popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

asdfg.exe

Gen1 Generic Malware UPX Malicious Packer HTTP PWS ScreenShot KeyLogger Http API Internet API DNS Steal credential Socket .NET EXE PE File OS Processor Check PE32 AntiVM AntiDebug DLL
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Nov. 4, 2021, 3:22 p.m. Nov. 4, 2021, 3:24 p.m.
Size 1.1MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 2df827a178fcfa149a64046339868665
SHA256 d40e6b3f445ecc817cb70bf8778f4997b9dafd604b962206a49b33a8db157255
CRC32 09B3E337
ssdeep 24576:1FC4x1nvqSJipXrPZ+FBxEai7Hj0WcZbkHG3t8x9tj6:a0niSmXrPYFn3iX0WcZwet8x
Yara
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • IsPE32 - (no description)
  • Is_DotNET_EXE - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

Name Response Post-Analysis Lookup
telegraf.top
colonna.ac.ug
A 185.215.113.77
185.215.113.77
t.me
A 149.154.167.99
149.154.167.99
toptelete.top
telegalive.top
colonna.ug
A 185.215.113.77
185.215.113.77
IP Address Status Action
149.154.167.99 Active Moloch
164.124.101.2 Active Moloch
185.215.113.77 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 185.215.113.77:80 -> 192.168.56.103:49173 2400024 ET DROP Spamhaus DROP Listed Traffic Inbound group 25 Misc Attack
TCP 185.215.113.77:80 -> 192.168.56.103:49173 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.103:49179 -> 149.154.167.99:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 185.215.113.77:80 -> 192.168.56.103:49170 2029138 ET MALWARE AZORult v3.3 Server Response M3 Malware Command and Control Activity Detected
TCP 149.154.167.99:443 -> 192.168.56.103:49186 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49187 -> 149.154.167.99:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 149.154.167.99:443 -> 192.168.56.103:49188 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49189 -> 149.154.167.99:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.103:60117 -> 164.124.101.2:53 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic
TCP 185.215.113.77:80 -> 192.168.56.103:49176 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 149.154.167.99:443 -> 192.168.56.103:49184 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
UDP 192.168.56.103:51958 -> 8.8.8.8:53 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 149.154.167.99:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49183 -> 149.154.167.99:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49185 -> 149.154.167.99:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 149.154.167.99:443 -> 192.168.56.103:49180 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 149.154.167.99:443 -> 192.168.56.103:49182 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004a5ed0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004a5ed0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004a6bd0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x008f9120
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x008f9120
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x008f9d20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00408540
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00408540
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00408440
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e
0x21deab5
0x21dea2a
0x21dc392
0x21d656b
0x21d8f42
0x6bd91b
0x6becbf
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73942652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739c1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739c1737
mscorlib+0x2d3711 @ 0x722a3711
mscorlib+0x308f2d @ 0x722d8f2d
0x6b01e8
0x6b0089
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73942652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73952e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73a074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73a07610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a91dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a91e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a91f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a9416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73fef5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74277f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74274de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7689b479
registers.esp: 2025976
registers.edi: 1987043272
registers.eax: 10354688
registers.ebp: 2026180
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e
0x21deab5
0x21dea2a
0x21dc392
0x21d656b
0x21d8f42
0x6bd91b
0x6becbf
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73942652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739c1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739c1737
mscorlib+0x2d3711 @ 0x722a3711
mscorlib+0x308f2d @ 0x722d8f2d
0x6b01e8
0x6b0089
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73942652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73952e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73a074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73a07610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a91dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a91e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a91f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a9416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73fef5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74277f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74274de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7689b479
registers.esp: 2025976
registers.edi: 1987043272
registers.eax: 10223616
registers.ebp: 2026180
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e
0xaedb9d
0xaedb12
0xaeb4b0
0xae5deb
0xae84f7
0x59d5bb
0x59e7f0
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72971838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72971737
mscorlib+0x2d3711 @ 0x71c03711
mscorlib+0x308f2d @ 0x71c38f2d
0x5901e8
0x590089
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72902e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729b74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x729b7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a41dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a41e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a41f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a4416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f9f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74017f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74014de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7689b479
registers.esp: 4647252
registers.edi: 1987043272
registers.eax: 4194304
registers.ebp: 4647456
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e
0xaedb9d
0xaedb12
0xaeb4b0
0xae5deb
0xae84f7
0x59d5bb
0x59e7f0
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72971838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72971737
mscorlib+0x2d3711 @ 0x71c03711
mscorlib+0x308f2d @ 0x71c38f2d
0x5901e8
0x590089
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72902e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729b74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x729b7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a41dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a41e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a41f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a4416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f9f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74017f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74014de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7689b479
registers.esp: 4647252
registers.edi: 1987043272
registers.eax: 983040
registers.ebp: 4647456
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e
0xaedb9d
0xaedb12
0xaeb4b0
0xae5deb
0xae84f7
0x59d5bb
0x59e7f0
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72971838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72971737
mscorlib+0x2d3711 @ 0x71c03711
mscorlib+0x308f2d @ 0x71c38f2d
0x5901e8
0x590089
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72902e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729b74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x729b7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a41dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a41e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a41f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a4416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f9f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74017f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74014de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7689b479
registers.esp: 4647252
registers.edi: 1987043272
registers.eax: 15335424
registers.ebp: 4647456
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e
0xaedb9d
0xaedb12
0xaeb4b0
0xae5deb
0xae84f7
0x59d5bb
0x59e7f0
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72971838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72971737
mscorlib+0x2d3711 @ 0x71c03711
mscorlib+0x308f2d @ 0x71c38f2d
0x5901e8
0x590089
