Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 15, 2021, 5:12 p.m.	Nov. 15, 2021, 5:15 p.m.

Size	1.1MB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`6966182dd20351152ea815d31e735067`
SHA256	`9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6`
CRC32	`C32D2E62`
ssdeep	`24576:JAonVXGyMHv70mq0PgSErFqQSWjVtVYZ:SonVp7OgSErFqQtC`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

asdfg.exe "C:\Users\test22\AppData\Local\Temp\asdfg.exe"
2772
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\Ilzzmljftcwfeldyujdcyqy.vbs"
  3000
  - Tyjigybwjylnokucizpstzjwazconsoleapp18.exe "C:\Users\test22\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe"
    2148
    - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\Ksyuxjtrazuidxiqmg.vbs"
      2288
      - Vcinpeamqerjfxlsvutgosconsoleapp11.exe "C:\Users\test22\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe"
        2732
        
        Vcinpeamqerjfxlsvutgosconsoleapp11.exe C:\Users\test22\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe
        1768
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /pid 1768 & erase C:\Users\test22\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe & RD /S /Q C:\\ProgramData\\225545026071858\\* & exit
        2852
        
        taskkill.exe taskkill /pid 1768
        1664
    - Tyjigybwjylnokucizpstzjwazconsoleapp18.exe C:\Users\test22\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
      2444
- asdfg.exe C:\Users\test22\AppData\Local\Temp\asdfg.exe
  3044
explorer.exe C:\Windows\Explorer.EXE
1156

Name	Response	Post-Analysis Lookup
colonna.ug	A 185.215.113.77	185.215.113.77
colonna.ac.ug	A 185.215.113.77	185.215.113.77
t.me	A 149.154.167.99	149.154.167.99

IP Address	Status	Action
149.154.167.99	Active	Moloch
164.124.101.2	Active	Moloch
185.163.47.176	Active	Moloch
185.215.113.77	Active	Moloch
193.38.54.238	Active	Moloch
74.119.192.122	Active	Moloch
91.219.236.162	Active	Moloch
91.219.236.240	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.77:80 -> 192.168.56.101:49179	2400024	ET DROP Spamhaus DROP Listed Traffic Inbound group 25	Misc Attack
TCP 185.215.113.77:80 -> 192.168.56.101:49187	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 149.154.167.99:443 -> 192.168.56.101:49211	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49214 -> 149.154.167.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49207 -> 149.154.167.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49218 -> 149.154.167.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49212 -> 149.154.167.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49216 -> 149.154.167.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 149.154.167.99:443 -> 192.168.56.101:49221	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 149.154.167.99:443 -> 192.168.56.101:49213	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 149.154.167.99:443 -> 192.168.56.101:49217	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 149.154.167.99:443 -> 192.168.56.101:49219	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 149.154.167.99:443 -> 192.168.56.101:49215	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49187 -> 185.215.113.77:80	2027108	ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2	A Network Trojan was detected
TCP 192.168.56.101:49187 -> 185.215.113.77:80	2029236	ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil	Malware Command and Control Activity Detected
TCP 192.168.56.101:49187 -> 185.215.113.77:80	2029846	ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)	A Network Trojan was detected
TCP 192.168.56.101:49187 -> 185.215.113.77:80	2033886	ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Chrome_Default.txt)	Potentially Bad Traffic
TCP 192.168.56.101:49220 -> 149.154.167.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 15, 2021, 5:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 15, 2021, 5:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 15, 2021, 5:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 15, 2021, 5:13 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 15, 2021, 5:12 p.m.			0	0
IsDebuggerPresent Nov. 15, 2021, 5:12 p.m.			0	0
IsDebuggerPresent Nov. 15, 2021, 5:13 p.m.			0	0
IsDebuggerPresent Nov. 15, 2021, 5:13 p.m.			0	0
IsDebuggerPresent Nov. 15, 2021, 5:13 p.m.			0	0
IsDebuggerPresent Nov. 15, 2021, 5:13 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Nov. 15, 2021, 5:13 p.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1	0
WriteConsoleW Nov. 15, 2021, 5:13 p.m.	buffer: ERROR: The process "1768" not found. console_handle: 0x0000000b	1	1	0

Uses Windows APIs to generate a cryptographic key (9 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 15, 2021, 5:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00529378 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 15, 2021, 5:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00529378 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 15, 2021, 5:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0052a0b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 15, 2021, 5:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 15, 2021, 5:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 15, 2021, 5:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00412bf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 15, 2021, 5:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00777dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 15, 2021, 5:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00777dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 15, 2021, 5:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00777cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 15, 2021, 5:12 p.m.		1	1	0

