Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 18, 2021, 11:18 a.m.	Aug. 18, 2021, 11:33 a.m.

Size	3.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`0dad0861840cb73b4cefce3dcce28fa5`
SHA256	`37882a4a0aaf84e2f3c063de493fedbf2233c31c7bd146c79059dd1ae914e2f4`
CRC32	`C71A602B`
ssdeep	`49152:3P+LLajA0Rtg0xD9enMqcKAEVcnidEl4ZquTONy1kH6oVVvkof5XMdXpqzHZa:3Guzg0VYXPVRKl4ZqpvVVvhfGFpe5a`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) IsPE32 - (no description) themida_packer - themida packer

oy.exe "C:\Users\test22\AppData\Local\Temp\oy.exe"
1608
- bin.exe "C:\Users\test22\AppData\Local\Temp\bin.exe"
  2248

Name	Response	Post-Analysis Lookup
tospititouaromatos.shop	A 157.90.210.32	157.90.210.32

IP Address	Status	Action
157.90.210.32	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 18, 2021, 11:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 11:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 11:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 11:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 11:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 11:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 11:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 11:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 11:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 11:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 11:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 11:18 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 18, 2021, 11:18 a.m.			0	0
IsDebuggerPresent Aug. 18, 2021, 11:18 a.m.			0	0
IsDebuggerPresent Aug. 18, 2021, 11:18 a.m.			0	0
IsDebuggerPresent Aug. 18, 2021, 11:18 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (9 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 18, 2021, 11:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007f8bf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 11:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007f8bf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 11:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007f8df8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 11:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007f81f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 11:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007f8838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 11:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007f8838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 11:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005828b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 11:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005828b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 11:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582ff8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 18, 2021, 11:18 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)

section
section	.imports
section	.themida
section	.boot

One or more processes crashed (17 events)

