Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 9, 2021, 10:14 p.m.	June 9, 2021, 10:22 p.m.

Size	106.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`1276e815c54ab13a18f21118dd3c6bbb`
SHA256	`d2d5f495be99faf5dcc31f16b20d08b31802215621595e3ffe3a56a2f69c5817`
CRC32	`2C8149EF`
ssdeep	`1536:W85j51OntvCY0GW/DkhglxD4wlfVeE6QlAy8VB9qgCzn6OF8ZJjpIDv:rH4tvCY0G0jEwlkzrVB0gM6C8Z9pID`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

microsoft.com "C:\Users\test22\AppData\Local\Temp\microsoft.com"
1080
- schtasks.exe schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\test22\AppData\Local\Temp\windows\svchost.exe'"
  2164
- svchost.exe "C:\Users\test22\AppData\Local\Temp\windows\svchost.exe"
  2672

Name	Response	Post-Analysis Lookup
pastebin.com	A 104.23.99.190 A 104.23.98.190	104.23.99.190
ipcheck.servehttp.com	A 41.225.34.198	41.225.34.198

IP Address	Status	Action
104.23.99.190	Active	Moloch
164.124.101.2	Active	Moloch
41.225.34.198	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49202 -> 104.23.99.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:54056 -> 164.124.101.2:53	2028694	ET POLICY DNS Query to DynDNS Domain *.servehttp .com	Potentially Bad Traffic
UDP 192.168.56.101:59369 -> 164.124.101.2:53	2028694	ET POLICY DNS Query to DynDNS Domain *.servehttp .com	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49202 104.23.99.190:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	ce:69:3b:0c:23:1f:bf:e1:a4:87:d2:44:26:54:a5:e4:bd:26:2f:7a

Queries for the computername (49 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:14 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 9, 2021, 10:14 p.m.			0	0
IsDebuggerPresent June 9, 2021, 10:14 p.m.			0	0
IsDebuggerPresent June 9, 2021, 10:14 p.m.			0	0
IsDebuggerPresent June 9, 2021, 10:14 p.m.			0	0
IsDebuggerPresent June 9, 2021, 10:14 p.m.			0	0
IsDebuggerPresent June 9, 2021, 10:14 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW June 9, 2021, 10:14 p.m.	buffer: SUCCESS: The scheduled task "LimeRAT-Admin" has successfully been created. console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (10 events)

Time & API	Arguments	Status	Return
CryptExportKey June 9, 2021, 10:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00520c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2021, 10:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00520c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2021, 10:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00521930 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2021, 10:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00521430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2021, 10:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00521430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2021, 10:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060bfc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2021, 10:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060bfc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2021, 10:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060c840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2021, 10:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060c680 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2021, 10:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060c680 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 9, 2021, 10:14 p.m.		1	1	0

One or more processes crashed (24 events)