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72902e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729b74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x729b7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a41dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a41e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a41f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a4416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f9f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74017f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74014de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7689b479
registers.esp: 4647252
registers.edi: 1987043272
registers.eax: 4194304
registers.ebp: 4647456
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e
0xaedb9d
0xaedb12
0xaeb4b0
0xae5deb
0xae84f7
0x59d5bb
0x59e7f0
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72971838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72971737
mscorlib+0x2d3711 @ 0x71c03711
mscorlib+0x308f2d @ 0x71c38f2d
0x5901e8
0x590089
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72902e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729b74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x729b7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a41dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a41e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a41f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a4416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f9f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74017f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74014de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7689b479
registers.esp: 4647252
registers.edi: 1987043272
registers.eax: 983040
registers.ebp: 4647456
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e
0xaedb9d
0xaedb12
0xaeb4b0
0xae5deb
0xae84f7
0x59d5bb
0x59e7f0
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72971838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72971737
mscorlib+0x2d3711 @ 0x71c03711
mscorlib+0x308f2d @ 0x71c38f2d
0x5901e8
0x590089
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72902e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729b74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x729b7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a41dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a41e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a41f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a4416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f9f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74017f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74014de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7689b479
registers.esp: 4647252
registers.edi: 1987043272
registers.eax: 15335424
registers.ebp: 4647456
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e
0xaedb9d
0xaedb12
0xaeb4b0
0xae5deb
0xae84f7
0x59d5bb
0x59e7f0
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72971838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72971737
mscorlib+0x2d3711 @ 0x71c03711
mscorlib+0x308f2d @ 0x71c38f2d
0x5901e8
0x590089
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72902e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729b74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x729b7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a41dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a41e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a41f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a4416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f9f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74017f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74014de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7689b479
registers.esp: 4647252
registers.edi: 1987043272
registers.eax: 4194304
registers.ebp: 4647456
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e
0xaedb9d
0xaedb12
0xaeb4b0
0xae5deb
0xae84f7
0x59d5bb
0x59e7f0
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72971838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72971737
mscorlib+0x2d3711 @ 0x71c03711
mscorlib+0x308f2d @ 0x71c38f2d
0x5901e8
0x590089
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72902e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729b74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x729b7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a41dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a41e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a41f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a4416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f9f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74017f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74014de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7689b479
registers.esp: 4647252
registers.edi: 1987043272
registers.eax: 983040
registers.ebp: 4647456
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e
0xaedb9d
0xaedb12
0xaeb4b0
0xae5deb
0xae84f7
0x59d5bb
0x59e7f0
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72971838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72971737
mscorlib+0x2d3711 @ 0x71c03711
mscorlib+0x308f2d @ 0x71c38f2d
0x5901e8
0x590089
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72902e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729b74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x729b7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a41dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a41e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a41f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a4416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f9f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74017f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74014de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7689b479
registers.esp: 4647252
registers.edi: 1987043272
registers.eax: 15335424
registers.ebp: 4647456
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e
0x22cc77d
0x22cc6f2
0x22ca525
0x22c5bdb
0x22c7532
0x75d7cb
0x75e617
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72252652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7226264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x722d1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x722d1737
mscorlib+0x2d3711 @ 0x71563711
mscorlib+0x308f2d @ 0x71598f2d
0x7501e8
0x750089
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72252652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7226264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72262e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723174ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72317610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723a1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723a1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723a1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723a416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dcf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73b37f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73b34de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7689b479
registers.esp: 2747548
registers.edi: 1987043272
registers.eax: 4194304
registers.ebp: 2747752
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e
0x22cc77d
0x22cc6f2
0x22ca525
0x22c5bdb
0x22c7532
0x75d7cb
0x75e617
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72252652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7226264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x722d1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x722d1737
mscorlib+0x2d3711 @ 0x71563711
mscorlib+0x308f2d @ 0x71598f2d
0x7501e8
0x750089
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72252652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7226264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72262e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723174ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72317610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723a1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723a1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723a1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723a416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dcf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73b37f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73b34de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7689b479
registers.esp: 2747548
registers.edi: 1987043272
registers.eax: 4194304
registers.ebp: 2747752
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e
0x22cc77d
0x22cc6f2
0x22ca525
0x22c5bdb
0x22c7532
0x75d7cb
0x75e617
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72252652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7226264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x722d1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x722d1737
mscorlib+0x2d3711 @ 0x71563711
mscorlib+0x308f2d @ 0x71598f2d
0x7501e8
0x750089
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72252652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7226264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72262e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723174ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72317610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723a1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723a1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723a1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723a416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dcf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73b37f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73b34de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7689b479