Time & API	Arguments	Status
__exception__ Aug. 18, 2021, 11:18 a.m.	stacktrace: oy+0x4a9a92 @ 0x1709a92 oy+0x4afeba @ 0x170feba exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 41 9d d0 8b 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 4586300 registers.edi: 19431424 registers.eax: 4586300 registers.ebp: 4586380 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 2008380459 registers.ecx: 3897491456	1
__exception__ Aug. 18, 2021, 11:18 a.m.	stacktrace: exception.instruction_r: ed e9 4b 84 00 00 c3 e9 33 83 f1 ff a3 0d 0a 2e exception.symbol: oy+0x4e95b3 exception.instruction: in eax, dx exception.module: oy.exe exception.exception_code: 0xc0000096 exception.offset: 5150131 exception.address: 0x17495b3 registers.esp: 4586420 registers.edi: 21676579 registers.eax: 1750617430 registers.ebp: 19431424 registers.edx: 8018006 registers.ebx: 19267584 registers.esi: 2539784 registers.ecx: 20	1
__exception__ Aug. 18, 2021, 11:18 a.m.	stacktrace: exception.instruction_r: ed e9 82 0d 01 00 47 35 02 00 08 f3 ff ff 47 28 exception.symbol: oy+0x4dc130 exception.instruction: in eax, dx exception.module: oy.exe exception.exception_code: 0xc0000096 exception.offset: 5095728 exception.address: 0x173c130 registers.esp: 4586420 registers.edi: 21676579 registers.eax: 1447909480 registers.ebp: 19431424 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 2539784 registers.ecx: 10	1
__exception__ Aug. 18, 2021, 11:18 a.m.	stacktrace: oy+0x2ce613 @ 0x152e613 mscorlib+0x38cf8b @ 0x7256cf8b mscorlib+0x308c92 @ 0x724e8c92 mscorlib+0x308be1 @ 0x724e8be1 mscorlib+0x308ac5 @ 0x724e8ac5 mscorlib+0x2d4b22 @ 0x724b4b22 microsoft+0x13fd86 @ 0x7110fd86 microsoft+0x13fd55 @ 0x7110fd55 microsoft+0x151999 @ 0x71121999 microsoft+0x13b1f4 @ 0x7110b1f4 0x6e2469 0x30a0df system+0x1f9799 @ 0x70409799 system+0x1f92c8 @ 0x704092c8 system+0x1eca74 @ 0x703fca74 system+0x1ec868 @ 0x703fc868 system+0x1f82b8 @ 0x704082b8 system+0x1ee54d @ 0x703fe54d system+0x1f70ea @ 0x704070ea system+0x1e56c0 @ 0x703f56c0 system+0x1f8215 @ 0x70408215 system+0x1f6f75 @ 0x70406f75 system+0x1ee251 @ 0x703fe251 system+0x1ee229 @ 0x703fe229 system+0x1ee170 @ 0x703fe170 0x31a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75576de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75576e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77af011a system+0x1ebc85 @ 0x703fbc85 system+0x1f683b @ 0x7040683b system+0x1a5e44 @ 0x703b5e44 system+0x1fd8a0 @ 0x7040d8a0 system+0x1fd792 @ 0x7040d792 system+0x72eea0 @ 0x7093eea0 microsoft+0x129f21 @ 0x710f9f21 microsoft+0x12ad86 @ 0x710fad86 microsoft+0x12b191 @ 0x710fb191 0x6e010d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 exception.instruction_r: f3 a4 e9 00 00 00 00 e9 b0 b2 01 00 8c 00 8c 00 exception.symbol: oy+0x35d874 exception.instruction: movsb byte ptr es:[edi], byte ptr [esi] exception.module: oy.exe exception.exception_code: 0xc0000005 exception.offset: 3528820 exception.address: 0x15bd874 registers.esp: 4581200 registers.edi: 69452424 registers.eax: 8585216 registers.ebp: 4581224 registers.edx: 0 registers.ebx: 0 registers.esi: 19378176 registers.ecx: 8470528	1
__exception__ Aug. 18, 2021, 11:18 a.m.	stacktrace: oy+0x2ce613 @ 0x152e613 mscorlib+0x38cf8b @ 0x7256cf8b mscorlib+0x308c92 @ 0x724e8c92 mscorlib+0x308be1 @ 0x724e8be1 mscorlib+0x308ac5 @ 0x724e8ac5 mscorlib+0x2d4b22 @ 0x724b4b22 microsoft+0x13fd86 @ 0x7110fd86 microsoft+0x13fd55 @ 0x7110fd55 microsoft+0x151999 @ 0x71121999 microsoft+0x13b1f4 @ 0x7110b1f4 0x6e2469 0x30a0df system+0x1f9799 @ 0x70409799 system+0x1f92c8 @ 0x704092c8 system+0x1eca74 @ 0x703fca74 system+0x1ec868 @ 0x703fc868 system+0x1f82b8 @ 0x704082b8 system+0x1ee54d @ 0x703fe54d system+0x1f70ea @ 0x704070ea system+0x1e56c0 @ 0x703f56c0 system+0x1f8215 @ 0x70408215 system+0x1f6f75 @ 0x70406f75 system+0x1ee251 @ 0x703fe251 system+0x1ee229 @ 0x703fe229 system+0x1ee170 @ 0x703fe170 0x31a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75576de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75576e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77af011a system+0x1ebc85 @ 0x703fbc85 system+0x1f683b @ 0x7040683b system+0x1a5e44 @ 0x703b5e44 system+0x1fd8a0 @ 0x7040d8a0 system+0x1fd792 @ 0x7040d792 system+0x72eea0 @ 0x7093eea0 microsoft+0x129f21 @ 0x710f9f21 microsoft+0x12ad86 @ 0x710fad86 microsoft+0x12b191 @ 0x710fb191 0x6e010d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 exception.instruction_r: f3 a4 e9 00 00 00 00 e9 44 81 01 00 65 00 00 7d exception.symbol: oy+0x34b690 exception.instruction: movsb byte ptr es:[edi], byte ptr [esi] exception.module: oy.exe exception.exception_code: 0xc0000005 exception.offset: 3454608 exception.address: 0x15ab690 registers.esp: 4581200 registers.edi: 78189192 registers.eax: 8470528 registers.ebp: 4581224 registers.edx: 1990475475 registers.ebx: 0 registers.esi: 28114944 registers.ecx: 524288	1
__exception__ Aug. 18, 2021, 11:18 a.m.	stacktrace: oy+0x2ce613 @ 0x152e613 mscorlib+0x38cf8b @ 0x7256cf8b mscorlib+0x308c92 @ 0x724e8c92 mscorlib+0x308be1 @ 0x724e8be1 mscorlib+0x308ac5 @ 0x724e8ac5 mscorlib+0x2d4b22 @ 0x724b4b22 microsoft+0x13fd86 @ 0x7110fd86 microsoft+0x13fd55 @ 0x7110fd55 microsoft+0x151999 @ 0x71121999 microsoft+0x13b1f4 @ 0x7110b1f4 0x6e2469 0x30a0df system+0x1f9799 @ 0x70409799 system+0x1f92c8 @ 0x704092c8 system+0x1eca74 @ 0x703fca74 system+0x1ec868 @ 0x703fc868 system+0x1f82b8 @ 0x704082b8 system+0x1ee54d @ 0x703fe54d system+0x1f70ea @ 0x704070ea system+0x1e56c0 @ 0x703f56c0 system+0x1f8215 @ 0x70408215 system+0x1f6f75 @ 0x70406f75 system+0x1ee251 @ 0x703fe251 system+0x1ee229 @ 0x703fe229 system+0x1ee170 @ 0x703fe170 0x31a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75576de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75576e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77af011a system+0x1ebc85 @ 0x703fbc85 system+0x1f683b @ 0x7040683b system+0x1a5e44 @ 0x703b5e44 system+0x1fd8a0 @ 0x7040d8a0 system+0x1fd792 @ 0x7040d792 system+0x72eea0 @ 0x7093eea0 microsoft+0x129f21 @ 0x710f9f21 microsoft+0x12ad86 @ 0x710fad86 microsoft+0x12b191 @ 0x710fb191 0x6e010d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 exception.instruction_r: f3 a4 e9 00 00 00 00 e9 44 81 01 00 65 00 00 7d exception.symbol: oy+0x34b690 exception.instruction: movsb byte ptr es:[edi], byte ptr [esi] exception.module: oy.exe exception.exception_code: 0xc0000005 exception.offset: 3454608 exception.address: 0x15ab690 registers.esp: 4581200 registers.edi: 78189192 registers.eax: 524288 registers.ebp: 4581224 registers.edx: 1990475475 registers.ebx: 0 registers.esi: 