popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

XtmkLSmftnsk6TlB.exe

AsyncRAT Antivirus Malicious Library PWS AntiDebug OS Processor Check PE32 PE File .NET EXE AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 June 11, 2021, 5:41 p.m. June 11, 2021, 5:43 p.m.
Size 1.2MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 b4e2699346ce3d5f87374a32403e3464
SHA256 2391b26d23fe9524618b01def4f0d37775efb9dee1d06c7c3927adcd810da40b
CRC32 EEB0C93A
ssdeep 24576:YxMPUnab/wxnxDirBaY7u61XEXr1Tj1vN3IvIfTAhi3P5FooG:03xnxOrBF7u65y1nYcAhi3ro
Yara
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • PE_Header_Zero - PE File Signature
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • Is_DotNET_EXE - (no description)
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: , script file, or operable program. Check the spelling of the name, or if a pat
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: h was included, verify that the path is correct and try again.
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: At line:1 char:17
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\Xtmk
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: LSmftnsk6TlB.exe
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: mmandNotFoundException
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x00000083
1 1 0

WriteConsoleW

 buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: , script file, or operable program. Check the spelling of the name, or if a pat
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: h was included, verify that the path is correct and try again.
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: At line:1 char:17
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\hcKaeuO
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: .exe
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: mmandNotFoundException
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x00000083
1 1 0

WriteConsoleW

 buffer: SUCCESS: The scheduled task "Updates\hcKaeuO" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: , script file, or operable program. Check the spelling of the name, or if a pat
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: h was included, verify that the path is correct and try again.
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: At line:1 char:17
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\hcKaeuO
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: .exe
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: mmandNotFoundException
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x00000083
1 1 0

WriteConsoleW

 buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: , script file, or operable program. Check the spelling of the name, or if a pat
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: h was included, verify that the path is correct and try again.
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: At line:1 char:17
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\Xtmk
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: LSmftnsk6TlB.exe -Force
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: mmandNotFoundException
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x00000083
1 1 0

WriteConsoleW

 buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: , script file, or operable program. Check the spelling of the name, or if a pat
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: h was included, verify that the path is correct and try again.
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: At line:1 char:17
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\Microso
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: ft\Windows\Start Menu\Programs\Startup\d40985x850f7J2xq4181rcOfck8XYgbzLp35d2z9
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: 4kn059G.exe -Force
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: mmandNotFoundException
console_handle: 0x00000083
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x0000008f
1 1 0

WriteConsoleW

 buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: , script file, or operable program. Check the spelling of the name, or if a pat
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: h was included, verify that the path is correct and try again.
console_handle: 0x0000003b
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0043f5d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0043ff90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0043ff90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004e7910
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518140
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518140
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518140
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005183c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005183c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005183c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005183c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005183c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005183c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518280
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518280
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518280
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518140
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518140
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518140
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005182c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518140
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518140
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518140
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518140
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518140
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518140
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518140
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518440
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518440
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518440
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518440
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518440
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518440
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518440
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518440
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518440
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518440
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518440
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518440
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518440
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518440
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518500
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518500
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518500
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518500
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518500
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518500
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518500
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00518500
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005dd5f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
0x8e1a26
0x8e11e9
0x8e0d79
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x70589df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x70589e2f
CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x70589efd
CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x70589fa2
LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x705e564b
CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x705bbe63
CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x705bb998
CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x705bb726
CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x705bbf68
CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x705bbce4
DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x7057cca4
DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x7057cd37
DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x70668841
LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x705e14e9
mscorlib+0x2d3711 @ 0x6f873711
mscorlib+0x308f2d @ 0x6f8a8f2d
mscorlib+0x2cb060 @ 0x6f86b060
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x705e1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x705e1737
mscorlib+0x2d36ad @ 0x6f8736ad
mscorlib+0x308f2d @ 0x6f8a8f2d
microsoft+0x50c17 @ 0x72000c17
microsoft+0x3f33f @ 0x71fef33f
microsoft+0x3edf8 @ 0x71feedf8
microsoft+0x3e3b9 @ 0x71fee3b9
0x8e02ba
0x8e007d
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70572e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x706274ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70627610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x706b1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x706b1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x706b1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x706b416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 39 09 e8 4a 96 f3 6e c7 45 e8 00 00 00 00 c7 45
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8e1a93
registers.esp: 3856852
registers.edi: 3856872
registers.eax: 0
registers.ebp: 3856884
registers.edx: 40505896
registers.ebx: 3857184
registers.esi: 40505896
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
0x8e1a38
0x8e11e9
0x8e0d79
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x70589df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x70589e2f
CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x70589efd
CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x70589fa2
LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x705e564b
CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x705bbe63
CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x705bb998
CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x705bb726
CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x705bbf68
CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x705bbce4
DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x7057cca4
DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x7057cd37
DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x70668841
LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x705e14e9
mscorlib+0x2d3711 @ 0x6f873711
mscorlib+0x308f2d @ 0x6f8a8f2d
mscorlib+0x2cb060 @ 0x6f86b060
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x705e1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x705e1737
mscorlib+0x2d36ad @ 0x6f8736ad
mscorlib+0x308f2d @ 0x6f8a8f2d
microsoft+0x50c17 @ 0x72000c17
microsoft+0x3f33f @ 0x71fef33f
microsoft+0x3edf8 @ 0x71feedf8
microsoft+0x3e3b9 @ 0x71fee3b9
0x8e02ba
0x8e007d
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70562652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7057264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70572e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x706274ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70627610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x706b1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x706b1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x706b1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x706b416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 39 09 e8 4a 96 f3 6e c7 45 e8 00 00 00 00 c7 45
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8e1a93
registers.esp: 3856852
registers.edi: 3856872
registers.eax: 0
registers.ebp: 3856884
registers.edx: 110548532
registers.ebx: 3857184
registers.esi: 110548532
registers.ecx: 0
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 1900544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00710000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72741000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72742000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 262144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005f0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00522000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0053c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00555000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0055b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00557000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0054a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00547000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0053a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef58000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006f1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6df12000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006f9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006fa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006fb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00dc0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0053d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0053e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00dc1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00dc2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00dc3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00dc4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00dc5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00dc6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1224
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00dc7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x063f0178
process_handle: 0xffffffff
3221225550 0