registers.esp: 2747548
registers.edi: 1987043272
registers.eax: 9961472
registers.ebp: 2747752
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e
0x22cc77d
0x22cc6f2
0x22ca525
0x22c5bdb
0x22c7532
0x75d7cb
0x75e617
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72252652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7226264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x722d1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x722d1737
mscorlib+0x2d3711 @ 0x71563711
mscorlib+0x308f2d @ 0x71598f2d
0x7501e8
0x750089
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72252652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7226264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72262e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723174ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72317610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723a1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723a1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723a1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723a416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dcf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73b37f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73b34de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7689b479
registers.esp: 2747548
registers.edi: 1987043272
registers.eax: 4194304
registers.ebp: 2747752
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e
0x22cc77d
0x22cc6f2
0x22ca525
0x22c5bdb
0x22c7532
0x75d7cb
0x75e617
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72252652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7226264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x722d1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x722d1737
mscorlib+0x2d3711 @ 0x71563711
mscorlib+0x308f2d @ 0x71598f2d
0x7501e8
0x750089
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72252652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7226264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72262e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723174ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72317610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723a1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723a1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723a1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723a416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dcf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73b37f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73b34de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7689b479
registers.esp: 2747548
registers.edi: 1987043272
registers.eax: 4194304
registers.ebp: 2747752
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e
0x22cc77d
0x22cc6f2
0x22ca525
0x22c5bdb
0x22c7532
0x75d7cb
0x75e617
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72252652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7226264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x722d1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x722d1737
mscorlib+0x2d3711 @ 0x71563711
mscorlib+0x308f2d @ 0x71598f2d
0x7501e8
0x750089
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72252652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7226264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72262e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723174ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72317610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723a1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723a1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723a1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723a416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dcf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73b37f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73b34de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7689b479
registers.esp: 2747548
registers.edi: 1987043272
registers.eax: 9961472
registers.ebp: 2747752
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0
suspicious_features POST method with no referer header suspicious_request POST http://colonna.ug/index.php
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://colonna.ac.ug/softokn3.dll
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://colonna.ac.ug/sqlite3.dll
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://colonna.ac.ug/freebl3.dll
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://colonna.ac.ug/mozglue.dll
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://colonna.ac.ug/msvcp140.dll
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://colonna.ac.ug/nss3.dll
request POST http://colonna.ug/index.php
request POST http://colonna.ac.ug/softokn3.dll
request POST http://colonna.ac.ug/sqlite3.dll
request POST http://colonna.ac.ug/freebl3.dll
request POST http://colonna.ac.ug/mozglue.dll
request POST http://colonna.ac.ug/msvcp140.dll
request POST http://colonna.ac.ug/nss3.dll
request POST http://colonna.ug/index.php
request POST http://colonna.ac.ug/softokn3.dll
request POST http://colonna.ac.ug/sqlite3.dll
request POST http://colonna.ac.ug/freebl3.dll
request POST http://colonna.ac.ug/mozglue.dll
request POST http://colonna.ac.ug/msvcp140.dll
request POST http://colonna.ac.ug/nss3.dll
domain toptelete.top description Generic top level domain TLD
domain telegraf.top description Generic top level domain TLD
domain telegalive.top description Generic top level domain TLD
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006a0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2348
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73941000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2348
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73942000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006a0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00432000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00565000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00567000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0044c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0044a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0043a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0055a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00557000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00556000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 28672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006b1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006b8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006b9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006bd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006be000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007cf000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006bf000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0044d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021d1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021d4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021d6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021d8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007c1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021d9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0044e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007c2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021dc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021dd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021de000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021df000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2680
region_size: 1769472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b20000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x728f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x728f2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2680
region_size: 720896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004a0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00510000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00342000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\ProgramData\sqlite3.dll
file C:\Users\test22\AppData\Local\Temp\Dvdljtaccvivylcfphls.vbs
file C:\Users\test22\AppData\Local\Temp\Rmfigo.vbs
file C:\ProgramData\msvcp140.dll
file C:\Users\test22\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
file C:\Users\test22\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
file C:\ProgramData\freebl3.dll
file C:\ProgramData\mozglue.dll
file C:\ProgramData\softokn3.dll
file C:\Users\test22\AppData\Local\Temp\Rmfigo.vbs
file C:\Users\test22\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
file C:\Users\test22\AppData\Local\Temp\Dvdljtaccvivylcfphls.vbs
file C:\Users\test22\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
file C:\Users\test22\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
file C:\Users\test22\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
Time & API Arguments Status Return Repeated