28114944 registers.ecx: 524288	1
__exception__ Aug. 18, 2021, 11:18 a.m.	stacktrace: 0x6e3ae3 0x6e3a35 0x6e334a 0x6e25c7 0x30a0df system+0x1f9799 @ 0x70409799 system+0x1f92c8 @ 0x704092c8 system+0x1eca74 @ 0x703fca74 system+0x1ec868 @ 0x703fc868 system+0x1f82b8 @ 0x704082b8 system+0x1ee54d @ 0x703fe54d system+0x1f70ea @ 0x704070ea system+0x1e56c0 @ 0x703f56c0 system+0x1f8215 @ 0x70408215 system+0x1f6f75 @ 0x70406f75 system+0x1ee251 @ 0x703fe251 system+0x1ee229 @ 0x703fe229 system+0x1ee170 @ 0x703fe170 0x31a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75576de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75576e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77af011a system+0x1ebc85 @ 0x703fbc85 system+0x1f683b @ 0x7040683b system+0x1a5e44 @ 0x703b5e44 system+0x1fd8a0 @ 0x7040d8a0 system+0x1fd792 @ 0x7040d792 system+0x72eea0 @ 0x7093eea0 microsoft+0x129f21 @ 0x710f9f21 microsoft+0x12ad86 @ 0x710fad86 microsoft+0x12b191 @ 0x710fb191 0x6e010d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 a8 8b 45 a8 89 45 cc exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6e3ba9 registers.esp: 4581324 registers.edi: 4581404 registers.eax: 0 registers.ebp: 4581416 registers.edx: 8217648 registers.ebx: 8217648 registers.esi: 53951080 registers.ecx: 0	1
__exception__ Aug. 18, 2021, 11:18 a.m.	stacktrace: 0x6e3ae3 0x6e3a35 0x6e3376 0x6e25c7 0x30a0df system+0x1f9799 @ 0x70409799 system+0x1f92c8 @ 0x704092c8 system+0x1eca74 @ 0x703fca74 system+0x1ec868 @ 0x703fc868 system+0x1f82b8 @ 0x704082b8 system+0x1ee54d @ 0x703fe54d system+0x1f70ea @ 0x704070ea system+0x1e56c0 @ 0x703f56c0 system+0x1f8215 @ 0x70408215 system+0x1f6f75 @ 0x70406f75 system+0x1ee251 @ 0x703fe251 system+0x1ee229 @ 0x703fe229 system+0x1ee170 @ 0x703fe170 0x31a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75576de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75576e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77af011a system+0x1ebc85 @ 0x703fbc85 system+0x1f683b @ 0x7040683b system+0x1a5e44 @ 0x703b5e44 system+0x1fd8a0 @ 0x7040d8a0 system+0x1fd792 @ 0x7040d792 system+0x72eea0 @ 0x7093eea0 microsoft+0x129f21 @ 0x710f9f21 microsoft+0x12ad86 @ 0x710fad86 microsoft+0x12b191 @ 0x710fb191 0x6e010d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 a8 8b 45 a8 89 45 cc exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6e3ba9 registers.esp: 4581324 registers.edi: 4581404 registers.eax: 0 registers.ebp: 4581416 registers.edx: 8217648 registers.ebx: 8217648 registers.esi: 53951080 registers.ecx: 0	1
__exception__ Aug. 18, 2021, 11:18 a.m.	stacktrace: 0x6e3ae3 0x6e3a35 0x6e33a2 0x6e25c7 0x30a0df system+0x1f9799 @ 0x70409799 system+0x1f92c8 @ 0x704092c8 system+0x1eca74 @ 0x703fca74 system+0x1ec868 @ 0x703fc868 system+0x1f82b8 @ 0x704082b8 system+0x1ee54d @ 0x703fe54d system+0x1f70ea @ 0x704070ea system+0x1e56c0 @ 0x703f56c0 system+0x1f8215 @ 0x70408215 system+0x1f6f75 @ 0x70406f75 system+0x1ee251 @ 0x703fe251 system+0x1ee229 @ 0x703fe229 system+0x1ee170 @ 0x703fe170 0x31a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75576de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75576e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77af011a system+0x1ebc85 @ 0x703fbc85 system+0x1f683b @ 0x7040683b system+0x1a5e44 @ 0x703b5e44 