Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 14, 2021, 6:15 p.m.	Nov. 14, 2021, 6:46 p.m.

Size	2.5MB
Type	MS-DOS executable, MZ for MS-DOS
MD5	`8b9bce00bcd650b996c0d67d57675de7`
SHA256	`bf45b415add34c4a9cfd28e2f0060a5771b452a290d4807cc66e5e0355b014c0`
CRC32	`1B892759`
ssdeep	`12288:KX35aOpOy0Pby7F5gjpsIpfWFsiWtYR03l/3pD2Q3RN9CjWglBe4dUKELgmLF:KhIDpWKtYSP5r9CqglBeYK`
Yara	Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library

file.exe "C:\Users\test22\AppData\Local\Temp\file.exe"
2396
- cmd.exe "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\test22\AppData\Local\Temp\fUdRprpX & timeout 4 & del /f /q ""
  2532
  - timeout.exe timeout 4
    2596

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (5 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 14, 2021, 6:15 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 14, 2021, 6:15 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\FXSAPIDebugLogFile.txt console_handle: 0x00000007	1	1
WriteConsoleW Nov. 14, 2021, 6:15 p.m.	buffer: The process cannot access the file because it is being used by another process. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 14, 2021, 6:15 p.m.	buffer: Waiting for 4 console_handle: 0x00000007	1	1
WriteConsoleW Nov. 14, 2021, 6:15 p.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.unascen

One or more processes crashed (50 out of 208 events)

Time & API	Arguments	Status
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x71d68 @ 0x471d68 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x71d71 @ 0x471d71 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x71d88 @ 0x471d88 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x71d91 @ 0x471d91 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x71da8 @ 0x471da8 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x71db1 @ 0x471db1 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x71dc8 @ 0x471dc8 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x71dd1 @ 0x471dd1 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x746c1 @ 0x4746c1 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x746ca @ 0x4746ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x746e1 @ 0x4746e1 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x746ea @ 0x4746ea RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x74701 @ 0x474701 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x7470a @ 0x47470a RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x74721 @ 0x474721 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x7472a @ 0x47472a RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x74741 @ 0x474741 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x769ab @ 0x4769ab RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x747f6 @ 0x4747f6 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x747ff @ 0x4747ff RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x7ca11 @ 0x47ca11 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x7164d @ 0x47164d RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x71664 @ 0x471664 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x7166d @ 0x47166d RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x72222 @ 0x472222 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x7222b @ 0x47222b RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x72242 @ 0x472242 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x7224b @ 0x47224b RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x72262 @ 0x472262 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x7226b @ 0x47226b RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x72282 @ 0x472282 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x7228b @ 0x47228b RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x722a2 @ 0x4722a2 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x722ab @ 0x4722ab RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x722c2 @ 0x4722c2 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x722cb @ 0x4722cb RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x73ea8 @ 0x473ea8 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x7018d @ 0x47018d RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x701a4 @ 0x4701a4 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x701ad @ 0x4701ad RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x701c4 @ 0x4701c4 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x701cd @ 0x4701cd RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x701e4 @ 0x4701e4 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x701ed @ 0x4701ed RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x70204 @ 0x470204 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x7020d @ 0x47020d RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x70224 @ 0x470224 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x7022d @ 0x47022d RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: GetThreadWaitChain+0x731a advapi32+0x6e4e1 @ 0x74aee4e1 GetThreadWaitChain+0x73a5 advapi32+0x6e56c @ 0x74aee56c RegSaveKeyA+0xab RegSetValueA-0xcd advapi32+0x60d74 @ 0x74ae0d74 file+0x6d133 @ 0x46d133 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 80 3e 01 0f 85 f6 21 01 00 bf 00 80 00 00 8b c7 exception.symbol: RtlValidSecurityDescriptor+0x13 RtlTestBit-0x3a2 ntdll+0x65e29 exception.instruction: cmp byte ptr [esi], 1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 417321 exception.address: 0x77315e29 registers.esp: 1638072 registers.edi: 6711689 registers.eax: 1638096 registers.ebp: 1638112 registers.edx: 0 registers.ebx: 0 registers.esi: 1680749107 registers.ecx: 1680749107	1
__exception__ Nov. 14, 2021, 6:15 p.m.	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74dd83ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74e701fe RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x74ae100f GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x768ac8e3 New_advapi32_RegCloseKey@4+0x67 New_advapi32_RegCreateKeyExA@36-0x63 @ 0x740c2770 file+0x6d13c @ 0x46d13c RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x74dd83d2 registers.esp: 1637000 registers.edi: 1957427834 registers.eax: 86 registers.ebp: 1637040 registers.edx: 0 registers.ebx: 1638140 registers.esi: 1 registers.ecx: 86	1