InternetReadFile

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¢l$æ JOæ JOæ JOïuÙOê JO?oKNä JO?oINä JO?oONì JO?oNNí JOÄmKNä JO-nKNå JOæ KO~ JO-nNNò JO-nJNç JO-nµOç JO-nHNç JORichæ JOPEL¿bë[à"!  ¶b—¼ÐP ±@¨¸È0xÐ@`ÐþT(ÿ@Ðl.textË´¶ `.rdata DÐFº@@.data @À.rsrcx0@@.reloc`@@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELê˜=Sv? à! ÐàXà` 8à  °˜ÐL ü'ð¬Ñp.textÀÎÐ`0`.data°àÖ@@À.rdata$­ð®æ@@@.bss˜ €@À.edata˜°”@0@.idataL Ð ®@0À.CRTàº@0À.tls ð¼@0À.relocü'(¾@0B/4`0æ@@B/19È@è@B/35MPì@B/51`C`Dô@B/63„ °8@B/77” À F@B/89ÐR
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Àð/„‘AV„‘AV„‘AVéÒVˆ‘AV]ó@W†‘AV1†V…‘AV]óBW€‘AV]óDW‘AV]óEW‘AV¦ñ@W€‘AVOò@W‡‘AV„‘@V֑AVOòBW†‘AVOòEWÀ‘AVOòAW…‘AVOò¾V…‘AVOòCW…‘AVRich„‘AVPELØbë[à"!  Øf)Ýðp£s@pæPÀæÈ@xüÐPà0âTˆâ@ð8.texttÖØ `.rdataüþðÜ@@.data,HðÜ@À.rsrcx@à@@.relocàPä@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÂU±É£;âÉ£;âÉ£;âÀÛ¨âÙ£;âWüâË£;âÁ8ãÇ£;âÁ?ã£;âÁ:ãÍ£;âÁ>ãÛ£;âëÃ:ãÀ£;âÉ£:âw£;âÀ?ãÈ£;âÀ>ãÝ£;âÀ;ãÈ£;âÀÄâÈ£;âÀ9ãÈ£;âRichÉ£;âPELÄ_ë[à"!  z†à‚@3@A@Àt´Þ, xúÐ0h ¹TT¹h¸@ôl¾€.textÊxz `.rdata^ef~@@.data¼ ä@À.didat8æ@À.rsrcx è@@.reloch 0ì@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $¦È¼Aâ©Òâ©Òâ©ÒV5=à©ÒëÑAú©Ò;ËÓá©Òâ©Ó"©Ò;ËÑë©Ò;ËÖî©Ò;Ë×ô©Ò;ËÚ•©Ò;ËÒã©Ò;Ë-ã©Ò;ËÐã©ÒRichâ©ÒPEL8'Yà"!  ‚P±  Ðaz@AðC‚ÏôR,€øx8?4:ðf8È(@Pð˜@@.textr `.data( @À.idata6P @@.didat4p6@À.rsrcø€8@@.reloc4:<<@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $#ƒ4ŒgâZßgâZßgâZßnšÉßsâZß¾€[ÞeâZßùBßcâZß¾€YÞjâZß¾€_ÞmâZß¾€^ÞlâZßE‚[ÞoâZ߬[ÞdâZßgâ[ߐâZ߬^ÞmãZ߬ZÞfâZ߬¥ßfâZ߬XÞfâZßRichgâZßPEL­bë[à"!  êwð@·»@ˆ ˆ=T°pæÐÀ}p—Tȗ@ø.textèê `.rdataRTî@@.datatG`"B@À.rsrcp°d@@.reloc}À~h@B
request_handle: 0x00cc000c
1 1 0
section {u'size_of_data': u'0x00117c00', u'virtual_address': u'0x00002000', u'entropy': 7.796342932288292, u'name': u'.text', u'virtual_size': u'0x00117b4c'} entropy 7.79634293229 description A section with a high entropy has been found
section {u'size_of_data': u'0x00007600', u'virtual_address': u'0x0011a000', u'entropy': 7.857715662143321, u'name': u'.rsrc', u'virtual_size': u'0x00007480'} entropy 7.85771566214 description A section with a high entropy has been found
entropy 0.99956483899 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
url http://ip-api.com/json
url https://dotbit.me/a/
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Steal credential rule local_credential_Steal
description Take ScreenShot rule ScreenShot
description Match Windows Http API call rule Str_Win32_Http_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Communications over RAW Socket rule Network_TCP_Socket
description Communications use DNS rule Network_DNS
description Match Windows Inet API call rule Str_Win32_Internet_API
description Win32 PWS Loki rule Win32_PWS_Loki_Zero
description Communications over HTTP rule Network_HTTP
description Run a KeyLogger rule KeyLogger
description Take ScreenShot rule ScreenShot
description Match Windows Http API call rule Str_Win32_Http_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
Time & API Arguments Status Return Repeated

NtTerminateProcess

 status_code: 0xffffffff
process_identifier: 2856
process_handle: 0x0000034c
0 0

NtTerminateProcess

 status_code: 0xffffffff
process_identifier: 2856
process_handle: 0x0000034c
1 0 0

NtTerminateProcess

 status_code: 0xffffffff
process_identifier: 2896
process_handle: 0x000003b0
0 0

NtTerminateProcess

 status_code: 0xffffffff
process_identifier: 2896
process_handle: 0x000003b0
1 0 0

NtTerminateProcess

 status_code: 0xffffffff
process_identifier: 2336
process_handle: 0x00000234
0 0

NtTerminateProcess

 status_code: 0xffffffff
process_identifier: 2336
process_handle: 0x00000234
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2556
region_size: 593920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000354
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2856
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000350
3221225496 0

NtAllocateVirtualMemory

 process_identifier: 2896
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000340
3221225496 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000358
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2336
region_size: 212992
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000230
3221225496 0

NtAllocateVirtualMemory

 process_identifier: 2404
region_size: 212992
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000228
1 0 0
Process injection Process 2680 manipulating memory of non-child process 2856
Process injection Process 2680 manipulating memory of non-child process 2896
Process injection Process 3064 manipulating memory of non-child process 2336
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2856
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000350
3221225496 0

NtAllocateVirtualMemory

 process_identifier: 2896
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000340
3221225496 0

NtAllocateVirtualMemory

 process_identifier: 2336
region_size: 212992
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000230
3221225496 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌXH\ˆ9&ˆ9&ˆ9&ÓQ%™9&ÓQ#49&ÓQ!‰9&ÚL"›9&ÚL%9&ÚL#Ç9&ÓQ"‘9&ÓQ ‰9&ÓQ'“9&ˆ9'|9&ÐL/‡9&ÐL$‰9&Richˆ9&PELÎöeaà ’B¾é°@ @ *°|RØÃ8Ä@°´.textߑ’ `.rdataŽ°’–@@.datah[PL(@À.reloc|R°Tt@B
base_address: 0x00400000
process_identifier: 2556
process_handle: 0x00000354
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2556
process_handle: 0x00000354
1 1 0

WriteProcessMemory

 buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ ˜$„¦°@@Оà\CODE°–˜ `DATAl°œ@ÀBSSÅÀ¤À.idatažÐ¤@À.reloc\à¬@PÄ@P
base_address: 0x00400000
process_identifier: 2932
process_handle: 0x00000358
1 1 0