NtProtectVirtualMemory

 process_identifier: 1224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x063f01a0
process_handle: 0xffffffff
3221225550 0

NtProtectVirtualMemory

 process_identifier: 1224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x063f01c8
process_handle: 0xffffffff
3221225550 0

NtProtectVirtualMemory

 process_identifier: 1224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 11
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x064cfc1e
process_handle: 0xffffffff
3221225550 0

NtProtectVirtualMemory

 process_identifier: 1224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 11
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x064cfc12
process_handle: 0xffffffff
3221225550 0

NtProtectVirtualMemory

 process_identifier: 1224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 72
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x063f0208
process_handle: 0xffffffff
3221225550 0

NtProtectVirtualMemory

 process_identifier: 1224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x064a9520
process_handle: 0xffffffff
3221225550 0

NtProtectVirtualMemory

 process_identifier: 1224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x064a9544
process_handle: 0xffffffff
3221225550 0

NtProtectVirtualMemory

 process_identifier: 1224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x064a954c
process_handle: 0xffffffff
3221225550 0

NtProtectVirtualMemory

 process_identifier: 1224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x064a9550
process_handle: 0xffffffff
3221225550 0

NtProtectVirtualMemory

 process_identifier: 1224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x064a9558
process_handle: 0xffffffff
3221225550 0

