfee	Artemis!8062355A111A
Cylance	Unsafe
Cybereason	malicious.7eebd8
APEX	Malicious
ClamAV	Win.Malware.Autoit-9849407-0
Kaspersky	UDS:DangerousObject.Multi.Generic
Sophos	ML/PE-A
Microsoft	Trojan:Win32/Fuerboos.B!cl
Rising	Trojan.Obfus/Autoit!1.C774 (CLASSIC)
eGambit	Unsafe.AI_Score_95%
MaxSecure	Trojan.Malware.300983.susgen
CrowdStrike	win/malicious_confidence_80% (W)

Network activity contains more than one unique useragent (3 events)

process	sskiper.exe	useragent	Approved 1.2/2
process	sskiper.exe	useragent	Installed OK 1.0/3
process	sskiper.exe	useragent	Install Soft Solutions 1.0/3

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2164 called NtSetContextThread to modify thread in remote process 2524
Process injection	Process 2388 called NtSetContextThread to modify thread in remote process 1596
NtSetContextThread April 23, 2021, 6:14 p.m.	registers.eip: 2000355780 registers.esp: 3669552 registers.edi: 0 registers.eax: 4288998 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000023c process_identifier: 2524	1	0	0
NtSetContextThread April 23, 2021, 6:20 p.m.	registers.eip: 2000355780 registers.esp: 2947240 registers.edi: 0 registers.eax: 4289010 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000238 process_identifier: 1596	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 732 resumed a thread in remote process 2520
Process injection	Process 2164 resumed a thread in remote process 2524
Process injection	Process 2388 resumed a thread in remote process 1596
NtResumeThread April 23, 2021, 6:15 p.m.	thread_handle: 0x000004e4 suspend_count: 1 process_identifier: 2520	1	0	0
NtResumeThread April 23, 2021, 6:14 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 2524	1	0	0
NtResumeThread April 23, 2021, 6:20 p.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 1596	1	0	0