WriteProcessMemory

 buffer: @2‹À@@@\@ì @l$@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@Error‹ÀRuntime error at 00000000‹À0123456789ABCDEFÿÿÿÿàO@‹À‹À@@J7<äºÏ¿}ªiFîµä[Jú-EœÝ]³QçëqØ'ÓØ'ÓØ'ÖØ7nØ$ÓsØ$ÓsØ$nsØ7ÓsØ7ÖsØ$ÓØ7Ø7ÖØ7ÖsØ$ÓØ$nsØ$nsØ7Ø$ÓØ$nsØ$nsØ7ÖsØ$ÓsØÔØ'ØØsØXØ$ÓØ'ÖØqØ'ÖؖáveÛe3ôs>v÷†E±Yêá)­Vû˜Ar5d2Š'òÂØMY‰ pê5ù©ñÌ-þ+~•R¶Ö”æÐvMºoß3 v§·5v…ÅÞƒ¸`‡6©¤á þáx.¢WŽ‹ï)b!ò²jíïz´Ì·|X—¸q/Õæ?dEzãîs£‹3Ãhp>4Ǝ7èˆJ|—úðØèëá¾iAò¡úèÌ3áHþ‰‡ˆíG\†rgã@À Œ¥[\ë¸?áRÃénS ÑÒ-´¼;ÐÍñ[MQ¶SEvr]‚`„U¥’ÝêŽ(èú†mü'~àÖ.‘ÚÅÂÅÈ3Â%G°’j°Uî½S:Ì¦æä[½V€¿v™z½åÁL}¸<ÿ,9ŠÞýžV_‹ƒ:Â9 ‘牽˜W‡ù™ÙÔەoŸSûËۓ`Qé6ñ¡àw—Ëm¥Anm'o-”°aÃе1ä¨ 5[þ'Çè ©Ð¦¿q ¤ÞÆ +ºê$›gÌ7¶G~Ø: ðDºÜÑk½´úÓæ`¸{ÈQÖÎ*<A…æ>5²+X2`*ÿ0e¢÷¼Aâ@ŽPD„%ÌÐÒ:¨»eŠfk®Z‹¨ÃÌPÒÕ*”cÕéN{» “¨¤…¦b«?O±óÝ0ZR‡ÔžèÌÚÃOË©¤×`TwR\ŽÀàÄËÃÐÃsS¦@O±j¹ ›}¢ì J˜g_ÍYljò‘ ˜@Ž'”¸…PÂZ°)zˆãp>cƒŒXgǼ|½\ÏODn…á)ü7Lôû8ažŒ³Ô´:3ªÆô딛¥ø‘GgPnº1½·Õ“Ô^)õ/2{ۘ¸<T¾i#©È7ný_Fû^îˆnB!ôëäRÛc-dèmàÇ«>WÆÄN䨂«$há:_p”$Öd^}QÏ ˜kï8áeÏÌË%VŒ¿âFNØ\ðø•G;æ1Èy¤SÇ,•„°!#fñŽ‰Äþ j®Þ Ø|íälçÇ+Æڏ E—Å Å$ŒÜ›¶Dë Í!kù,ú"dlQ(° ÇMIÎ,p#°)]”ÕÙ9i-0‚àl&‘®ª!YіoPÝ+¾‡9•}\±¡©Ù.¿4#D.•§×è¼R I±£ç— 1ÔTû_v¿tÂmÿóJQ÷Ð\pk+Fæ*_h:÷Ù ‡æÄ £ 8 c+-’û2_öš0ýcQò¸ dt‰µ+ûÞ™¸¦åð‰#t êqêR(PY» ïÀ(¢#ÓϘÆ”ÌzÓ ¯N$ÇAÇAôÆApÇA¤ÆA„ÇA@ÇAhÇAlÆA,ÇA¼ÆAÇA°ÆAÆAÄÆA´°A”ÇAÇAˆÇA(ÈA\ÇAüÆA4ÇA|ÆAŒÆAìÆA ÇA<ÇA¸°AèÆA¤ÇA°°AÀÆAŒÇA¸ÆAdÆA°ÇAðÆA ÇA´ÆA(ÇAÈÇAØ°A¼°A˜ÆA ÇAÇAÇAœÆA ÆA8ÇA¬ÆAPÇA¬ÇAˆÆALÇAøÆAÌÆADÇA`ÇA¬°A ÈA¨ÇA˜ÇAÇAÈÆA€ÆAœÇA”ÆA0ÇAhÆAHÇA´ÇAcolonna.ug
base_address: 0x0041b000
process_identifier: 2932
process_handle: 0x00000358
1 1 0

WriteProcessMemory

 buffer: ,ÒÜÐ ÔHÑXÔXјÔhÑàÔxÑÕ€Ñ8ՐѺÖðÑ*× Òp× Ò:ÒRÒjÒ‚ÒžÒ¬Ò¼ÒÈÒÖÒæÒÓÓ$Ó:ÓPÓbÓtӊӜӮӼÓÊÓÖÓòÓþÓÔ,Ô>ÔLÔfÔzÔŠÔ¦Ô¶ÔÌÔîÔÕ Õ.ÕFÕRÕZÕfÕxÕˆÕ˜Õ¦Õ¶ÕÆÕØÕìÕÖÖ.ÖBÖPÖ`ÖrÖ~֌֚֮ÖÄÖÔÖäÖðÖ× ×6×B×V×^×z׊×kernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetTickCountQueryPerformanceCounterGetVersionGetCurrentThreadIdWideCharToMultiByteMultiByteToWideCharGetThreadLocaleGetStartupInfoAGetModuleFileNameAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxACharNextAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenSysAllocStringLenkernel32.dllGetModuleHandleAadvapi32.dllRegOpenKeyExARegEnumKeyAFreeSidkernel32.dllWriteFileSleepLocalFreeLoadLibraryExWLoadLibraryAGlobalUnlockGlobalLockGetTickCountGetSystemInfoGetProcAddressGetModuleHandleAGetModuleFileNameAGetFileAttributesWGetCurrentProcessIdGetCurrentProcessFreeLibraryFindNextFileWFindFirstFileWFindCloseExitProcessDeleteFileWCreateDirectoryWCopyFileWgdi32.dllSelectObjectDeleteObjectDeleteDCCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSystemMetricsGetDCCharToOemBuffAole32.dllOleInitializeCoCreateInstance
base_address: 0x0041d000
process_identifier: 2932
process_handle: 0x00000358
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2932
process_handle: 0x00000358
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $8±K¿|Ð%ì|Ð%ì|Ð%ìì}Ð%즻ìdÐ%즏ìùÐ%즎ìOÐ%ìu¨¦ì~Ð%ìu¨¶ì{Ð%ì|Ð$ìÐ%즊ìvÐ%즸ì}Ð%ìRich|Ð%ìPELŒÎ^à  0â‹z@@@D¨Pôhš@@.text“.0 `.rdatalq@r4@@.data¨CÀ¦@À.reloc0+,¸@B
base_address: 0x00400000
process_identifier: 2404
process_handle: 0x00000228
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2404
process_handle: 0x00000228
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌXH\ˆ9&ˆ9&ˆ9&ÓQ%™9&ÓQ#49&ÓQ!‰9&ÚL"›9&ÚL%9&ÚL#Ç9&ÓQ"‘9&ÓQ ‰9&ÓQ'“9&ˆ9'|9&ÐL/‡9&ÐL$‰9&Richˆ9&PELÎöeaà ’B¾é°@ @ *°|RØÃ8Ä@°´.textߑ’ `.rdataŽ°’–@@.datah[PL(@À.reloc|R°Tt@B
base_address: 0x00400000
process_identifier: 2556
process_handle: 0x00000354
1 1 0