Time & API	Arguments	Status
__exception__ June 9, 2021, 10:14 p.m.	stacktrace: 0x1ed3fe0 0x1ed415f 0x1ed2c8b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 5d c3 00 00 00 00 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1f20b13 registers.esp: 2944068 registers.edi: 0 registers.eax: 36297536 registers.ebp: 2944068 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ June 9, 2021, 10:14 p.m.	stacktrace: 0x783fe0 0x78415f 0x782c8b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72787610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72811dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72811e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72811f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7281416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 5d c3 00 00 00 00 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x790b13 registers.esp: 1765172 registers.edi: 0 registers.eax: 35445588 registers.ebp: 1765172 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ June 9, 2021, 10:14 p.m.	stacktrace: mscorlib+0x30c9ff @ 0x6ef8c9ff mscorlib+0x302367 @ 0x6ef82367 mscorlib+0x3022a6 @ 0x6ef822a6 mscorlib+0x302261 @ 0x6ef82261 mscorlib+0x30ca7c @ 0x6ef8ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727607d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72737d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72737dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72737e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x726cc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72760694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x727da0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 49 04 39 09 e8 86 6c c4 6f c3 00 00 00 00 00 exception.instruction: mov ecx, dword ptr [ecx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x791220 registers.esp: 94892112 registers.edi: 0 registers.eax: 3858200 registers.ebp: 94892240 registers.edx: 0 registers.ebx: 35428780 registers.esi: 35428760 registers.ecx: 0	1
__exception__ June 9, 2021, 10:14 p.m.	stacktrace: 0x783fe0 0x78415f 0x7884e4 0x78835a mscorlib+0x30c9ff @ 0x6ef8c9ff mscorlib+0x302367 @ 0x6ef82367 mscorlib+0x3022a6 @ 0x6ef822a6 mscorlib+0x302261 @ 0x6ef82261 mscorlib+0x30ca7c @ 0x6ef8ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727607d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72737d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72737dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72737e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x726cc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72760694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x727da0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 5d c3 00 00 00 00 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x790b13 registers.esp: 95941960 registers.edi: 0 registers.eax: 35445588 registers.ebp: 95941960 registers.edx: 0 registers.ebx: 35667956 registers.esi: 0 registers.ecx: 0	1
__exception__ June 9, 2021, 10:14 p.m.	stacktrace: 0x783fe0 0x78415f 0x7884e4 0x7886b9 mscorlib+0x30c9ff @ 0x6ef8c9ff mscorlib+0x302367 @ 0x6ef82367 mscorlib+0x3022a6 @ 0x6ef822a6 mscorlib+0x302261 @ 0x6ef82261 mscorlib+0x30ca7c @ 0x6ef8ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727607d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72737d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72737dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72737e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x726cc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72760694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x727da0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 5d c3 00 00 00 00 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x790b13 registers.esp: 97710072 registers.edi: 0 registers.eax: 35445588 registers.ebp: 97710072 registers.edx: 0 registers.ebx: 35676148 registers.esi: 0 registers.ecx: 0	1
__exception__ June 9, 2021, 10:14 p.m.	stacktrace: 0x789e2e mscorlib+0x30c9ff @ 0x6ef8c9ff mscorlib+0x302367 @ 0x6ef82367 mscorlib+0x3022a6 @ 0x6ef822a6 mscorlib+0x302261 @ 0x6ef82261 mscorlib+0x30ca7c @ 0x6ef8ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727607d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72737d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72737dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72737e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x726cc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72760694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x727da0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 d9 83 c4 6f c3 00 00 00 00 00 00 00 00 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7913e0 registers.esp: 94891864 registers.edi: 94892096 registers.eax: 3858248 registers.ebp: 94892108 registers.edx: 0 registers.ebx: 35428780 registers.esi: 0 registers.ecx: 0	1
__exception__ June 9, 2021, 10:14 p.m.	stacktrace: 0x78a780 0x789e2e mscorlib+0x30c9ff @ 0x6ef8c9ff mscorlib+0x302367 @ 0x6ef82367 mscorlib+0x3022a6 @ 0x6ef822a6 mscorlib+0x302261 @ 0x6ef82261 mscorlib+0x30ca7c @ 0x6ef8ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727607d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72737d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72737dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72737e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x726cc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72760694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x727da0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 