Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 12, 2021, 10:23 a.m.	Nov. 12, 2021, 10:27 a.m.

Size	3.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`a35732db1ce01e708084598f4dcdc1e4`
SHA256	`0416ac4ffcec3299fa96d3db1837fe245fb398890abc1e19481485503fcaa679`
CRC32	`8B6039CC`
ssdeep	`98304:SZvetj5CqOCBAybLPJh+bItPN3EhWIws2:SgKqOCB5HRhFuhU`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

basque.exe "C:\Users\test22\AppData\Local\Temp\basque.exe"
2800
- clayer.exe "C:\Users\test22\AppData\Local\Temp\hempen\clayer.exe"
  2916
- forbarvp.exe "C:\Users\test22\AppData\Local\Temp\hempen\forbarvp.exe"
  2952

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 12, 2021, 10:23 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (50 out of 115 events)

Time & API	Arguments	Status
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x13b2e @ 0x413b2e RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x13b46 @ 0x413b46 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0xbbd2 @ 0x40bbd2 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0xbbea @ 0x40bbea RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0xf984 @ 0x40f984 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x358c @ 0x40358c RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x3a9a @ 0x403a9a RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x129ac @ 0x4129ac RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x1a976 @ 0x41a976 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x16843 @ 0x416843 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x1685b @ 0x41685b RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x16873 @ 0x416873 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x1688b @ 0x41688b RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x19240 @ 0x419240 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x19258 @ 0x419258 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x127a6 @ 0x4127a6 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x1cba6 @ 0x41cba6 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x1cbbe @ 0x41cbbe RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x1cbd6 @ 0x41cbd6 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x1cbee @ 0x41cbee RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x5648 @ 0x405648 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x5660 @ 0x405660 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x11322 @ 0x411322 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x1133a @ 0x41133a RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0xf859 @ 0x40f859 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x9342 @ 0x409342 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x935a @ 0x40935a RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x9372 @ 0x409372 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x938a @ 0x40938a RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x93a2 @ 0x4093a2 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x363b @ 0x40363b RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x3653 @ 0x403653 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x366b @ 0x40366b RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x793a @ 0x40793a RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x7952 @ 0x407952 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0xe26c @ 0x40e26c RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0xe284 @ 0x40e284 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0xe29c @ 0x40e29c RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0xb50f @ 0x40b50f RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x153bf @ 0x4153bf RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x153d7 @ 0x4153d7 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x153ef @ 0x4153ef RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x4277 @ 0x404277 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x428f @ 0x40428f RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x42a7 @ 0x4042a7 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x42bf @ 0x4042bf RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x42d7 @ 0x4042d7 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x61cf @ 0x4061cf RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0x45e3 @ 0x4045e3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: RegOpenKeyExA+0x116 DisableThreadLibraryCalls-0xa0 kernel32+0x14845 @ 0x766e4845 RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x766e4750 RegOpenKeyA+0x2e MakeSelfRelativeSD-0x16 advapi32+0xcc43 @ 0x7627cc43 clayer+0xa260 @ 0x40a260 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 21 3b c7 45 fc fe ff ff ff 85 ff 0f 85 e8 e3 03 exception.symbol: RegCloseKey+0x18d RegOpenKeyExW-0xe5 kernel32+0x1222c exception.instruction: and dword ptr [ebx], edi exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 74284 exception.address: 0x766e222c registers.esp: 1637980 registers.edi: 0 registers.eax: 8 registers.ebp: 1638100 registers.edx: 0 registers.ebx: 1986854912 registers.esi: 1638148 registers.ecx: 1638148	1