NtProtectVirtualMemory

 process_identifier: 1224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x064a955c
process_handle: 0xffffffff
3221225550 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\XtmkLSmftnsk6TlB.exe"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\XtmkLSmftnsk6TlB.exe" -Force
cmdline schtasks.exe /Create /TN "Updates\hcKaeuO" /XML "C:\Users\test22\AppData\Local\Temp\tmp18D6.tmp"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\nbc38S293k9c4Rf2Yac\svchost.exe" -Force
cmdline powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\XtmkLSmftnsk6TlB.exe" -Force
cmdline powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d40985x850f7J2xq4181rcOfck8XYgbzLp35d2z94kn059G.exe" -Force
cmdline powershell Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\nbc38S293k9c4Rf2Yac\svchost.exe" -Force
cmdline powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\hcKaeuO.exe"
cmdline powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\XtmkLSmftnsk6TlB.exe"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d40985x850f7J2xq4181rcOfck8XYgbzLp35d2z94kn059G.exe" -Force
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hcKaeuO" /XML "C:\Users\test22\AppData\Local\Temp\tmp18D6.tmp"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\hcKaeuO.exe"
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\XtmkLSmftnsk6TlB.exe"
filepath: powershell
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\hcKaeuO.exe"
filepath: powershell
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: schtasks.exe
parameters: /Create /TN "Updates\hcKaeuO" /XML "C:\Users\test22\AppData\Local\Temp\tmp18D6.tmp"
filepath: schtasks.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\hcKaeuO.exe"
filepath: powershell
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\XtmkLSmftnsk6TlB.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d40985x850f7J2xq4181rcOfck8XYgbzLp35d2z94kn059G.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d40985x850f7J2xq4181rcOfck8XYgbzLp35d2z94kn059G.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\XtmkLSmftnsk6TlB.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\nbc38S293k9c4Rf2Yac\svchost.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\XtmkLSmftnsk6TlB.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\nbc38S293k9c4Rf2Yac\svchost.exe" -Force
filepath: powershell
1 1 0
section {u'size_of_data': u'0x00121800', u'virtual_address': u'0x00002000', u'entropy': 7.786607364522296, u'name': u'.text', u'virtual_size': u'0x00121794'} entropy 7.78660736452 description A section with a high entropy has been found
entropy 0.983439490446 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Bypass DEP rule disable_dep
cmdline schtasks.exe /Create /TN "Updates\hcKaeuO" /XML "C:\Users\test22\AppData\Local\Temp\tmp18D6.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hcKaeuO" /XML "C:\Users\test22\AppData\Local\Temp\tmp18D6.tmp"
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2608
region_size: 3563520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003a0
1 0 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\d40985x850f7J2xq4181rcOfck8XYgbzLp35d2z94kn059G reg_value C:\Windows\Resources\Themes\aero\Shell\nbc38S293k9c4Rf2Yac\svchost.exe
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL­{{à" 0þ5 Î6 6@ `6@…t6W 6@6  H.textÔü5 þ5 `.rsrc 66@@.reloc @66@B
base_address: 0x00400000
process_identifier: 2608
process_handle: 0x000003a0
1 1 0

WriteProcessMemory

 buffer:  €8€P€h€ €  6tä&6êät4VS_VERSION_INFO½ïþRÔØRÔØ?ÔStringFileInfo°040904e4r-Comments˜¨g¨”¨g¨b¨u¨¨c¨c¨g¨b¨h¨w¨d¨d¨—¨i¨~¨›¨k¨g¨{¨g¨˜¨ª¨ƒ¨˜¨Œ¨•¨f¨“¨|¨¨Š¨‚¨h¨c¨b¨|¨—¨z¨j¨‚¨™¨„2CompanyName˜¨g¨”¨g¨b¨u¨¨c¨c¨g¨b¨h¨w¨d¨d¨—¨i¨~¨›¨k¨g¨{¨g¨˜¨ª¨ƒ¨˜¨Œ¨•¨f¨“¨|¨¨Š¨‚¨h¨c¨b¨|¨—¨z¨j¨‚¨™¨ Inc.‚-FileDescription˜¨g¨”¨g¨b¨u¨¨c¨c¨g¨b¨h¨w¨d¨d¨—¨i¨~¨›¨k¨g¨{¨g¨˜¨ª¨ƒ¨˜¨Œ¨•¨f¨“¨|¨¨Š¨‚¨h¨c¨b¨|¨—¨z¨j¨‚¨™¨<FileVersion2.850.472.468LLegalCopyrightAll Rights Reserved‚1InternalName˜¨g¨”¨g¨b¨u¨¨c¨c¨g¨b¨h¨w¨d¨d¨—¨i¨~¨›¨k¨g¨{¨g¨˜¨ª¨ƒ¨˜¨Œ¨•¨f¨“¨|¨¨Š¨‚¨h¨c¨b¨|¨—¨z¨j¨‚¨™¨.exe‚-LegalTrademarks˜¨g¨”¨g¨b¨u¨¨c¨c¨g¨b¨h¨w¨d¨d¨—¨i¨~¨›¨k¨g¨{¨g¨˜¨ª¨ƒ¨˜¨Œ¨•¨f¨“¨|¨¨Š¨‚¨h¨c¨b¨|¨—¨z¨j¨‚¨™¨Š1OriginalFilename˜¨g¨”¨g¨b¨u¨¨c¨c¨g¨b¨h¨w¨d¨d¨—¨i¨~¨›¨k¨g¨{¨g¨˜¨ª¨ƒ¨˜¨Œ¨•¨f¨“¨|¨¨Š¨‚¨h¨c¨b¨|¨—¨z¨j¨‚¨™¨.exez-ProductName˜¨g¨”¨g¨b¨u¨¨c¨c¨g¨b¨h¨w¨d¨d¨—¨i¨~¨›¨k¨g¨{¨g¨˜¨ª¨ƒ¨˜¨Œ¨•¨f¨“¨|¨¨Š¨‚¨h¨c¨b¨|¨—¨z¨j¨‚¨™¨@ProductVersion2.850.472.468DAssembly Version2.850.472.468DVarFileInfo$Translation<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>PA
base_address: 0x00762000
process_identifier: 2608
process_handle: 0x000003a0
1 1 0

WriteProcessMemory

 buffer: 6 Ð<
base_address: 0x00764000
process_identifier: 2608
process_handle: 0x000003a0
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2608
process_handle: 0x000003a0
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL­{{à" 0þ5 Î6 6@ `6@…t6W 6@6  H.textÔü5 þ5 `.rsrc 66@@.reloc @66@B
base_address: 0x00400000
process_identifier: 2608
process_handle: 0x000003a0
1 1 0
Process injection Process 1224 called NtSetContextThread to modify thread in remote process 2608
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 7740622
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000003bc
process_identifier: 2608
1 0 0
Process injection Process 1224 resumed a thread in remote process 2608
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000003bc
suspend_count: 1
process_identifier: 2608
1 0 0
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
description attempts to disable user access control registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 1224
1 0 0

NtResumeThread

 thread_handle: 0x00000150
suspend_count: 1
process_identifier: 1224
1 0 0

NtResumeThread

 thread_handle: 0x0000018c
suspend_count: 1
process_identifier: 1224
1 0 0

NtResumeThread

 thread_handle: 0x0000025c
suspend_count: 1
process_identifier: 1224
1 0 0

NtGetContextThread

 thread_handle: 0x000000e4
1 0 0

NtGetContextThread

 thread_handle: 0x000000e4
1 0 0

NtResumeThread

 thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 1224
1 0 0

CreateProcessInternalW

 thread_identifier: 1512
thread_handle: 0x000003e8
process_identifier: 2084
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\XtmkLSmftnsk6TlB.exe"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003f0
1 1 0

CreateProcessInternalW

 thread_identifier: 1304
thread_handle: 0x000003a0
process_identifier: 2416
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\hcKaeuO.exe"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003dc
1 1 0

CreateProcessInternalW

 thread_identifier: 2972
thread_handle: 0x00000394
process_identifier: 2948
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hcKaeuO" /XML "C:\Users\test22\AppData\Local\Temp\tmp18D6.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003f0
1 1 0

CreateProcessInternalW

 thread_identifier: 2160
thread_handle: 0x00000394
process_identifier: 2780
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\hcKaeuO.exe"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000040c
1 1 0

CreateProcessInternalW

 thread_identifier: 412
thread_handle: 0x000003bc
process_identifier: 2608
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\XtmkLSmftnsk6TlB.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\XtmkLSmftnsk6TlB.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000003a0
1 1 0

NtGetContextThread

 thread_handle: 0x000003bc
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2608
region_size: 3563520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003a0
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL­{{à" 0þ5 Î6 6@ `6@…t6W 6@6  H.textÔü5 þ5 `.rsrc 66@@.reloc @66@B
base_address: 0x00400000
process_identifier: 2608
process_handle: 0x000003a0
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00402000
process_identifier: 2608
process_handle: 0x000003a0
1 1 0