50 1c 5d c3 00 00 00 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x791433 registers.esp: 94891860 registers.edi: 94892096 registers.eax: 3858256 registers.ebp: 94891860 registers.edx: 0 registers.ebx: 35428780 registers.esi: 0 registers.ecx: 0	1
__exception__ June 9, 2021, 10:14 p.m.	stacktrace: 0x78a7d8 0x789e2e mscorlib+0x30c9ff @ 0x6ef8c9ff mscorlib+0x302367 @ 0x6ef82367 mscorlib+0x3022a6 @ 0x6ef822a6 mscorlib+0x302261 @ 0x6ef82261 mscorlib+0x30ca7c @ 0x6ef8ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727607d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72737d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72737dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72737e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x726cc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72760694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x727da0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 30 ff 50 10 5d c3 00 00 00 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x791483 registers.esp: 94891860 registers.edi: 94892096 registers.eax: 3858264 registers.ebp: 94891860 registers.edx: 0 registers.ebx: 35428780 registers.esi: 0 registers.ecx: 0	1
__exception__ June 9, 2021, 10:14 p.m.	stacktrace: 0x783fe0 0x78415f 0x7884e4 0x78b080 0x788b54 mscorlib+0x30c9ff @ 0x6ef8c9ff mscorlib+0x302367 @ 0x6ef82367 mscorlib+0x3022a6 @ 0x6ef822a6 mscorlib+0x302261 @ 0x6ef82261 mscorlib+0x30ca7c @ 0x6ef8ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727607d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72737d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72737dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72737e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x726cc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72760694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x727da0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 5d c3 00 00 00 00 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x790b13 registers.esp: 100069016 registers.edi: 0 registers.eax: 35445588 registers.ebp: 100069016 registers.edx: 0 registers.ebx: 36270068 registers.esi: 0 registers.ecx: 0	1
__exception__ June 9, 2021, 10:14 p.m.	stacktrace: 0x783fe0 0x78415f 0x78b14c 0x78b09a 0x788b54 mscorlib+0x30c9ff @ 0x6ef8c9ff mscorlib+0x302367 @ 0x6ef82367 mscorlib+0x3022a6 @ 0x6ef822a6 mscorlib+0x302261 @ 0x6ef82261 mscorlib+0x30ca7c @ 0x6ef8ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727607d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72737d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72737dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72737e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x726cc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72760694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x727da0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 5d c3 00 00 00 00 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x790b13 registers.esp: 100069016 registers.edi: 0 registers.eax: 35445588 registers.ebp: 100069016 registers.edx: 0 registers.ebx: 35668748 registers.esi: 0 registers.ecx: 0	1
__exception__ June 9, 2021, 10:14 p.m.	stacktrace: 0x783fe0 0x78415f 0x7884e4 0x78b2cb 0x788b6f mscorlib+0x30c9ff @ 0x6ef8c9ff mscorlib+0x302367 @ 0x6ef82367 mscorlib+0x3022a6 @ 0x6ef822a6 mscorlib+0x302261 @ 0x6ef82261 mscorlib+0x30ca7c @ 0x6ef8ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727607d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72737d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72737dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72737e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x726cc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72760694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x727da0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 5d c3 00 00 00 00 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x790b13 registers.esp: 100069012 registers.edi: 0 registers.eax: 35445588 registers.ebp: 100069012 registers.edx: 0 registers.ebx: 36352264 registers.esi: 0 registers.ecx: 0	1
__exception__ June 9, 2021, 10:14 p.m.	stacktrace: 0x783fe0 0x78415f 0x78b14c 0x78b2e4 0x788b6f mscorlib+0x30c9ff @ 0x6ef8c9ff mscorlib+0x302367 @ 0x6ef82367 mscorlib+0x3022a6 @ 0x6ef822a6 mscorlib+0x302261 @ 0x6ef82261 mscorlib+0x30ca7c @ 0x6ef8ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727607d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72737d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72737dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72737e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x726cc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72760694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x727da0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 5d c3 00 00 00 00 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x790b13 registers.esp: 100069012 registers.edi: 0 registers.eax: 35445588 registers.ebp: 100069012 registers.edx: 0 registers.ebx: 35668748 registers.esi: 0 registers.ecx: 0	1
__exception__ June 9, 2021, 10:14 p.m.	stacktrace: 0x783fe0 0x78415f 0x7884e4 0x78b2ed 0x788b6f mscorlib+0x30c9ff @ 0x6ef8c9ff mscorlib+0x302367 @ 0x6ef82367 mscorlib+0x3022a6 @ 0x6ef822a6 mscorlib+0x302261 @ 0x6ef82261 mscorlib+0x30ca7c @ 0x6ef8ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727607d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72737d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72737dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72737e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x726cc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72760694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x727da0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 