WriteProcessMemory

 buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ ˜$„¦°@@Оà\CODE°–˜ `DATAl°œ@ÀBSSÅÀ¤À.idatažÐ¤@À.reloc\à¬@PÄ@P
base_address: 0x00400000
process_identifier: 2932
process_handle: 0x00000358
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $8±K¿|Ð%ì|Ð%ì|Ð%ìì}Ð%즻ìdÐ%즏ìùÐ%즎ìOÐ%ìu¨¦ì~Ð%ìu¨¶ì{Ð%ì|Ð$ìÐ%즊ìvÐ%즸ì}Ð%ìRich|Ð%ìPELŒÎ^à  0â‹z@@@D¨Pôhš@@.text“.0 `.rdatalq@r4@@.data¨CÀ¦@À.reloc0+,¸@B
base_address: 0x00400000
process_identifier: 2404
process_handle: 0x00000228
1 1 0
process Uxqcrfgglyzuwogibeigruaconsoleapp12.exe useragent Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
process Dxndvkhrxwosconsoleapp14.exe useragent
Process injection Process 2348 called NtSetContextThread to modify thread in remote process 2556
Process injection Process 2680 called NtSetContextThread to modify thread in remote process 2932
Process injection Process 3064 called NtSetContextThread to modify thread in remote process 2404
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4450750
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000003b4
process_identifier: 2556
1 0 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4302468
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000003b0
process_identifier: 2932
1 0 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4291211
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000234
process_identifier: 2404
1 0 0
parent_process wscript.exe martian_process "C:\Users\test22\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe"
parent_process wscript.exe martian_process C:\Users\test22\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
parent_process wscript.exe martian_process C:\Users\test22\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
parent_process wscript.exe martian_process "C:\Users\test22\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe"
Process injection Process 2348 resumed a thread in remote process 2556
Process injection Process 2680 resumed a thread in remote process 2932
Process injection Process 3064 resumed a thread in remote process 2404
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000003b4
suspend_count: 1
process_identifier: 2556
1 0 0

NtResumeThread

 thread_handle: 0x000003b0
suspend_count: 1
process_identifier: 2932
1 0 0

NtResumeThread

 thread_handle: 0x00000234
suspend_count: 1
process_identifier: 2404
1 0 0
Elastic malicious (high confidence)
Cynet Malicious (score: 99)
McAfee Artemis!2DF827A178FC
Cylance Unsafe
Cybereason malicious.178fcf
ESET-NOD32 a variant of MSIL/Kryptik.ADIZ
APEX Malicious
ClamAV Win.Dropper.Generic-7113183-0
Kaspersky HEUR:Trojan-Downloader.MSIL.Seraph.gen
BitDefender Gen:Heur.MSIL.Androm.1
MicroWorld-eScan Gen:Heur.MSIL.Androm.1
Ad-Aware Gen:Heur.MSIL.Androm.1
Emsisoft Gen:Heur.MSIL.Androm.1 (B)
DrWeb Trojan.Inject4.18293
McAfee-GW-Edition Artemis!Trojan
FireEye Gen:Heur.MSIL.Androm.1
Sophos Generic ML PUA (PUA)
SentinelOne Static AI - Malicious PE
Avira TR/Dropper.Gen2
Microsoft Trojan:Win32/Sabsik.FL.B!ml
GData Gen:Heur.MSIL.Androm.1
MAX malware (ai score=82)
Malwarebytes MachineLearning/Anomalous.97%
eGambit Trojan.Generic
BitDefenderTheta Gen:NN.ZemsilF.34236.hn0@aGbfyue
CrowdStrike win/malicious_confidence_90% (W)
MaxSecure Trojan.Malware.300983.susgen
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2348
1 0 0

NtResumeThread

 thread_handle: 0x00000150
suspend_count: 1
process_identifier: 2348
1 0 0

NtResumeThread

 thread_handle: 0x0000018c
suspend_count: 1
process_identifier: 2348
1 0 0

CreateProcessInternalW

 thread_identifier: 2512
thread_handle: 0x000003b0
process_identifier: 2508
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\wscript.exe
track: 1
command_line: "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\Rmfigo.vbs"
filepath_r: C:\Windows\System32\WScript.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003a4
1 1 0