WriteProcessMemory

 buffer:  €8€P€h€ €  6tä&6êät4VS_VERSION_INFO½ïþRÔØRÔØ?ÔStringFileInfo°040904e4r-Comments˜¨g¨”¨g¨b¨u¨¨c¨c¨g¨b¨h¨w¨d¨d¨—¨i¨~¨›¨k¨g¨{¨g¨˜¨ª¨ƒ¨˜¨Œ¨•¨f¨“¨|¨¨Š¨‚¨h¨c¨b¨|¨—¨z¨j¨‚¨™¨„2CompanyName˜¨g¨”¨g¨b¨u¨¨c¨c¨g¨b¨h¨w¨d¨d¨—¨i¨~¨›¨k¨g¨{¨g¨˜¨ª¨ƒ¨˜¨Œ¨•¨f¨“¨|¨¨Š¨‚¨h¨c¨b¨|¨—¨z¨j¨‚¨™¨ Inc.‚-FileDescription˜¨g¨”¨g¨b¨u¨¨c¨c¨g¨b¨h¨w¨d¨d¨—¨i¨~¨›¨k¨g¨{¨g¨˜¨ª¨ƒ¨˜¨Œ¨•¨f¨“¨|¨¨Š¨‚¨h¨c¨b¨|¨—¨z¨j¨‚¨™¨<FileVersion2.850.472.468LLegalCopyrightAll Rights Reserved‚1InternalName˜¨g¨”¨g¨b¨u¨¨c¨c¨g¨b¨h¨w¨d¨d¨—¨i¨~¨›¨k¨g¨{¨g¨˜¨ª¨ƒ¨˜¨Œ¨•¨f¨“¨|¨¨Š¨‚¨h¨c¨b¨|¨—¨z¨j¨‚¨™¨.exe‚-LegalTrademarks˜¨g¨”¨g¨b¨u¨¨c¨c¨g¨b¨h¨w¨d¨d¨—¨i¨~¨›¨k¨g¨{¨g¨˜¨ª¨ƒ¨˜¨Œ¨•¨f¨“¨|¨¨Š¨‚¨h¨c¨b¨|¨—¨z¨j¨‚¨™¨Š1OriginalFilename˜¨g¨”¨g¨b¨u¨¨c¨c¨g¨b¨h¨w¨d¨d¨—¨i¨~¨›¨k¨g¨{¨g¨˜¨ª¨ƒ¨˜¨Œ¨•¨f¨“¨|¨¨Š¨‚¨h¨c¨b¨|¨—¨z¨j¨‚¨™¨.exez-ProductName˜¨g¨”¨g¨b¨u¨¨c¨c¨g¨b¨h¨w¨d¨d¨—¨i¨~¨›¨k¨g¨{¨g¨˜¨ª¨ƒ¨˜¨Œ¨•¨f¨“¨|¨¨Š¨‚¨h¨c¨b¨|¨—¨z¨j¨‚¨™¨@ProductVersion2.850.472.468DAssembly Version2.850.472.468DVarFileInfo$Translation<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>PA
base_address: 0x00762000
process_identifier: 2608
process_handle: 0x000003a0
1 1 0

WriteProcessMemory

 buffer: 6 Ð<
base_address: 0x00764000
process_identifier: 2608
process_handle: 0x000003a0
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2608
process_handle: 0x000003a0
1 1 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 7740622
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000003bc
process_identifier: 2608
1 0 0

NtResumeThread

 thread_handle: 0x000003bc
suspend_count: 1
process_identifier: 2608
1 0 0

NtResumeThread

 thread_handle: 0x00000404
suspend_count: 1
process_identifier: 1224
1 0 0

NtResumeThread

 thread_handle: 0x00000294
suspend_count: 1
process_identifier: 2084
1 0 0

NtResumeThread

 thread_handle: 0x000002e8
suspend_count: 1
process_identifier: 2084
1 0 0

NtResumeThread

 thread_handle: 0x00000444
suspend_count: 1
process_identifier: 2084
1 0 0

NtResumeThread

 thread_handle: 0x000004a4
suspend_count: 1
process_identifier: 2084
1 0 0

NtResumeThread

 thread_handle: 0x00000298
suspend_count: 1
process_identifier: 2416
1 0 0

NtResumeThread

 thread_handle: 0x000002ec
suspend_count: 1
process_identifier: 2416
1 0 0

NtResumeThread

 thread_handle: 0x00000448
suspend_count: 1
process_identifier: 2416
1 0 0

NtResumeThread

 thread_handle: 0x000004a8
suspend_count: 1
process_identifier: 2416
1 0 0

NtResumeThread

 thread_handle: 0x000002a4
suspend_count: 1
process_identifier: 2780
1 0 0

NtResumeThread

 thread_handle: 0x000002f8
suspend_count: 1
process_identifier: 2780
1 0 0

NtResumeThread

 thread_handle: 0x00000454
suspend_count: 1
process_identifier: 2780
1 0 0

NtResumeThread

 thread_handle: 0x000004b8
suspend_count: 1
process_identifier: 2780
1 0 0

NtResumeThread

 thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 2608
1 0 0

NtResumeThread

 thread_handle: 0x00000150
suspend_count: 1
process_identifier: 2608
1 0 0

NtResumeThread

 thread_handle: 0x000001c4
suspend_count: 1
process_identifier: 2608
1 0 0

NtResumeThread

 thread_handle: 0x00000218
suspend_count: 1
process_identifier: 2608
1 0 0

NtGetContextThread

 thread_handle: 0x000000e4
1 0 0

NtGetContextThread

 thread_handle: 0x000000e4
1 0 0

NtResumeThread

 thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 2608
1 0 0

CreateProcessInternalW

 thread_identifier: 2432
thread_handle: 0x000003c4
process_identifier: 2364
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\XtmkLSmftnsk6TlB.exe" -Force
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003cc
1 1 0