Executed a process and injected code into it, probably while unpacking (48 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW April 23, 2021, 6:14 p.m.	thread_identifier: 2260 thread_handle: 0x0000024c process_identifier: 1224 current_directory: filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\system32\rundll32.exe" "C:\Windows\syswow64\WININET.dll",DispatchAPICall 1 filepath_r: C:\Windows\system32\rundll32.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000250	1	1
CreateProcessInternalW April 23, 2021, 6:14 p.m.	thread_identifier: 1444 thread_handle: 0x000004e8 process_identifier: 1304 current_directory: filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\system32\rundll32.exe" "C:\Windows\syswow64\WININET.dll",DispatchAPICall 1 filepath_r: C:\Windows\system32\rundll32.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000004ec	1	1
CreateProcessInternalW April 23, 2021, 6:14 p.m.	thread_identifier: 2624 thread_handle: 0x000004e0 process_identifier: 2276 current_directory: filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\system32\rundll32.exe" "C:\Windows\syswow64\WININET.dll",DispatchAPICall 1 filepath_r: C:\Windows\system32\rundll32.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000004e4	1	1
CreateProcessInternalW April 23, 2021, 6:14 p.m.	thread_identifier: 492 thread_handle: 0x000004ec process_identifier: 2164 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\1753875954.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000004e8	1	1
CreateProcessInternalW April 23, 2021, 6:14 p.m.	thread_identifier: 2768 thread_handle: 0x000004f0 process_identifier: 2220 current_directory: filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\system32\rundll32.exe" "C:\Windows\syswow64\WININET.dll",DispatchAPICall 1 filepath_r: C:\Windows\system32\rundll32.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000004f4	1	1
CreateProcessInternalW April 23, 2021, 6:14 p.m.	thread_identifier: 3024 thread_handle: 0x000004f4 process_identifier: 2388 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\1464358104.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000004f0	1	1
CreateProcessInternalW April 23, 2021, 6:15 p.m.	thread_identifier: 1040 thread_handle: 0x000004e4 process_identifier: 2520 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\test22\AppData\Local\Temp\sskiper.exe & exit filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002c8	1	1
NtResumeThread April 23, 2021, 6:15 p.m.	thread_handle: 0x000004e4 suspend_count: 1 process_identifier: 2520	1	0
NtResumeThread April 23, 2021, 6:14 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread April 23, 2021, 6:14 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread April 23, 2021, 6:14 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread April 23, 2021, 6:14 p.m.	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread April 23, 2021, 6:14 p.m.	thread_handle: 0x0000021c suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread April 23, 2021, 6:14 p.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 2164	1	0
CreateProcessInternalW April 23, 2021, 6:14 p.m.	thread_identifier: 804 thread_handle: 0x0000023c process_identifier: 1512 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000240	1	1
NtUnmapViewOfSection April 23, 2021, 6:14 p.m.	base_address: 0x00400000 region_size: 446464 process_identifier: 1512 process_handle: 0x00000240		3221225497
NtAllocateVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 1512 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000240		3221225496
CreateProcessInternalW April 23, 2021, 6:14 p.m.	thread_identifier: 2984 thread_handle: 0x0000023c process_identifier: 2524 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000240	1	1
NtUnmapViewOfSection April 23, 2021, 6:14 p.m.	base_address: 0x00400000 region_size: 1994129408 process_identifier: 2524 process_handle: 0x00000240		3221225497
NtAllocateVirtualMemory April 23, 2021, 6:14 p.m.	process_identifier: 2524 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000240	1	0
NtGetContextThread April 23, 2021, 6:14 p.m.	thread_handle: 0x0000023c	1	0
NtSetContextThread April 23, 2021, 6:14 p.m.	registers.eip: 2000355780 registers.esp: 3669552 registers.edi: 0 registers.eax: 4288998 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000023c process_identifier: 2524	1	0
NtResumeThread April 23, 2021, 6:14 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 2524	1	0
NtResumeThread April 23, 2021, 6:19 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2524	1	0
NtResumeThread April 23, 2021, 6:19 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2524	1	0
NtResumeThread April 23, 2021, 6:19 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2524	1	0
NtResumeThread April 23, 2021, 6:19 p.m.	thread_handle: 0x00000354 suspend_count: 1 process_identifier: 2524	1	0
NtResumeThread April 23, 2021, 6:20 p.m.	thread_handle: 0x00000674 suspend_count: 1 process_identifier: 2524	1	0
NtResumeThread April 23, 2021, 6:19 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2388	1	0
NtResumeThread April 23, 2021, 6:19 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2388	1	0
NtResumeThread April 23, 2021, 6:19 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2388	1	0
NtResumeThread April 23, 2021, 6:19 p.m.	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 2388	1	0
NtResumeThread April 23, 2021, 6:19 p.m.	thread_handle: 0x0000021c suspend_count: 1 process_identifier: 2388	1	0
NtResumeThread April 23, 2021, 6:20 p.m.	thread_handle: 0x00000380 suspend_count: 1 process_identifier: 2388	1	0
CreateProcessInternalW April 23, 2021, 6:20 p.m.	thread_identifier: 1788 thread_handle: 0x00000238 process_identifier: 1596 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x0000023c	1	1
NtUnmapViewOfSection April 23, 2021, 6:20 p.m.	base_address: 0x00400000 region_size: 1994129408 process_identifier: 1596 process_handle: 0x0000023c		3221225497
NtAllocateVirtualMemory April 23, 2021, 6:20 p.m.	process_identifier: 1596 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000023c	1	0
NtGetContextThread April 23, 2021, 6:20 p.m.	thread_handle: 0x00000238	1	0
NtSetContextThread April 23, 2021, 6:20 p.m.	registers.eip: 2000355780 registers.esp: 2947240 registers.edi: 0 registers.eax: 4289010 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000238 process_identifier: 1596	1	0
NtResumeThread April 23, 2021, 6:20 p.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 1596	1	0
NtResumeThread April 23, 2021, 6:20 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1596	1	0
NtResumeThread April 23, 2021, 6:20 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 1596	1	0
NtResumeThread April 23, 2021, 6:20 p.m.	thread_handle: 0x000001a0 suspend_count: 1 process_identifier: 1596	1	0
NtResumeThread April 23, 2021, 6:20 p.m.	thread_handle: 0x0000035c suspend_count: 1 process_identifier: 1596	1	0
NtResumeThread April 23, 2021, 6:20 p.m.	thread_handle: 0x00000670 suspend_count: 1 process_identifier: 1596	1	0
NtResumeThread April 23, 2021, 6:20 p.m.	thread_handle: 0x000005f4 suspend_count: 1 process_identifier: 1596	1	0
CreateProcessInternalW April 23, 2021, 6:20 p.m.	thread_identifier: 1316 thread_handle: 0x00000084 process_identifier: 2908 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping 0 filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread April 23, 2021, 6:20 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2908	1	0

sskiper.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All