NtResumeThread

 thread_handle: 0x00000244
suspend_count: 1
process_identifier: 2348
1 0 0

CreateProcessInternalW

 thread_identifier: 2560
thread_handle: 0x000003b4
process_identifier: 2556
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\asdfg.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000354
1 1 0

NtGetContextThread

 thread_handle: 0x000003b4
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2556
region_size: 593920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000354
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌXH\ˆ9&ˆ9&ˆ9&ÓQ%™9&ÓQ#49&ÓQ!‰9&ÚL"›9&ÚL%9&ÚL#Ç9&ÓQ"‘9&ÓQ ‰9&ÓQ'“9&ˆ9'|9&ÐL/‡9&ÐL$‰9&Richˆ9&PELÎöeaà ’B¾é°@ @ *°|RØÃ8Ä@°´.textߑ’ `.rdataŽ°’–@@.datah[PL(@À.reloc|R°Tt@B
base_address: 0x00400000
process_identifier: 2556
process_handle: 0x00000354
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 2556
process_handle: 0x00000354
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0046b000
process_identifier: 2556
process_handle: 0x00000354
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00485000
process_identifier: 2556
process_handle: 0x00000354
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0048b000
process_identifier: 2556
process_handle: 0x00000354
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2556
process_handle: 0x00000354
1 1 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4450750
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000003b4
process_identifier: 2556
1 0 0

NtResumeThread

 thread_handle: 0x000003b4
suspend_count: 1
process_identifier: 2556
1 0 0

CreateProcessInternalW

 thread_identifier: 2684
thread_handle: 0x00000320
process_identifier: 2680
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000328
1 1 0

NtResumeThread

 thread_handle: 0x00000144
suspend_count: 1
process_identifier: 2556
1 0 0

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2680
1 0 0

NtResumeThread

 thread_handle: 0x0000014c
suspend_count: 1
process_identifier: 2680
1 0 0

NtResumeThread

 thread_handle: 0x00000198
suspend_count: 1
process_identifier: 2680
1 0 0

CreateProcessInternalW

 thread_identifier: 2816
thread_handle: 0x000003b0
process_identifier: 2812
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\wscript.exe
track: 1
command_line: "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\Dvdljtaccvivylcfphls.vbs"
filepath_r: C:\Windows\System32\WScript.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003a4
1 1 0

NtResumeThread

 thread_handle: 0x00000388
suspend_count: 1
process_identifier: 2680
1 0 0

CreateProcessInternalW

 thread_identifier: 2860
thread_handle: 0x000003b4
process_identifier: 2856
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000350
1 1 0

NtGetContextThread

 thread_handle: 0x000003b4
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2856
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000350
3221225496 0

CreateProcessInternalW

 thread_identifier: 2900
thread_handle: 0x0000034c
process_identifier: 2896
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000340
1 1 0

NtGetContextThread

 thread_handle: 0x0000034c
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2896
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000340
3221225496 0

CreateProcessInternalW

 thread_identifier: 2936
thread_handle: 0x000003b0
process_identifier: 2932
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000358
1 1 0

NtGetContextThread

 thread_handle: 0x000003b0
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000358
1 0 0

WriteProcessMemory

 buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ ˜$„¦°@@Оà\CODE°–˜ `DATAl°œ@ÀBSSÅÀ¤À.idatažÐ¤@À.reloc\à¬@PÄ@P
base_address: 0x00400000
process_identifier: 2932
process_handle: 0x00000358
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 2932
process_handle: 0x00000358
1 1 0