One or more processes crashed (18 events)

Time & API	Arguments	Status
__exception__ Nov. 15, 2021, 5:13 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x103e64d 0x103e5c2 0x103c19f 0x103608b 0x1038ad7 0x63d86b 0x63ecae DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d mscorlib+0x3133fd @ 0x721833fd 0x6307e0 0x6302b5 mscorlib+0x30c9ff @ 0x7217c9ff mscorlib+0x302367 @ 0x72172367 mscorlib+0x3022a6 @ 0x721722a6 mscorlib+0x302261 @ 0x72172261 mscorlib+0x30ca7c @ 0x7217ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x72ed07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72ea7d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72ea7dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72ea7e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72e3c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72ed0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72f4a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 82112608 registers.edi: 1980555208 registers.eax: 16777216 registers.ebp: 82112812 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Nov. 15, 2021, 5:13 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x103e64d 0x103e5c2 0x103c19f 0x103608b 0x1038ad7 0x63d86b 0x63ecae DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d mscorlib+0x3133fd @ 0x721833fd 0x6307e0 0x6302b5 mscorlib+0x30c9ff @ 0x7217c9ff mscorlib+0x302367 @ 0x72172367 mscorlib+0x3022a6 @ 0x721722a6 mscorlib+0x302261 @ 0x72172261 mscorlib+0x30ca7c @ 0x7217ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x72ed07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72ea7d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72ea7dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72ea7e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72e3c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72ed0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72f4a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 82112608 registers.edi: 1980555208 registers.eax: 4194304 registers.ebp: 82112812 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Nov. 15, 2021, 5:13 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x103e64d 0x103e5c2 0x103c19f 0x103608b 0x1038ad7 0x63d86b 0x63ecae DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d mscorlib+0x3133fd @ 0x721833fd 0x6307e0 0x6302b5 mscorlib+0x30c9ff @ 0x7217c9ff mscorlib+0x302367 @ 0x72172367 mscorlib+0x3022a6 @ 0x721722a6 mscorlib+0x302261 @ 0x72172261 mscorlib+0x30ca7c @ 0x7217ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x72ed07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72ea7d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72ea7dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72ea7e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72e3c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72ed0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72f4a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 82112608 registers.edi: 1980555208 registers.eax: 19726336 registers.ebp: 82112812 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Nov. 15, 2021, 5:13 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x103e64d 0x103e5c2 0x103c19f 0x103608b 0x1038ad7 0x63d86b 0x63ecae DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d mscorlib+0x3133fd @ 0x721833fd 0x6307e0 0x6302b5 mscorlib+0x30c9ff @ 0x7217c9ff mscorlib+0x302367 @ 0x72172367 mscorlib+0x3022a6 @ 0x721722a6 mscorlib+0x302261 @ 0x72172261 mscorlib+0x30ca7c @ 0x7217ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x72ed07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72ea7d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72ea7dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72ea7e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72e3c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72ed0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72f4a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 82112608 registers.edi: 1980555208 registers.eax: 9699328 registers.ebp: 82112812 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Nov. 15, 2021, 5:13 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x438ca3d 0x438c9b2 0x438ab31 0x4385be3 0x4387c57 0x1e8d72b 0x1e8e467 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72811838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72811737 mscorlib+0x2d3711 @ 0x71aa3711 mscorlib+0x308f2d @ 0x71ad8f2d mscorlib+0x3133fd @ 0x71ae33fd 0x1e807e0 0x1e802b5 mscorlib+0x30c9ff @ 0x71adc9ff mscorlib+0x302367 @ 0x71ad2367 mscorlib+0x3022a6 @ 0x71ad22a6 mscorlib+0x302261 @ 0x71ad2261 mscorlib+0x30ca7c @ 0x71adca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x728307d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72807d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72807dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72807e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x7279c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72830694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728aa0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 79293792 registers.edi: 1980555208 registers.eax: 16777216 registers.ebp: 79293996 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Nov. 15, 2021, 5:13 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x438ca3d 0x438c9b2 0x438ab31 0x4385be3 0x4387c57 0x1e8d72b 0x1e8e467 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72811838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72811737 mscorlib+0x2d3711 @ 0x71aa3711 mscorlib+0x308f2d @ 0x71ad8f2d mscorlib+0x3133fd @ 0x71ae33fd 0x1e807e0 0x1e802b5 mscorlib+0x30c9ff @ 0x71adc9ff mscorlib+0x302367 @ 0x71ad2367 mscorlib+0x3022a6 @ 0x71ad22a6 mscorlib+0x302261 @ 0x71ad2261 mscorlib+0x30ca7c @ 