Allocates read-write-execute memory (usually to unpack itself) (23 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x739a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73991000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733b4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733f2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 2916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02030000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 2916 region_size: 331776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 2916 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02040000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 2916 region_size: 294912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02430000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 2916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02461000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 2916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02461000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 2916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 2916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ff4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 2916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03402000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x776df000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77650000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01070000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0106a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0106a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0106a000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (6 events)

file	C:\Program Files (x86)\foler\olader\acppage.dll
file	C:\Users\test22\AppData\Local\Temp\hempen\forbarvp.exe
file	C:\Users\test22\AppData\Local\Temp\nsgE3C9.tmp\UAC.dll
file	C:\Program Files (x86)\foler\olader\acledit.dll
file	C:\Program Files (x86)\foler\olader\adprovider.dll
file	C:\Users\test22\AppData\Local\Temp\hempen\clayer.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\nsgE3C9.tmp\UAC.dll
file	C:\Users\test22\AppData\Local\Temp\hempen\forbarvp.exe

Expresses interest in specific running processes (1 event)

process

system

Attempts to identify installed AV products by installation directory (2 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\AVG

Checks for the presence of known windows from debuggers and forensic tools (12 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Nov. 12, 2021, 10:23 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Nov. 12, 2021, 10:23 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Nov. 12, 2021, 10:23 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Nov. 12, 2021, 10:23 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 12, 2021, 10:23 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 12, 2021, 10:23 a.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 12, 2021, 10:23 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 12, 2021, 10:23 a.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 12, 2021, 10:23 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 12, 2021, 10:23 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 12, 2021, 10:23 a.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 12, 2021, 10:23 a.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Creates an executable file in a user folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\hempen\clayer.exe

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2916 manipulating memory of non-child process 0
NtProtectVirtualMemory Nov. 12, 2021, 10:23 a.m.	process_identifier: 0 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 52 (PAGE_EXECUTE\|PAGE_EXECUTE_READ\|PAGE_READWRITE) base_address: 0x00000000 process_handle: 0x00000001		3221225541	0

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Nov. 12, 2021, 10:23 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 12, 2021, 10:23 a.m.	stacktrace: exception.instruction_r: ed e9 5f 0b fd ff e3 d9 1f 00 11 31 70 00 f8 3a exception.symbol: forbarvp+0x3dea19 exception.instruction: in eax, dx exception.module: forbarvp.exe exception.exception_code: 0xc0000096 exception.offset: 4057625 exception.address: 0x142ea19 registers.esp: 1833592 registers.edi: 2633144 registers.eax: 1447909480 registers.ebp: 17272832 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 17692988 registers.ecx: 10	1	0	0

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Trojan.Heur.D.QMW@dyRhWtpi
FireEye	Gen:Trojan.Heur.D.QMW@dyRhWtpi
ALYac	Gen:Trojan.Heur.D.QMW@dyRhWtpi
Zillya	Backdoor.DarkKomet.Win32.48384
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_70% (W)
Arcabit	Trojan.Heur.D.EA0D6C
Cyren	W32/Kryptik.FHH.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	multiple detections
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Packed.Filerepmalware-9864117-0
Kaspersky	HEUR:Trojan.Win32.SelfDel.pef
BitDefender	Gen:Trojan.Heur.D.QMW@dyRhWtpi
NANO-Antivirus	Virus.Win32.Gen-Crypt.ccnc
Avast	NSIS:PWSX-gen [Trj]
Emsisoft	Gen:Trojan.Heur.D.QMW@dyRhWtpi (B)
F-Secure	Trojan.TR/Crypt.XPACK.Gen
SentinelOne	Static AI - Suspicious PE
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Win32.Trojan.BSE.HLJWVB
Cynet	Malicious (score: 100)
MAX	malware (ai score=82)
VBA32	BScope.Trojan.Chapak
Malwarebytes	Malware.AI.2672519033
Rising	Trojan.Generic@ML.100 (RDML:BOvCLDF8TDjIGOADiN091g)
eGambit	Unsafe.AI_Score_51%
BitDefenderTheta	AI:Packer.C79F96121E
AVG	NSIS:PWSX-gen [Trj]
Cybereason	malicious.b1ce01

basque.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All