WriteProcessMemory

 buffer: @2‹À@@@\@ì @l$@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@Error‹ÀRuntime error at 00000000‹À0123456789ABCDEFÿÿÿÿàO@‹À‹À@@J7<äºÏ¿}ªiFîµä[Jú-EœÝ]³QçëqØ'ÓØ'ÓØ'ÖØ7nØ$ÓsØ$ÓsØ$nsØ7ÓsØ7ÖsØ$ÓØ7Ø7ÖØ7ÖsØ$ÓØ$nsØ$nsØ7Ø$ÓØ$nsØ$nsØ7ÖsØ$ÓsØÔØ'ØØsØXØ$ÓØ'ÖØqØ'ÖؖáveÛe3ôs>v÷†E±Yêá)­Vû˜Ar5d2Š'òÂØMY‰ pê5ù©ñÌ-þ+~•R¶Ö”æÐvMºoß3 v§·5v…ÅÞƒ¸`‡6©¤á þáx.¢WŽ‹ï)b!ò²jíïz´Ì·|X—¸q/Õæ?dEzãîs£‹3Ãhp>4Ǝ7èˆJ|—úðØèëá¾iAò¡úèÌ3áHþ‰‡ˆíG\†rgã@À Œ¥[\ë¸?áRÃénS ÑÒ-´¼;ÐÍñ[MQ¶SEvr]‚`„U¥’ÝêŽ(èú†mü'~àÖ.‘ÚÅÂÅÈ3Â%G°’j°Uî½S:Ì¦æä[½V€¿v™z½åÁL}¸<ÿ,9ŠÞýžV_‹ƒ:Â9 ‘牽˜W‡ù™ÙÔەoŸSûËۓ`Qé6ñ¡àw—Ëm¥Anm'o-”°aÃе1ä¨ 5[þ'Çè ©Ð¦¿q ¤ÞÆ +ºê$›gÌ7¶G~Ø: ðDºÜÑk½´úÓæ`¸{ÈQÖÎ*<A…æ>5²+X2`*ÿ0e¢÷¼Aâ@ŽPD„%ÌÐÒ:¨»eŠfk®Z‹¨ÃÌPÒÕ*”cÕéN{» “¨¤…¦b«?O±óÝ0ZR‡ÔžèÌÚÃOË©¤×`TwR\ŽÀàÄËÃÐÃsS¦@O±j¹ ›}¢ì J˜g_ÍYljò‘ ˜@Ž'”¸…PÂZ°)zˆãp>cƒŒXgǼ|½\ÏODn…á)ü7Lôû8ažŒ³Ô´:3ªÆô딛¥ø‘GgPnº1½·Õ“Ô^)õ/2{ۘ¸<T¾i#©È7ný_Fû^îˆnB!ôëäRÛc-dèmàÇ«>WÆÄN䨂«$há:_p”$Öd^}QÏ ˜kï8áeÏÌË%VŒ¿âFNØ\ðø•G;æ1Èy¤SÇ,•„°!#fñŽ‰Äþ j®Þ Ø|íälçÇ+Æڏ E—Å Å$ŒÜ›¶Dë Í!kù,ú"dlQ(° ÇMIÎ,p#°)]”ÕÙ9i-0‚àl&‘®ª!YіoPÝ+¾‡9•}\±¡©Ù.¿4#D.•§×è¼R I±£ç— 1ÔTû_v¿tÂmÿóJQ÷Ð\pk+Fæ*_h:÷Ù ‡æÄ £ 8 c+-’û2_öš0ýcQò¸ dt‰µ+ûÞ™¸¦åð‰#t êqêR(PY» ïÀ(¢#ÓϘÆ”ÌzÓ ¯N$ÇAÇAôÆApÇA¤ÆA„ÇA@ÇAhÇAlÆA,ÇA¼ÆAÇA°ÆAÆAÄÆA´°A”ÇAÇAˆÇA(ÈA\ÇAüÆA4ÇA|ÆAŒÆAìÆA ÇA<ÇA¸°AèÆA¤ÇA°°AÀÆAŒÇA¸ÆAdÆA°ÇAðÆA ÇA´ÆA(ÇAÈÇAØ°A¼°A˜ÆA ÇAÇAÇAœÆA ÆA8ÇA¬ÆAPÇA¬ÇAˆÆALÇAøÆAÌÆADÇA`ÇA¬°A ÈA¨ÇA˜ÇAÇAÈÆA€ÆAœÇA”ÆA0ÇAhÆAHÇA´ÇAcolonna.ug
base_address: 0x0041b000
process_identifier: 2932
process_handle: 0x00000358
1 1 0

WriteProcessMemory

 buffer: ,ÒÜÐ ÔHÑXÔXјÔhÑàÔxÑÕ€Ñ8ՐѺÖðÑ*× Òp× Ò:ÒRÒjÒ‚ÒžÒ¬Ò¼ÒÈÒÖÒæÒÓÓ$Ó:ÓPÓbÓtӊӜӮӼÓÊÓÖÓòÓþÓÔ,Ô>ÔLÔfÔzÔŠÔ¦Ô¶ÔÌÔîÔÕ Õ.ÕFÕRÕZÕfÕxÕˆÕ˜Õ¦Õ¶ÕÆÕØÕìÕÖÖ.ÖBÖPÖ`ÖrÖ~֌֚֮ÖÄÖÔÖäÖðÖ× ×6×B×V×^×z׊×kernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetTickCountQueryPerformanceCounterGetVersionGetCurrentThreadIdWideCharToMultiByteMultiByteToWideCharGetThreadLocaleGetStartupInfoAGetModuleFileNameAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxACharNextAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenSysAllocStringLenkernel32.dllGetModuleHandleAadvapi32.dllRegOpenKeyExARegEnumKeyAFreeSidkernel32.dllWriteFileSleepLocalFreeLoadLibraryExWLoadLibraryAGlobalUnlockGlobalLockGetTickCountGetSystemInfoGetProcAddressGetModuleHandleAGetModuleFileNameAGetFileAttributesWGetCurrentProcessIdGetCurrentProcessFreeLibraryFindNextFileWFindFirstFileWFindCloseExitProcessDeleteFileWCreateDirectoryWCopyFileWgdi32.dllSelectObjectDeleteObjectDeleteDCCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSystemMetricsGetDCCharToOemBuffAole32.dllOleInitializeCoCreateInstance
base_address: 0x0041d000
process_identifier: 2932
process_handle: 0x00000358
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0041e000
process_identifier: 2932
process_handle: 0x00000358
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2932
process_handle: 0x00000358
1 1 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4302468
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000003b0
process_identifier: 2932
1 0 0

NtResumeThread

 thread_handle: 0x000003b0
suspend_count: 1
process_identifier: 2932
1 0 0

CreateProcessInternalW

 thread_identifier: 3068
thread_handle: 0x00000320
process_identifier: 3064
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000328
1 1 0

NtResumeThread

 thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 2932
1 0 0

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 3064
1 0 0

NtResumeThread

 thread_handle: 0x00000150
suspend_count: 1
process_identifier: 3064
1 0 0

NtResumeThread

 thread_handle: 0x00000198
suspend_count: 1
process_identifier: 3064
1 0 0

CreateProcessInternalW

 thread_identifier: 2324
thread_handle: 0x0000022c
process_identifier: 2336
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000230
1 1 0

NtGetContextThread

 thread_handle: 0x0000022c
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2336
region_size: 212992
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000230
3221225496 0

CreateProcessInternalW

 thread_identifier: 2408
thread_handle: 0x00000234
process_identifier: 2404
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000228
1 1 0

NtGetContextThread

 thread_handle: 0x00000234
1 0 0
file C:\Windows\SysWOW64\wscript.exe
file C:\Users\test22\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
file C:\Users\test22\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe