Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 13, 2021, 9:28 a.m.	July 13, 2021, 9:36 a.m.

Size	919.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`ccffa416d71ae9cec2a09136a87a656e`
SHA256	`5750ac496c4e8a62e2f46af468ec5a2fdbfd9e13c681644f5d1f2269e3458aad`
CRC32	`6E1238C4`
ssdeep	`12288:rrmbo+xNsxvOmQO+tOJv21H7AwQLlvxiBBbqMSJXiuXZX/6B0cev5:riEENs4mQO+Q+Z8wQLlvxiGMSNbd/66`
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

QoVOGG.exe "C:\Users\test22\AppData\Local\Temp\QoVOGG.exe"
2428
netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\AddInProcess32.exe" "AddInProcess32.exe" ENABLE
2996

Name	Response	Post-Analysis Lookup
www.google.com	A 216.58.220.196	142.250.196.132

IP Address	Status	Action
13.107.21.200	Active	Moloch
164.124.101.2	Active	Moloch
194.5.98.210	Active	Moloch
216.58.220.196	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 13, 2021, 9:28 a.m.			0	0
IsDebuggerPresent July 13, 2021, 9:28 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA July 13, 2021, 9:28 a.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1	0
WriteConsoleA July 13, 2021, 9:28 a.m.	buffer: Ok. console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 13, 2021, 9:28 a.m.		1	1	0

One or more processes crashed (27 events)

Time & API	Arguments	Status
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37125028 registers.esi: 37128112 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37125136 registers.esi: 37153680 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37125244 registers.esi: 37160904 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37125352 registers.esi: 37168128 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37125460 registers.esi: 37175352 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37125568 registers.esi: 37182576 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37125676 registers.esi: 37189800 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37125784 registers.esi: 37197024 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37125892 registers.esi: 37204256 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37126000 registers.esi: 37211488 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37126108 registers.esi: 37218720 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37126216 registers.esi: 37225944 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37126324 registers.esi: 37233168 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37126432 registers.esi: 37240400 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37126540 registers.esi: 37247632 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37126648 registers.esi: 37254856 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37126756 registers.esi: 37262088 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37126864 registers.esi: 37269312 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37126972 registers.esi: 37276536 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37127080 registers.esi: 37283760 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37127188 registers.esi: 37290984 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37127296 registers.esi: 37298216 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37127404 registers.esi: 37305440 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37127512 registers.esi: 37312672 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37127620 registers.esi: 37319904 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37127728 registers.esi: 37327128 registers.ecx: 1917865262	1
__exception__ July 13, 2021, 9:28 a.m.	stacktrace: 0x872eca 0x872c30 0x872799 0x870162 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x740b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x740c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x740c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74177610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74201dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74201e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74201f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7420416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7475f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 89 45 c8 83 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c18 registers.esp: 3600156 registers.edi: 37128816 registers.eax: 0 registers.ebp: 3600244 registers.edx: 0 registers.ebx: 37127836 registers.esi: 37334360 registers.ecx: 1917865262	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET https://www.google.com/
suspicious_features	GET method with no useragent header				suspicious_request	GET https://www.bing.com/

Performs some HTTP requests (2 events)

request	GET https://www.google.com/
request	GET https://www.bing.com/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 89 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740b1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740b2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02100000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00871000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00872000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00537000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00873000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00874000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00875000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0529f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05290000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00876000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00877000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00878000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6eca2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00879000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0087a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05291000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0087b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0087c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0087d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0087e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0087f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05871000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 15872 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05880400 process_handle: 0xffffffff		3221225550
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05872000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05873000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05874000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05875000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 13, 2021, 9:28 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 13, 2021, 9:28 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (2 events)

host	13.107.21.200
host	194.5.98.210

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2776 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000684	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation July 13, 2021, 9:28 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

QoVOGG.exe tried to sleep 8184529 seconds, actually delayed analysis time by 8184529 seconds

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2428 manipulating memory of non-child process 2776
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2776 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000684	1	0	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2428 injected into non-child 2776
WriteProcessMemory July 13, 2021, 9:28 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELéi"`àV~t @ @0tK H.textT V `.relocX@B base_address: 0x00400000 process_identifier: 2776 process_handle: 0x00000684	1	1	0
WriteProcessMemory July 13, 2021, 9:28 a.m.	buffer: p4 base_address: 0x00408000 process_identifier: 2776 process_handle: 0x00000684	1	1	0
WriteProcessMemory July 13, 2021, 9:28 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2776 process_handle: 0x00000684	1	1	0

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2428 injected into non-child 2776
WriteProcessMemory July 13, 2021, 9:28 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELéi"`àV~t @ @0tK H.textT V `.relocX@B base_address: 0x00400000 process_identifier: 2776 process_handle: 0x00000684	1	1	0