5d c3 00 00 00 00 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x790b13 registers.esp: 100069012 registers.edi: 0 registers.eax: 35445588 registers.ebp: 100069012 registers.edx: 0 registers.ebx: 36352264 registers.esi: 0 registers.ecx: 0	1
__exception__ June 9, 2021, 10:14 p.m.	stacktrace: 0x783fe0 0x78415f 0x7884e4 0x78b48f 0x788b92 mscorlib+0x30c9ff @ 0x6ef8c9ff mscorlib+0x302367 @ 0x6ef82367 mscorlib+0x3022a6 @ 0x6ef822a6 mscorlib+0x302261 @ 0x6ef82261 mscorlib+0x30ca7c @ 0x6ef8ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727607d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72737d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72737dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72737e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x726cc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72760694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x727da0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 5d c3 00 00 00 00 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x790b13 registers.esp: 100069008 registers.edi: 0 registers.eax: 35445588 registers.ebp: 100069008 registers.edx: 0 registers.ebx: 36467936 registers.esi: 0 registers.ecx: 0	1
__exception__ June 9, 2021, 10:14 p.m.	stacktrace: 0x783fe0 0x78415f 0x78b14c 0x78b4ae 0x788b92 mscorlib+0x30c9ff @ 0x6ef8c9ff mscorlib+0x302367 @ 0x6ef82367 mscorlib+0x3022a6 @ 0x6ef822a6 mscorlib+0x302261 @ 0x6ef82261 mscorlib+0x30ca7c @ 0x6ef8ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727607d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72737d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72737dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72737e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x726cc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72760694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x727da0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 5d c3 00 00 00 00 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x790b13 registers.esp: 100069008 registers.edi: 0 registers.eax: 35445588 registers.ebp: 100069008 registers.edx: 0 registers.ebx: 35668748 registers.esi: 0 registers.ecx: 0	1
__exception__ June 9, 2021, 10:14 p.m.	stacktrace: 0x783fe0 0x78415f 0x7884e4 0x78b4b7 0x788b92 mscorlib+0x30c9ff @ 0x6ef8c9ff mscorlib+0x302367 @ 0x6ef82367 mscorlib+0x3022a6 @ 0x6ef822a6 mscorlib+0x302261 @ 0x6ef82261 mscorlib+0x30ca7c @ 0x6ef8ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727607d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72737d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72737dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72737e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x726cc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72760694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x727da0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 5d c3 00 00 00 00 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x790b13 registers.esp: 100069008 registers.edi: 0 registers.eax: 35445588 registers.ebp: 100069008 registers.edx: 0 registers.ebx: 36467936 registers.esi: 0 registers.ecx: 0	1
__exception__ June 9, 2021, 10:14 p.m.	stacktrace: 0x78a780 0x789e2e mscorlib+0x30c9ff @ 0x6ef8c9ff mscorlib+0x302367 @ 0x6ef82367 mscorlib+0x3022a6 @ 0x6ef822a6 mscorlib+0x302261 @ 0x6ef82261 mscorlib+0x30ca7c @ 0x6ef8ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727607d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72737d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72737dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72737e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x726cc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72760694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x727da0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 50 1c 5d c3 00 00 00 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x791433 registers.esp: 94891860 registers.edi: 94892096 registers.eax: 35807828 registers.ebp: 94891860 registers.edx: 0 registers.ebx: 35428780 registers.esi: 35812052 registers.ecx: 0	1
__exception__ June 9, 2021, 10:14 p.m.	stacktrace: 0x78a7d8 0x789e2e mscorlib+0x30c9ff @ 0x6ef8c9ff mscorlib+0x302367 @ 0x6ef82367 mscorlib+0x3022a6 @ 0x6ef822a6 mscorlib+0x302261 @ 0x6ef82261 mscorlib+0x30ca7c @ 0x6ef8ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727607d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72737d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72737dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72737e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x726cc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72760694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x727da0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 30 ff 50 10 5d c3 00 00 00 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x791483 registers.esp: 94891860 registers.edi: 94892096 registers.eax: 35809900 registers.ebp: 94891860 registers.edx: 0 registers.ebx: 35428780 registers.esi: 35812052 registers.ecx: 0	1
__exception__ June 9, 2021, 10:15 p.m.	stacktrace: 0x78a780 0x789e2e mscorlib+0x30c9ff @ 0x6ef8c9ff mscorlib+0x302367 @ 0x6ef82367 mscorlib+0x3022a6 @ 0x6ef822a6 mscorlib+0x302261 @ 0x6ef82261 mscorlib+0x30ca7c @ 