Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 9, 2021, 8:48 a.m.	Sept. 9, 2021, 8:50 a.m.

Size	774.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`68038cd6686e726c8d5fcfdf5b62d37a`
SHA256	`b70ee93e9f63d90785264d45dae48012a1d00b92f63c21ccae0f5d2003c00554`
CRC32	`67212C91`
ssdeep	`6144:5CZ5dEs7ZrwziKYDZ2/avaYvqfbUacyHeP/hz0Xkb5fjUOCMXjqfZPFVb/4rr7ZG:QZ5l7ZrwzLCMHHi5rUlI64rimoAryZV`
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe "C:\Users\test22\AppData\Local\Temp\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe"
1188

Name	Response	Post-Analysis Lookup
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.130.233

IP Address	Status	Action
162.159.133.233	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49164 -> 162.159.133.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49165 -> 162.159.133.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49164 162.159.133.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.102:49165 162.159.133.233:443	None	None	None

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (50 out of 124 events)

Time & API	Arguments	Status
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x77b2199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x77b2193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633068 registers.edi: 1633156 registers.eax: 23117 registers.ebp: 1633128 registers.edx: 0 registers.ebx: 0 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x77b3af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1632920 registers.edi: 1633016 registers.eax: 23117 registers.ebp: 1632980 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008160768	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x77b3ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x77b3af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633052 registers.edi: 1633140 registers.eax: 23117 registers.ebp: 1633112 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633176 registers.edi: 1633272 registers.eax: 23117 registers.ebp: 1633236 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008264192	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x77b2199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x77b2193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633068 registers.edi: 1633156 registers.eax: 23117 registers.ebp: 1633128 registers.edx: 0 registers.ebx: 0 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x77b3af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1632920 registers.edi: 1633016 registers.eax: 23117 registers.ebp: 1632980 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008160768	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x77b3ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x77b3af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633052 registers.edi: 1633140 registers.eax: 23117 registers.ebp: 1633112 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633176 registers.edi: 1633272 registers.eax: 23117 registers.ebp: 1633236 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008264192	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x77b2199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x77b2193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633068 registers.edi: 1633156 registers.eax: 23117 registers.ebp: 1633128 registers.edx: 0 registers.ebx: 0 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x77b3af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1632920 registers.edi: 1633016 registers.eax: 23117 registers.ebp: 1632980 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008160768	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x77b3ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x77b3af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633052 registers.edi: 1633140 registers.eax: 23117 registers.ebp: 1633112 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633176 registers.edi: 1633272 registers.eax: 23117 registers.ebp: 1633236 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008264192	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x77b2199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x77b2193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633068 registers.edi: 1633156 registers.eax: 23117 registers.ebp: 1633128 registers.edx: 0 registers.ebx: 0 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x77b3af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1632920 registers.edi: 1633016 registers.eax: 23117 registers.ebp: 1632980 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008160768	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x77b3ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x77b3af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633052 registers.edi: 1633140 registers.eax: 23117 registers.ebp: 1633112 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633176 registers.edi: 1633272 registers.eax: 23117 registers.ebp: 1633236 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008264192	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x77b2199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x77b2193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633068 registers.edi: 1633156 registers.eax: 23117 registers.ebp: 1633128 registers.edx: 0 registers.ebx: 0 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x77b3af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1632920 registers.edi: 1633016 registers.eax: 23117 registers.ebp: 1632980 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008160768	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x77b3ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x77b3af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633052 registers.edi: 1633140 registers.eax: 23117 registers.ebp: 1633112 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633176 registers.edi: 1633272 registers.eax: 23117 registers.ebp: 1633236 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008264192	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x77b2199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x77b2193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633068 registers.edi: 1633156 registers.eax: 23117 registers.ebp: 1633128 registers.edx: 0 registers.ebx: 0 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x77b3af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1632920 registers.edi: 1633016 registers.eax: 23117 registers.ebp: 1632980 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008160768	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x77b3ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x77b3af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633052 registers.edi: 1633140 registers.eax: 23117 registers.ebp: 1633112 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633176 registers.edi: 1633272 registers.eax: 23117 registers.ebp: 1633236 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008264192	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x77b2199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x77b2193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633068 registers.edi: 1633156 registers.eax: 23117 registers.ebp: 1633128 registers.edx: 0 registers.ebx: 0 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x77b3af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1632920 registers.edi: 1633016 registers.eax: 23117 registers.ebp: 1632980 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008160768	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x77b3ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x77b3af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633052 registers.edi: 1633140 registers.eax: 23117 registers.ebp: 1633112 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633176 registers.edi: 1633272 registers.eax: 23117 registers.ebp: 1633236 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008264192	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x77b2199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x77b2193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633068 registers.edi: 1633156 registers.eax: 23117 registers.ebp: 1633128 registers.edx: 0 registers.ebx: 0 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x77b3af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1632920 registers.edi: 1633016 registers.eax: 23117 registers.ebp: 1632980 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008160768	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x77b3ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x77b3af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633052 registers.edi: 1633140 registers.eax: 23117 registers.ebp: 1633112 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633176 registers.edi: 1633272 registers.eax: 23117 registers.ebp: 1633236 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008264192	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x77b2199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x77b2193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633068 registers.edi: 1633156 registers.eax: 23117 registers.ebp: 1633128 registers.edx: 0 registers.ebx: 0 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x77b3af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1632920 registers.edi: 1633016 registers.eax: 23117 registers.ebp: 1632980 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008160768	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x77b3ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x77b3af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633052 registers.edi: 1633140 registers.eax: 23117 registers.ebp: 1633112 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633176 registers.edi: 1633272 registers.eax: 23117 registers.ebp: 1633236 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008264192	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x77b2199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x77b2193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633068 registers.edi: 1633156 registers.eax: 23117 registers.ebp: 1633128 registers.edx: 0 registers.ebx: 0 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x77b3af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1632920 registers.edi: 1633016 registers.eax: 23117 registers.ebp: 1632980 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008160768	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x77b3ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x77b3af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633052 registers.edi: 1633140 registers.eax: 23117 registers.ebp: 1633112 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633176 registers.edi: 1633272 registers.eax: 23117 registers.ebp: 1633236 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008264192	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x77b2199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x77b2193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633068 registers.edi: 1633156 registers.eax: 23117 registers.ebp: 1633128 registers.edx: 0 registers.ebx: 0 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x77b3af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1632920 registers.edi: 1633016 registers.eax: 23117 registers.ebp: 1632980 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008160768	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x77b3ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x77b3af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633052 registers.edi: 1633140 registers.eax: 23117 registers.ebp: 1633112 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633176 registers.edi: 1633272 registers.eax: 23117 registers.ebp: 1633236 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008264192	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x77b2199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x77b2193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633068 registers.edi: 1633156 registers.eax: 23117 registers.ebp: 1633128 registers.edx: 0 registers.ebx: 0 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x77b3af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1632920 registers.edi: 1633016 registers.eax: 23117 registers.ebp: 1632980 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008160768	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x77b3ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x77b3af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633052 registers.edi: 1633140 registers.eax: 23117 registers.ebp: 1633112 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633176 registers.edi: 1633272 registers.eax: 23117 registers.ebp: 1633236 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008264192	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x77b1317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x77b2199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x77b2193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1633068 registers.edi: 1633156 registers.eax: 23117 registers.ebp: 1633128 registers.edx: 0 registers.ebx: 0 registers.esi: 32178176 registers.ecx: 1633024	1
__exception__ Sept. 9, 2021, 8:48 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x77b0f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x77b0f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x77b2176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x77b3af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x77b218ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x77b2174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77b23e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x75673b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7557db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74b07322 0x1eb603b 0x1eb4117 0x1eb4204 rfq-order_sheet#43254363-sept-21_signed-copy+0x5e13e @ 0x45e13e rfq-order_sheet#43254363-sept-21_signed-copy+0x5e805 @ 0x45e805 rfq-order_sheet#43254363-sept-21_signed-copy+0x4053 @ 0x404053 rfq-order_sheet#43254363-sept-21_signed-copy+0x40bb @ 0x4040bb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x77b0f4ef registers.esp: 1632920 registers.edi: 1633016 registers.eax: 23117 registers.ebp: 1632980 registers.edx: 0 registers.ebx: 32178176 registers.esi: 32178176 registers.ecx: 2008160768	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET https://cdn.discordapp.com/attachments/882500353277440002/884667347179290624/Gfheqsvbpflgztewtogykmnjkcghbqv

Allocates read-write-execute memory (usually to unpack itself) (50 out of 8196 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10590000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x105a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x105b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x105c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x105d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x105e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x105f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10600000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10610000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10620000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10630000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10640000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10650000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10660000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10670000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10680000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10690000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x106a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x106b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x106c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x106d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x106e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x106f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10700000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10710000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10720000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10730000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10740000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10750000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10760000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10770000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10780000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10790000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x107a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x107b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x107c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x107d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x107e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x107f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10800000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10810000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10820000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10830000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10840000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10850000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10860000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10870000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10880000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\Public\Libraries\Gfheqsv\Gfheqsv.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 81920 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x01eb1000 process_handle: 0xffffffff	1	0	0