0x71adca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x728307d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72807d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72807dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72807e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x7279c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72830694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728aa0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 79293792 registers.edi: 1980555208 registers.eax: 4194304 registers.ebp: 79293996 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Nov. 15, 2021, 5:13 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x438ca3d 0x438c9b2 0x438ab31 0x4385be3 0x4387c57 0x1e8d72b 0x1e8e467 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72811838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72811737 mscorlib+0x2d3711 @ 0x71aa3711 mscorlib+0x308f2d @ 0x71ad8f2d mscorlib+0x3133fd @ 0x71ae33fd 0x1e807e0 0x1e802b5 mscorlib+0x30c9ff @ 0x71adc9ff mscorlib+0x302367 @ 0x71ad2367 mscorlib+0x3022a6 @ 0x71ad22a6 mscorlib+0x302261 @ 0x71ad2261 mscorlib+0x30ca7c @ 0x71adca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x728307d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72807d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72807dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72807e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x7279c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72830694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728aa0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 79293792 registers.edi: 1980555208 registers.eax: 4194304 registers.ebp: 79293996 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Nov. 15, 2021, 5:13 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x438ca3d 0x438c9b2 0x438ab31 0x4385be3 0x4387c57 0x1e8d72b 0x1e8e467 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72811838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72811737 mscorlib+0x2d3711 @ 0x71aa3711 mscorlib+0x308f2d @ 0x71ad8f2d mscorlib+0x3133fd @ 0x71ae33fd 0x1e807e0 0x1e802b5 mscorlib+0x30c9ff @ 0x71adc9ff mscorlib+0x302367 @ 0x71ad2367 mscorlib+0x3022a6 @ 0x71ad22a6 mscorlib+0x302261 @ 0x71ad2261 mscorlib+0x30ca7c @ 0x71adca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x728307d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72807d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72807dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72807e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x7279c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72830694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728aa0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 79293792 registers.edi: 1980555208 registers.eax: 1441792 registers.ebp: 79293996 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Nov. 15, 2021, 5:13 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x438ca3d 0x438c9b2 0x438ab31 0x4385be3 0x4387c57 0x1e8d72b 0x1e8e467 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72811838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72811737 mscorlib+0x2d3711 @ 0x71aa3711 mscorlib+0x308f2d @ 0x71ad8f2d mscorlib+0x3133fd @ 0x71ae33fd 0x1e807e0 0x1e802b5 mscorlib+0x30c9ff @ 0x71adc9ff mscorlib+0x302367 @ 0x71ad2367 mscorlib+0x3022a6 @ 0x71ad22a6 mscorlib+0x302261 @ 0x71ad2261 mscorlib+0x30ca7c @ 0x71adca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x728307d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72807d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72807dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72807e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x7279c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72830694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728aa0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 79293792 registers.edi: 1980555208 registers.eax: 1245184 registers.ebp: 79293996 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Nov. 15, 2021, 5:13 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x438ca3d 0x438c9b2 0x438ab31 0x4385be3 0x4387c57 0x1e8d72b 0x1e8e467 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72811838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72811737 mscorlib+0x2d3711 @ 0x71aa3711 mscorlib+0x308f2d @ 0x71ad8f2d mscorlib+0x3133fd @ 0x71ae33fd 0x1e807e0 0x1e802b5 mscorlib+0x30c9ff @ 0x71adc9ff mscorlib+0x302367 @ 0x71ad2367 mscorlib+0x3022a6 @ 0x71ad22a6 mscorlib+0x302261 @ 0x71ad2261 mscorlib+0x30ca7c @ 0x71adca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x728307d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72807d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72807dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72807e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x7279c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72830694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728aa0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 79293792 registers.edi: 1980555208 registers.eax: 16777216 registers.ebp: 79293996 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Nov. 15, 2021, 5:13 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x438ca3d 0x438c9b2 0x438ab31 0x4385be3 0x4387c57 0x1e8d72b 0x1e8e467 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72811838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72811737 mscorlib+0x2d3711 @ 0x71aa3711 mscorlib+0x308f2d @ 0x71ad8f2d mscorlib+0x3133fd @ 0x71ae33fd 0x1e807e0 0x1e802b5 mscorlib+0x30c9ff @ 0x71adc9ff mscorlib+0x302367 @ 0x71ad2367 mscorlib+0x3022a6 @ 0x71ad22a6 mscorlib+0x302261 @ 0x71ad2261 mscorlib+0x30ca7c @ 