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 14, 2021, 6:15 p.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00418000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 14, 2021, 6:15 p.m.	process_identifier: 2396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e70000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 14, 2021, 6:15 p.m.	process_identifier: 2396 region_size: 315392 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 14, 2021, 6:15 p.m.	process_identifier: 2396 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ed0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 14, 2021, 6:15 p.m.	process_identifier: 2396 region_size: 294912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f20000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates a suspicious process (2 events)

cmdline	"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\test22\AppData\Local\Temp\fUdRprpX & timeout 4 & del /f /q ""
cmdline	C:\Windows\System32\cmd.exe /c rd /s /q C:\Users\test22\AppData\Local\Temp\fUdRprpX & timeout 4 & del /f /q ""

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file	C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Nov. 14, 2021, 6:15 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c rd /s /q C:\Users\test22\AppData\Local\Temp\fUdRprpX & timeout 4 & del /f /q "" filepath: C:\Windows\System32\cmd.exe	1	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\test22\AppData\Local\Temp\fUdRprpX & timeout 4 & del /f /q ""
cmdline	C:\Windows\System32\cmd.exe /c rd /s /q C:\Users\test22\AppData\Local\Temp\fUdRprpX & timeout 4 & del /f /q ""

Attempts to identify installed AV products by installation directory (3 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\AVG
file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Creates an executable file in a user folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\file.exe

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.8b9bce00bcd650b9
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
ESET-NOD32	a variant of Win32/GenKryptik.FNKE
APEX	Malicious
Kaspersky	VHO:Trojan.Win32.SelfDel.gen
SentinelOne	Static AI - Malicious PE
eGambit	PE.Heur.InvalidSig
Gridinsoft	Trojan.Heur!.00002031
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Cynet	Malicious (score: 100)
Acronis	suspicious
Malwarebytes	MachineLearning/Anomalous.95%
MaxSecure	Trojan.Malware.300983.susgen

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 103 events)

file	C:\Users\test22\AppData\Local\Temp\SetupExe(20200504224110B04).log
file	C:\Users\test22\AppData\Local\Temp\ArmUI.ini
file	C:\Users\test22\AppData\Local\Temp\java_install_reg.log
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20210707200853994).log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000011.log
file	C:\Users\test22\AppData\Local\Temp\dd_dotnet4.5_decompression_log.txt
file	C:\Users\test22\AppData\Local\Temp\dd_dotNetFx45LP_Full_x86_x64ko_decompression_log.txt
file	C:\Users\test22\AppData\Local\Temp\AdobeARM.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000028.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000001.log
file	C:\Users\test22\AppData\Local\Temp\jawshtml.html
file	C:\Users\test22\AppData\Local\Temp\~DFB8537D6963ECB123.TMP
file	C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00000.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000025.log
file	C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_000_vcRuntimeMinimum_x64.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000013.log
file	C:\Users\test22\AppData\Local\Temp\FXSAPIDebugLogFile.txt
file	C:\Users\test22\AppData\Local\Temp\dd_SetupUtility.txt
file	C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00001.log
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152043A34).log
file	C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548.log
file	C:\Users\test22\AppData\Local\Temp\UserInfoSetup(2018040515215734C).log
file	C:\Users\test22\AppData\Local\Temp\RGI1518.tmp-tmp
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000026.log
file	C:\Users\test22\AppData\Local\Temp\DMI9EEF.tmp
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000017.log
file	C:\Users\test22\AppData\Local\Temp\chrome_installer.log
file	C:\Users\test22\AppData\Local\Temp\UserInfoSetup(20180405152131B24).log
file	C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 KOR Language Pack Setup_20200715_141443571.html
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000020.log
file	C:\Users\test22\AppData\Local\Temp\RGIC87.tmp-tmp
file	C:\Users\test22\AppData\Local\Temp\java_install.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000007.log
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152131B24).log
file	C:\Users\test22\AppData\Local\Temp\bchC68D.tmp
file	C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 Setup_20200715_141303844.html
file	C:\Users\test22\AppData\Local\Temp\PrinterSetup.log
file	C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00002.log
file	C:\Users\test22\AppData\Local\Temp\dd_TMPA86C.tmp_decompression_log.txt
file	C:\Users\test22\AppData\Local\Temp\CVR8B49.tmp.cvr
file	C:\Users\test22\AppData\Local\Temp\file.exe
file	C:\Users\test22\AppData\Local\Temp\RD25B7.tmp
file	C:\Users\test22\AppData\Local\Temp\SetupExe(202107071812439D0).log
file	C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 Setup_20200715_141303844-MSI_netfx_Full_x64.msi.txt
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000014.log
file	C:\Users\test22\AppData\Local\Temp\CVRE545.tmp.cvr
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000005.log
file	C:\Users\test22\AppData\Local\Temp\dd_wcf_CA_smci_20200715_051341_086.txt
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000010.log
file	C:\Users\test22\AppData\Local\Temp\SetupExe(2018040515215734C).log

file.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All