system+0x1fd8a0 @ 0x7040d8a0 system+0x1fd792 @ 0x7040d792 system+0x72eea0 @ 0x7093eea0 microsoft+0x129f21 @ 0x710f9f21 microsoft+0x12ad86 @ 0x710fad86 microsoft+0x12b191 @ 0x710fb191 0x6e010d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 a8 8b 45 a8 89 45 cc exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6e3ba9 registers.esp: 4581324 registers.edi: 4581404 registers.eax: 0 registers.ebp: 4581416 registers.edx: 8217648 registers.ebx: 8217648 registers.esi: 53951080 registers.ecx: 0	1
__exception__ Aug. 18, 2021, 11:18 a.m.	stacktrace: 0x6ea665 0x6e2e9f 0x30a0df system+0x1f9799 @ 0x70409799 system+0x1f92c8 @ 0x704092c8 system+0x1eca74 @ 0x703fca74 system+0x1ec868 @ 0x703fc868 system+0x1f82b8 @ 0x704082b8 system+0x1ee54d @ 0x703fe54d system+0x1f70ea @ 0x704070ea system+0x1e56c0 @ 0x703f56c0 system+0x1f8215 @ 0x70408215 system+0x1f6f75 @ 0x70406f75 system+0x1ee251 @ 0x703fe251 system+0x1ee229 @ 0x703fe229 system+0x1ee170 @ 0x703fe170 0x31a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75576de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75576e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77af011a system+0x1ebc85 @ 0x703fbc85 system+0x1f683b @ 0x7040683b system+0x1a5e44 @ 0x703b5e44 system+0x1fd8a0 @ 0x7040d8a0 system+0x1fd792 @ 0x7040d792 system+0x72eea0 @ 0x7093eea0 microsoft+0x129f21 @ 0x710f9f21 microsoft+0x12ad86 @ 0x710fad86 microsoft+0x12b191 @ 0x710fb191 0x6e010d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 ac 8b 45 ac 89 45 cc exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6ea881 registers.esp: 4581460 registers.edi: 4581536 registers.eax: 0 registers.ebp: 4581544 registers.edx: 195 registers.ebx: 8217648 registers.esi: 52534448 registers.ecx: 0	1
__exception__ Aug. 18, 2021, 11:18 a.m.	stacktrace: 0x6ea953 0x6e2ead 0x30a0df system+0x1f9799 @ 0x70409799 system+0x1f92c8 @ 0x704092c8 system+0x1eca74 @ 0x703fca74 system+0x1ec868 @ 0x703fc868 system+0x1f82b8 @ 0x704082b8 system+0x1ee54d @ 0x703fe54d system+0x1f70ea @ 0x704070ea system+0x1e56c0 @ 0x703f56c0 system+0x1f8215 @ 0x70408215 system+0x1f6f75 @ 0x70406f75 system+0x1ee251 @ 0x703fe251 system+0x1ee229 @ 0x703fe229 system+0x1ee170 @ 0x703fe170 0x31a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75576de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75576e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77af011a system+0x1ebc85 @ 0x703fbc85 system+0x1f683b @ 0x7040683b system+0x1a5e44 @ 0x703b5e44 system+0x1fd8a0 @ 0x7040d8a0 system+0x1fd792 @ 0x7040d792 system+0x72eea0 @ 0x7093eea0 microsoft+0x129f21 @ 0x710f9f21 microsoft+0x12ad86 @ 0x710fad86 microsoft+0x12b191 @ 0x710fb191 0x6e010d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 ac 8b 45 ac 89 45 cc exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6ea881 registers.esp: 4581492 registers.edi: 4581568 registers.eax: 0 registers.ebp: 4581576 registers.edx: 195 registers.ebx: 8217648 registers.esi: 52534448 registers.ecx: 0	1
__exception__ Aug. 18, 2021, 11:19 a.m.	stacktrace: 0xe28511d system+0x1e5c55 @ 0x703f5c55 system+0x1ee170 @ 0x703fe170 0x31a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7557788a system+0x2093cc @ 0x704193cc system+0x1fdca1 @ 0x7040dca1 system+0x1fd921 @ 0x7040d921 system+0x1fd792 @ 0x7040d792 system+0x72eea0 @ 