0x6ef8ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727607d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72737d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72737dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72737e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x726cc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72760694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x727da0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 50 1c 5d c3 00 00 00 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x791433 registers.esp: 94891860 registers.edi: 94892096 registers.eax: 35807828 registers.ebp: 94891860 registers.edx: 0 registers.ebx: 35428780 registers.esi: 36258344 registers.ecx: 0	1
__exception__ June 9, 2021, 10:15 p.m.	stacktrace: 0x78a7d8 0x789e2e mscorlib+0x30c9ff @ 0x6ef8c9ff mscorlib+0x302367 @ 0x6ef82367 mscorlib+0x3022a6 @ 0x6ef822a6 mscorlib+0x302261 @ 0x6ef82261 mscorlib+0x30ca7c @ 0x6ef8ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727607d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72737d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72737dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72737e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x726cc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72760694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x727da0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 30 ff 50 10 5d c3 00 00 00 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x791483 registers.esp: 94891860 registers.edi: 94892096 registers.eax: 35809900 registers.ebp: 94891860 registers.edx: 0 registers.ebx: 35428780 registers.esi: 36258344 registers.ecx: 0	1
__exception__ June 9, 2021, 10:15 p.m.	stacktrace: 0x78a780 0x789e2e mscorlib+0x30c9ff @ 0x6ef8c9ff mscorlib+0x302367 @ 0x6ef82367 mscorlib+0x3022a6 @ 0x6ef822a6 mscorlib+0x302261 @ 0x6ef82261 mscorlib+0x30ca7c @ 0x6ef8ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727607d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72737d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72737dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72737e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x726cc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72760694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x727da0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 50 1c 5d c3 00 00 00 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x791433 registers.esp: 94891860 registers.edi: 94892096 registers.eax: 35807828 registers.ebp: 94891860 registers.edx: 0 registers.ebx: 35428780 registers.esi: 36870816 registers.ecx: 0	1
__exception__ June 9, 2021, 10:15 p.m.	stacktrace: 0x78a7d8 0x789e2e mscorlib+0x30c9ff @ 0x6ef8c9ff mscorlib+0x302367 @ 0x6ef82367 mscorlib+0x3022a6 @ 0x6ef822a6 mscorlib+0x302261 @ 0x6ef82261 mscorlib+0x30ca7c @ 0x6ef8ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727607d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72737d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72737dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72737e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x726cc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72760694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x727da0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 30 ff 50 10 5d c3 00 00 00 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x791483 registers.esp: 94891860 registers.edi: 94892096 registers.eax: 35809900 registers.ebp: 94891860 registers.edx: 0 registers.ebx: 35428780 registers.esi: 36870816 registers.ecx: 0	1
__exception__ June 9, 2021, 10:16 p.m.	stacktrace: 0x78a780 0x789e2e mscorlib+0x30c9ff @ 0x6ef8c9ff mscorlib+0x302367 @ 0x6ef82367 mscorlib+0x3022a6 @ 0x6ef822a6 mscorlib+0x302261 @ 0x6ef82261 mscorlib+0x30ca7c @ 0x6ef8ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727607d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72737d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72737dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72737e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x726cc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72760694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x727da0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 50 1c 5d c3 00 00 00 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x791433 registers.esp: 94891860 registers.edi: 94892096 registers.eax: 35807828 registers.ebp: 94891860 registers.edx: 0 registers.ebx: 35428780 registers.esi: 37135172 registers.ecx: 0	1
__exception__ June 9, 2021, 10:16 p.m.	stacktrace: 0x78a7d8 0x789e2e mscorlib+0x30c9ff @ 0x6ef8c9ff mscorlib+0x302367 @ 0x6ef82367 mscorlib+0x3022a6 @ 0x6ef822a6 mscorlib+0x302261 @ 0x6ef82261 mscorlib+0x30ca7c @ 0x6ef8ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727607d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72737d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72737dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72737e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x726cc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72760694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x727da0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 30 ff 50 10 5d c3 00 00 00 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x791483 registers.esp: 94891860 registers.edi: 94892096 registers.eax: 35809900 registers.ebp: 94891860 registers.edx: 0 registers.ebx: 35428780 registers.esi: 37135172 registers.ecx: 0	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://pastebin.com/raw/4iEe2RSa

Connects to a Dynamic DNS Domain (1 event)

domain

ipcheck.servehttp.com

Performs some HTTP requests (1 event)

request

GET https://pastebin.com/raw/4iEe2RSa

Allocates read-write-execute memory (usually to unpack itself) (50 out of 77 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00420000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01df0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00442000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ed0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00477000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f2f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00475000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ed1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00466000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00467000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ed2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ed3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ed5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ed6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ed7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ed8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ed9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 1080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 2672 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00430000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 2672 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0079f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2021, 10:14 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

svchost.exe tried to sleep 471 seconds, actually delayed analysis time by 471 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\windows\svchost.exe

Creates a suspicious process (3 events)

cmdline	"C:\Users\test22\AppData\Local\Temp\windows\svchost.exe"
cmdline	schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\test22\AppData\Local\Temp\windows\svchost.exe'"
cmdline	C:\Users\test22\AppData\Local\Temp\windows\svchost.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\windows\svchost.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\windows\svchost.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 9, 2021, 10:14 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 9, 2021, 10:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 9, 2021, 10:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Created a process named as a common system process (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW June 9, 2021, 10:14 p.m.	thread_identifier: 2092 thread_handle: 0x000004e0 process_identifier: 2672 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\windows\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\windows\svchost.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\windows\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004e8	1	1	0
ShellExecuteExW June 9, 2021, 10:14 p.m.	show_type: 1 filepath_r: C:\Users\test22\AppData\Local\Temp\windows\svchost.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\windows\svchost.exe	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\test22\AppData\Local\Temp\windows\svchost.exe'"

Installs itself for autorun at Windows startup (1 event)

cmdline

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\test22\AppData\Local\Temp\windows\svchost.exe'"

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\windows\svchost.exe:Zone.Identifier

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

41.225.34.198:433

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.1276e815c54ab13a
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005692dd1 )
Alibaba	Trojan:MSIL/ATRAPS.ca5d1f87
K7GW	Trojan ( 005692dd1 )
Cybereason	malicious.947ebf
BitDefenderTheta	Gen:NN.ZemsilF.34722.giW@aOk0Xmb
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Agent.CWR
TrendMicro-HouseCall	TROJ_GEN.R002H0DEQ21
Avast	Win32:Malware-gen
Kaspersky	HEUR:Trojan.Win32.Generic
NANO-Antivirus	Trojan.Win32.Mlw.ivzihm
Paloalto	generic.ml
ViRobot	Trojan.Win32.Z.Agent.109056.ADQ
Tencent	Win32.Trojan.Generic.Dwjm
McAfee-GW-Edition	BehavesLike.Win32.Generic.cm
Sophos	ML/PE-A
APEX	Malicious
Jiangmin	Trojan.Generic.gwvds
eGambit	Unsafe.AI_Score_99%
Avira	TR/ATRAPS.Gen
Microsoft	Trojan:Win32/Woreflint.A!cl
AegisLab	Trojan.Win32.Generic.4!c
GData	MSIL.Backdoor.LimeBak.CJDXDO
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Genome.C138363
McAfee	RDN/Generic.hbg
VBA32	TScope.Trojan.MSIL
Malwarebytes	Backdoor.LimeRat
Ikarus	Trojan.MSIL.Agent
Yandex	Trojan.Agent!TwD6o/UBaeI
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Agent.CWR!tr
Webroot	W32.Trojan.Gen
AVG	Win32:Malware-gen
CrowdStrike	win/malicious_confidence_100% (W)

microsoft.com

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All