Allocates execute permission to another process indicative of possible code injection (50 out of 8204 events)

Time & API	Arguments	Return
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10590000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x105a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x105b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x105c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x105d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x105e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x105f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10600000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10610000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10620000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10630000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10640000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10650000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10660000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10670000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10680000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10690000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x106a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x106b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x106c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x106d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x106e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x106f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10700000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10710000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10720000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10730000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10740000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10750000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10760000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10770000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10780000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10790000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x107a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x107b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x107c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x107d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x107e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x107f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10800000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10810000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10820000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10830000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10840000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10850000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10860000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10870000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10880000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10890000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x108a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Gfheqsv

reg_value

C:\Users\Public\Libraries\vsqehfG.url

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (4 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 1188 created a remote thread in non-child process 0
CreateRemoteThread Sept. 9, 2021, 8:48 a.m.	thread_identifier: 14 process_identifier: 0 function_address: 0x00000000 flags: 0 stack_size: 0 parameter: 0x00000000 process_handle: 0x00000000	0	0
CreateRemoteThread Sept. 9, 2021, 8:48 a.m.	thread_identifier: 12 process_identifier: 0 function_address: 0x00000000 flags: 0 stack_size: 0 parameter: 0x00000000 process_handle: 0x00000000	0	0
CreateRemoteThread Sept. 9, 2021, 8:48 a.m.	thread_identifier: 805371904 process_identifier: 0 function_address: 0x00000000 flags: 0 stack_size: 0 parameter: 0x00000000 process_handle: 0x00000000	0	0

Manipulates memory of a non-child process indicative of process injection (50 out of 8205 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 1188 manipulating memory of non-child process 0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10590000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x105a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x105b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x105c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x105d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x105e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x105f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10600000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10610000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10620000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10630000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10640000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10650000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10660000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10670000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10680000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10690000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x106a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x106b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x106c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x106d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x106e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x106f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10700000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10710000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10720000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10730000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10740000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10750000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10760000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10770000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10780000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10790000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x107a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x107b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x107c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x107d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x107e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x107f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10800000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10810000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10820000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10830000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10840000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10850000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10860000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10870000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10880000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 0 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10890000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000	3221225480	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1188 injected into non-child 0
WriteProcessMemory Sept. 9, 2021, 8:48 a.m.	buffer: >²>(o,âI\|è=%üýDm}ðýDp}üýDÀè=%Ø ÈÝDXl´èPPdüÐlüØcü\cüpcü¤cüÜbücü\|bü¬bü@büÌ±Ê²ÊÃp¼$þDè?\|üýD base_address: 0x00000000 process_identifier: 0 process_handle: 0x00000000		0	0

Network activity contains more than one unique useragent (2 events)

process	RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe				useragent	zipo
process	RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe				useragent	aswe

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Lionic	Trojan.Win32.Remcos.m!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.37548366
FireEye	Generic.mg.68038cd6686e726c
McAfee	RDN/Generic.grp
Cylance	Unsafe
K7AntiVirus	Trojan ( 0053ac2c1 )
Alibaba	Backdoor:Win32/DelfInject.54e70775
K7GW	Trojan ( 0053ac2c1 )
CrowdStrike	win/malicious_confidence_60% (W)
Cyren	W32/Delf.XFIT-1771
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	Win32/Rescoms.B
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Backdoor.Win32.Remcos.gen
BitDefender	Trojan.GenericKD.37548366
Avast	Win32:RATX-gen [Trj]
Ad-Aware	Trojan.GenericKD.37548366
Emsisoft	Trojan.GenericKD.37548366 (B)
DrWeb	Trojan.DownLoader42.37305
McAfee-GW-Edition	RDN/Generic.grp
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
eGambit	Unsafe.AI_Score_95%
Microsoft	Trojan:Win32/DelfInject.VAM!MTB
GData	Trojan.GenericKD.37548366
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C4626128
BitDefenderTheta	AI:Packer.C0BF90BD18
ALYac	Trojan.GenericKD.37548366
MAX	malware (ai score=82)
VBA32	Backdoor.Remcos
Malwarebytes	Trojan.MalPack.SMY.Generic
Ikarus	Trojan.Inject
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Injector.EQAC!tr
Webroot	W32.Trojan.Gen
AVG	Win32:RATX-gen [Trj]
Cybereason	malicious.1ed572

RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All