0x7093eea0 microsoft+0x129f21 @ 0x710f9f21 microsoft+0x12ad86 @ 0x710fad86 microsoft+0x12b191 @ 0x710fb191 0x6e010d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 ac 8b 45 ac 89 45 cc exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6ea881 registers.esp: 4582524 registers.edi: 4582600 registers.eax: 0 registers.ebp: 4582608 registers.edx: 195 registers.ebx: 4582884 registers.esi: 52534448 registers.ecx: 0	1
__exception__ Aug. 18, 2021, 11:20 a.m.	stacktrace: 0xe28511d system+0x1e5c55 @ 0x703f5c55 system+0x1ee170 @ 0x703fe170 0x31a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7557788a system+0x2093cc @ 0x704193cc system+0x1fdca1 @ 0x7040dca1 system+0x1fd921 @ 0x7040d921 system+0x1fd792 @ 0x7040d792 system+0x730667 @ 0x70940667 system+0x7555fc @ 0x709655fc system+0x7552b7 @ 0x709652b7 system+0x9515e2 @ 0x70b615e2 system+0x1ee18b @ 0x703fe18b 0x31a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7557788a system+0x2093cc @ 0x704193cc system+0x1fdca1 @ 0x7040dca1 system+0x1fd921 @ 0x7040d921 system+0x1fd792 @ 0x7040d792 system+0x72eea0 @ 0x7093eea0 microsoft+0x129f21 @ 0x710f9f21 microsoft+0x12ad86 @ 0x710fad86 microsoft+0x12b191 @ 0x710fb191 0x6e010d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 ac 8b 45 ac 89 45 cc exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6ea881 registers.esp: 4576908 registers.edi: 4576984 registers.eax: 0 registers.ebp: 4576992 registers.edx: 195 registers.ebx: 4577268 registers.esi: 52528752 registers.ecx: 0	1
__exception__ Aug. 18, 2021, 11:18 a.m.	stacktrace: 0x8627eb 0x86273d 0x862052 0x8616af 0x40a0cb system+0x1f9799 @ 0x70409799 system+0x1f92c8 @ 0x704092c8 system+0x1eca74 @ 0x703fca74 system+0x1ec868 @ 0x703fc868 system+0x1f82b8 @ 0x704082b8 system+0x1ee54d @ 0x703fe54d system+0x1f70ea @ 0x704070ea system+0x1e56c0 @ 0x703f56c0 system+0x1f8215 @ 0x70408215 system+0x1f6f75 @ 0x70406f75 system+0x1ee251 @ 0x703fe251 system+0x1ee229 @ 0x703fe229 system+0x1ee170 @ 0x703fe170 0x41a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75576de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75576e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77af011a system+0x1ebc85 @ 0x703fbc85 system+0x1f683b @ 0x7040683b system+0x1a5e44 @ 0x703b5e44 system+0x1fd8a0 @ 0x7040d8a0 system+0x1fd792 @ 0x7040d792 system+0x72eea0 @ 0x7093eea0 microsoft+0x129f21 @ 0x710f9f21 microsoft+0x12ad86 @ 0x710fad86 microsoft+0x12b191 @ 0x710fb191 0x86010d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 a8 8b 45 a8 89 45 cc exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8628b1 registers.esp: 3205124 registers.edi: 3205204 registers.eax: 0 registers.ebp: 3205216 registers.edx: 5595000 registers.ebx: 5595000 registers.esi: 39107584 registers.ecx: 0	1
__exception__ Aug. 18, 2021, 11:18 a.m.	stacktrace: 0x8627eb 0x86273d 0x86207e 0x8616af 0x40a0cb system+0x1f9799 @ 0x70409799 system+0x1f92c8 @ 0x704092c8 system+0x1eca74 @ 0x703fca74 system+0x1ec868 @ 0x703fc868 system+0x1f82b8 @ 0x704082b8 system+0x1ee54d @ 0x703fe54d system+0x1f70ea @ 0x704070ea system+0x1e56c0 @ 0x703f56c0 system+0x1f8215 @ 0x70408215 system+0x1f6f75 @ 0x70406f75 system+0x1ee251 @ 0x703fe251 system+0x1ee229 @ 0x703fe229 system+0x1ee170 @ 0x703fe170 