CreateProcessInternalW

 thread_identifier: 2180
thread_handle: 0x0000039c
process_identifier: 1124
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d40985x850f7J2xq4181rcOfck8XYgbzLp35d2z94kn059G.exe" -Force
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003cc
1 1 0

CreateProcessInternalW

 thread_identifier: 2576
thread_handle: 0x00000284
process_identifier: 3032
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d40985x850f7J2xq4181rcOfck8XYgbzLp35d2z94kn059G.exe" -Force
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003d0
1 1 0

CreateProcessInternalW

 thread_identifier: 1488
thread_handle: 0x0000039c
process_identifier: 1364
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\XtmkLSmftnsk6TlB.exe" -Force
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003c4
1 1 0

CreateProcessInternalW

 thread_identifier: 2828
thread_handle: 0x00000410
process_identifier: 236
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d40985x850f7J2xq4181rcOfck8XYgbzLp35d2z94kn059G.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d40985x850f7J2xq4181rcOfck8XYgbzLp35d2z94kn059G.exe"
filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d40985x850f7J2xq4181rcOfck8XYgbzLp35d2z94kn059G.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000042c
1 1 0

CreateProcessInternalW

 thread_identifier: 2920
thread_handle: 0x00000424
process_identifier: 604
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\nbc38S293k9c4Rf2Yac\svchost.exe" -Force
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000043c
1 1 0

CreateProcessInternalW

 thread_identifier: 1320
thread_handle: 0x00000428
process_identifier: 1556
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\XtmkLSmftnsk6TlB.exe" -Force
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000438
1 1 0

CreateProcessInternalW

 thread_identifier: 2100
thread_handle: 0x00000434
process_identifier: 2164
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\nbc38S293k9c4Rf2Yac\svchost.exe" -Force
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000043c
1 1 0

NtResumeThread

 thread_handle: 0x000002a4
suspend_count: 1
process_identifier: 2364
1 0 0
Cynet Malicious (score: 99)
McAfee PWS-FCXD!B4E2699346CE
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Backdoor.MSIL.Androm.gen
K7AntiVirus Trojan ( 0057dccf1 )
BitDefender Trojan.GenericKD.46460655
K7GW Trojan ( 0057dccf1 )
Arcabit Trojan.Generic.D2C4EEEF
Cyren W32/MSIL_Agent.CAE.gen!Eldorado
ESET-NOD32 a variant of MSIL/Kryptik.ABJN
APEX Malicious
Avast Win32:MalwareX-gen [Trj]
Kaspersky HEUR:Backdoor.MSIL.Androm.gen
Alibaba Backdoor:MSIL/AgentTesla.e934e1c9
ViRobot Trojan.Win32.Z.Packednet.1206272
AegisLab Trojan.MSIL.Androm.m!c
MicroWorld-eScan Trojan.GenericKD.46460655
Rising Trojan.Kryptik/MSIL!1.D720 (CLASSIC)
Ad-Aware Trojan.GenericKD.46460655
Emsisoft Trojan.Formbook (A)
DrWeb Trojan.PackedNET.832
TrendMicro Backdoor.MSIL.ANDROM.USMANF921
FireEye Trojan.GenericKD.46460655
MaxSecure Trojan.Malware.300983.susgen
Avira TR/Kryptik.moqnc
Gridinsoft Trojan.Win32.Packed.dd!n
Microsoft Trojan:MSIL/AgentTesla.BHT!MTB
GData MSIL.Trojan.PSE.1XSW3H7
AhnLab-V3 Malware/Win.Generic.C4521540
Malwarebytes Trojan.Crypt.MSIL
Panda Trj/GdSda.A
TrendMicro-HouseCall Backdoor.MSIL.ANDROM.USMANF921
Ikarus Trojan.MSIL.Inject
Fortinet MSIL/Kryptik.ABJN!tr
Webroot W32.Trojan.Gen
AVG Win32:MalwareX-gen [Trj]
Paloalto generic.ml
CrowdStrike win/malicious_confidence_60% (W)