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.ccffa416d71ae9ce
McAfee	Artemis!CCFFA416D71A
Cylance	Unsafe
BitDefenderTheta	Gen:NN.ZemsilF.34790.5m0@aW2Nygl
Cyren	W32/MSIL_Kryptik.CWX.gen!Eldorado
Symantec	MSIL.Packed.2
ESET-NOD32	a variant of MSIL/GenKryptik.FHMC
APEX	Malicious
Kaspersky	UDS:Backdoor.MSIL.Bladabindi.gen
Avast	Win32:TrojanX-gen [Trj]
McAfee-GW-Edition	Artemis!Trojan
SentinelOne	Static AI - Malicious PE
Microsoft	Trojan:Win32/AgentTesla!ml
Malwarebytes	Trojan.MZCrypt.MSIL.Generic
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.ABWU!tr
AVG	Win32:TrojanX-gen [Trj]
CrowdStrike	win/malicious_confidence_80% (W)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2428 called NtSetContextThread to modify thread in remote process 2776
NtSetContextThread July 13, 2021, 9:28 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4224126 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000680 process_identifier: 2776	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\QoVOGG.exe\:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2428 resumed a thread in remote process 2776
NtResumeThread July 13, 2021, 9:28 a.m.	thread_handle: 0x00000680 suspend_count: 1 process_identifier: 2776	1	0	0

Executed a process and injected code into it, probably while unpacking (25 events)

Time & API	Arguments	Status	Return
NtResumeThread July 13, 2021, 9:28 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread July 13, 2021, 9:28 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread July 13, 2021, 9:28 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread July 13, 2021, 9:28 a.m.	thread_handle: 0x00000348 suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread July 13, 2021, 9:28 a.m.	thread_handle: 0x000005fc suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread July 13, 2021, 9:28 a.m.	thread_handle: 0x00000624 suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread July 13, 2021, 9:28 a.m.	thread_handle: 0x00000648 suspend_count: 1 process_identifier: 2428	1	0
NtGetContextThread July 13, 2021, 9:28 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 13, 2021, 9:28 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 13, 2021, 9:28 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2428	1	0
NtGetContextThread July 13, 2021, 9:28 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 13, 2021, 9:28 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 13, 2021, 9:28 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread July 13, 2021, 9:28 a.m.	thread_handle: 0x00000668 suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread July 13, 2021, 9:28 a.m.	thread_handle: 0x0000067c suspend_count: 1 process_identifier: 2428	1	0
CreateProcessInternalW July 13, 2021, 9:28 a.m.	thread_identifier: 2780 thread_handle: 0x00000680 process_identifier: 2776 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\AddInProcess32.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\AddInProcess32.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\AddInProcess32.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000684	1	1
NtGetContextThread July 13, 2021, 9:28 a.m.	thread_handle: 0x00000680	1	0
NtAllocateVirtualMemory July 13, 2021, 9:28 a.m.	process_identifier: 2776 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000684	1	0
WriteProcessMemory July 13, 2021, 9:28 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELéi"`àV~t @ @0tK H.textT V `.relocX@B base_address: 0x00400000 process_identifier: 2776 process_handle: 0x00000684	1	1
WriteProcessMemory July 13, 2021, 9:28 a.m.	buffer: base_address: 0x00402000 process_identifier: 2776 process_handle: 0x00000684	1	1
WriteProcessMemory July 13, 2021, 9:28 a.m.	buffer: p4 base_address: 0x00408000 process_identifier: 2776 process_handle: 0x00000684	1	1
WriteProcessMemory July 13, 2021, 9:28 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2776 process_handle: 0x00000684	1	1
NtSetContextThread July 13, 2021, 9:28 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4224126 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000680 process_identifier: 2776	1	0
NtResumeThread July 13, 2021, 9:28 a.m.	thread_handle: 0x00000680 suspend_count: 1 process_identifier: 2776	1	0
NtResumeThread July 13, 2021, 9:28 a.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 2996	1	0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (19 events)

dead_host	192.168.56.102:49172
dead_host	192.168.56.102:49167
dead_host	192.168.56.102:49176
dead_host	192.168.56.102:49171
dead_host	192.168.56.102:49180
dead_host	192.168.56.102:49175
dead_host	194.5.98.210:4040
dead_host	192.168.56.102:49179
dead_host	192.168.56.102:49170
dead_host	192.168.56.102:49183
dead_host	192.168.56.102:49174
dead_host	192.168.56.102:49178
dead_host	192.168.56.102:49182
dead_host	192.168.56.102:49169
dead_host	192.168.56.102:49173
dead_host	192.168.56.102:49184
dead_host	192.168.56.102:49177
dead_host	192.168.56.102:49168
dead_host	192.168.56.102:49181

QoVOGG.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All