0x41a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75576de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75576e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77af011a system+0x1ebc85 @ 0x703fbc85 system+0x1f683b @ 0x7040683b system+0x1a5e44 @ 0x703b5e44 system+0x1fd8a0 @ 0x7040d8a0 system+0x1fd792 @ 0x7040d792 system+0x72eea0 @ 0x7093eea0 microsoft+0x129f21 @ 0x710f9f21 microsoft+0x12ad86 @ 0x710fad86 microsoft+0x12b191 @ 0x710fb191 0x86010d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 a8 8b 45 a8 89 45 cc exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8628b1 registers.esp: 3205124 registers.edi: 3205204 registers.eax: 0 registers.ebp: 3205216 registers.edx: 5595000 registers.ebx: 5595000 registers.esi: 39107584 registers.ecx: 0	1
__exception__ Aug. 18, 2021, 11:18 a.m.	stacktrace: 0x8627eb 0x86273d 0x8620aa 0x8616af 0x40a0cb system+0x1f9799 @ 0x70409799 system+0x1f92c8 @ 0x704092c8 system+0x1eca74 @ 0x703fca74 system+0x1ec868 @ 0x703fc868 system+0x1f82b8 @ 0x704082b8 system+0x1ee54d @ 0x703fe54d system+0x1f70ea @ 0x704070ea system+0x1e56c0 @ 0x703f56c0 system+0x1f8215 @ 0x70408215 system+0x1f6f75 @ 0x70406f75 system+0x1ee251 @ 0x703fe251 system+0x1ee229 @ 0x703fe229 system+0x1ee170 @ 0x703fe170 0x41a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75576de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75576e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77af011a system+0x1ebc85 @ 0x703fbc85 system+0x1f683b @ 0x7040683b system+0x1a5e44 @ 0x703b5e44 system+0x1fd8a0 @ 0x7040d8a0 system+0x1fd792 @ 0x7040d792 system+0x72eea0 @ 0x7093eea0 microsoft+0x129f21 @ 0x710f9f21 microsoft+0x12ad86 @ 0x710fad86 microsoft+0x12b191 @ 0x710fb191 0x86010d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 a8 8b 45 a8 89 45 cc exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8628b1 registers.esp: 3205124 registers.edi: 3205204 registers.eax: 0 registers.ebp: 3205216 registers.edx: 5595000 registers.ebx: 5595000 registers.esi: 39107584 registers.ecx: 0	1
__exception__ Aug. 18, 2021, 11:18 a.m.	stacktrace: 0x861ae0 0x40a0cb system+0x1f9799 @ 0x70409799 system+0x1f92c8 @ 0x704092c8 system+0x1eca74 @ 0x703fca74 system+0x1ec868 @ 0x703fc868 system+0x1f82b8 @ 0x704082b8 system+0x1ee54d @ 0x703fe54d system+0x1f70ea @ 0x704070ea system+0x1e56c0 @ 0x703f56c0 system+0x1f8215 @ 0x70408215 system+0x1f6f75 @ 0x70406f75 system+0x1ee251 @ 0x703fe251 system+0x1ee229 @ 0x703fe229 system+0x1ee170 @ 0x703fe170 0x41a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75576de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75576e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77af011a system+0x1ebc85 @ 0x703fbc85 system+0x1f683b @ 0x7040683b system+0x1a5e44 @ 0x703b5e44 system+0x1fd8a0 @ 0x7040d8a0 system+0x1fd792 @ 0x7040d792 system+0x72eea0 @ 0x7093eea0 microsoft+0x129f21 @ 0x710f9f21 microsoft+0x12ad86 @ 0x710fad86 microsoft+0x12b191 @ 0x710fb191 0x86010d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 ac 8b 45 ac 89 45 cc exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x862c41 registers.esp: 3205364 registers.edi: 3205440 registers.eax: 0 registers.ebp: 3205448 registers.edx: 195 registers.ebx: 5595000 registers.esi: 36019272 registers.ecx: 0	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://tospititouaromatos.shop/bot/cosanostra//config.json

Performs some HTTP requests (1 event)

request

GET http://tospititouaromatos.shop/bot/cosanostra//config.json

Allocates read-write-execute memory (usually to unpack itself) (50 out of 171 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75671000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a5c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75671000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a43000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75671000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75671000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a6c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a6d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a45000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x770d3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75670000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75671000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a63000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a68000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76abe000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a65000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a5c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7557f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75588000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a43000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75671000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a5a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a45000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a47000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a41000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

oy.exe tried to sleep 175 seconds, actually delayed analysis time by 175 seconds

Steals private information from local Internet browsers (3 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Cookies

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\c5e504606bceb80648bcecb9e1bfe1ee.exe
file	C:\Users\test22\AppData\Local\Temp\bin.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\bin.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\c5e504606bceb80648bcecb9e1bfe1ee.exe
file	C:\Users\test22\AppData\Local\Temp\bin.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 18, 2021, 11:18 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x00006def', u'virtual_address': u'0x00002000', u'entropy': 7.967888947564914, u'name': u' ', u'virtual_size': u'0x00018000'}

entropy

7.96788894756

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00000508', u'virtual_address': u'0x0001c000', u'entropy': 7.780067063864248, u'name': u' ', u'virtual_size': u'0x000031d0'}

entropy

7.78006706386

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x002f3446', u'virtual_address': u'0x0053c000', u'entropy': 7.961920685031901, u'name': u'.boot', u'virtual_size': u'0x002f3600'}

entropy

7.96192068503

description

A section with a high entropy has been found

entropy

0.995717750976

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 18, 2021, 11:18 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 18, 2021, 11:18 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Checks for the presence of known windows from debuggers and forensic tools (50 out of 159 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 18, 2021, 11:18 a.m.	class_name: Filemonclass window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Updater

reg_value

C:\Users\test22\AppData\Local\Temp\c5e504606bceb80648bcecb9e1bfe1ee.exe / start

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 18, 2021, 11:18 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 18, 2021, 11:18 a.m.	stacktrace: exception.instruction_r: ed e9 82 0d 01 00 47 35 02 00 08 f3 ff ff 47 28 exception.symbol: oy+0x4dc130 exception.instruction: in eax, dx exception.module: oy.exe exception.exception_code: 0xc0000096 exception.offset: 5095728 exception.address: 0x173c130 registers.esp: 4586420 registers.edi: 21676579 registers.eax: 1447909480 registers.ebp: 19431424 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 2539784 registers.ecx: 10	1	0	0

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Elastic	malicious (high confidence)
Qihoo-360	Win32/TrojanSpy.Generic.HxMBUDsA
ALYac	Trojan.GenericKD.37419619
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.37419619
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Generik.ESLHDHH
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	Trojan-Spy.Win32.Stealer.zwa
NANO-Antivirus	Virus.Win32.Gen-Crypt.ccnc
MicroWorld-eScan	Trojan.GenericKD.37419619
Avast	FileRepMalware
Rising	Trojan.Generic@ML.100 (RDML:5aE7OtFVdnKNK54im+NW+Q)
Ad-Aware	Trojan.GenericKD.37419619
Emsisoft	Trojan.GenericKD.37419619 (B)
DrWeb	Trojan.PWS.Siggen3.2209
McAfee-GW-Edition	BehavesLike.Win32.Generic.vc
FireEye	Generic.mg.0dad0861840cb73b
Sophos	Mal/Generic-S
Ikarus	Trojan-Spy.Agent
GData	Win32.Trojan.Agent.AXP
Webroot	W32.Trojan.Gen
Avira	HEUR/AGEN.1133632
Kingsoft	Win32.Heur.KVMH008.a.(kcloud)
Gridinsoft	Trojan.Heur!.032100A1
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Acronis	suspicious
McAfee	Artemis!0DAD0861840C
MAX	malware (ai score=89)
VBA32	BScope.Trojan.Wacatac
Malwarebytes	Trojan.MalPack.Generic
Tencent	Win32.Trojan-spy.Stealer.Isz
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_99%
Fortinet	PossibleThreat.PALLASNET.H
BitDefenderTheta	Gen:NN.ZexaF.34088.@I1@aaOhOBoi
AVG	FileRepMalware
MaxSecure	Trojan.Malware.300983.susgen

oy.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All