0x71adca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x728307d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72807d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72807dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72807e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x7279c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72830694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728aa0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 79293792 registers.edi: 1980555208 registers.eax: 4194304 registers.ebp: 79293996 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Nov. 15, 2021, 5:13 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x438ca3d 0x438c9b2 0x438ab31 0x4385be3 0x4387c57 0x1e8d72b 0x1e8e467 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72811838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72811737 mscorlib+0x2d3711 @ 0x71aa3711 mscorlib+0x308f2d @ 0x71ad8f2d mscorlib+0x3133fd @ 0x71ae33fd 0x1e807e0 0x1e802b5 mscorlib+0x30c9ff @ 0x71adc9ff mscorlib+0x302367 @ 0x71ad2367 mscorlib+0x3022a6 @ 0x71ad22a6 mscorlib+0x302261 @ 0x71ad2261 mscorlib+0x30ca7c @ 0x71adca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x728307d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72807d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72807dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72807e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x7279c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72830694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728aa0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 79293792 registers.edi: 1980555208 registers.eax: 4194304 registers.ebp: 79293996 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Nov. 15, 2021, 5:13 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x438ca3d 0x438c9b2 0x438ab31 0x4385be3 0x4387c57 0x1e8d72b 0x1e8e467 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72811838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72811737 mscorlib+0x2d3711 @ 0x71aa3711 mscorlib+0x308f2d @ 0x71ad8f2d mscorlib+0x3133fd @ 0x71ae33fd 0x1e807e0 0x1e802b5 mscorlib+0x30c9ff @ 0x71adc9ff mscorlib+0x302367 @ 0x71ad2367 mscorlib+0x3022a6 @ 0x71ad22a6 mscorlib+0x302261 @ 0x71ad2261 mscorlib+0x30ca7c @ 0x71adca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x728307d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72807d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72807dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72807e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x7279c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72830694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728aa0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 79293792 registers.edi: 1980555208 registers.eax: 1441792 registers.ebp: 79293996 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Nov. 15, 2021, 5:13 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x438ca3d 0x438c9b2 0x438ab31 0x4385be3 0x4387c57 0x1e8d72b 0x1e8e467 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72811838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72811737 mscorlib+0x2d3711 @ 0x71aa3711 mscorlib+0x308f2d @ 0x71ad8f2d mscorlib+0x3133fd @ 0x71ae33fd 0x1e807e0 0x1e802b5 mscorlib+0x30c9ff @ 0x71adc9ff mscorlib+0x302367 @ 0x71ad2367 mscorlib+0x3022a6 @ 0x71ad22a6 mscorlib+0x302261 @ 0x71ad2261 mscorlib+0x30ca7c @ 0x71adca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x728307d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72807d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72807dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72807e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x7279c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72830694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728aa0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 79293792 registers.edi: 1980555208 registers.eax: 1245184 registers.ebp: 79293996 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Nov. 15, 2021, 5:13 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x4a1e24d 0x4a1e1c2 0x4a1bad4 0x4a1640b 0x4a18437 0x69d34b 0x69e7ea DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a22652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a3264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72aa1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72aa1737 mscorlib+0x2d3711 @ 0x71d33711 mscorlib+0x308f2d @ 0x71d68f2d mscorlib+0x3133fd @ 0x71d733fd 0x6907e0 0x6902b5 mscorlib+0x30c9ff @ 0x71d6c9ff mscorlib+0x302367 @ 0x71d62367 mscorlib+0x3022a6 @ 0x71d622a6 mscorlib+0x302261 @ 0x71d62261 mscorlib+0x30ca7c @ 0x71d6ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a22652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a3264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72a32e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x72ac07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72a97d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72a97dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72a97e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72a2c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72ac0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72b3a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 83159812 registers.edi: 1980555208 registers.eax: 16777216 registers.ebp: 83160016 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Nov. 15, 2021, 5:13 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x4a1e24d 0x4a1e1c2 0x4a1bad4 0x4a1640b 0x4a18437 0x69d34b 0x69e7ea DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a22652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a3264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72aa1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72aa1737 mscorlib+0x2d3711 @ 0x71d33711 mscorlib+0x308f2d @ 0x71d68f2d mscorlib+0x3133fd @ 0x71d733fd 0x6907e0 0x6902b5 mscorlib+0x30c9ff @ 0x71d6c9ff mscorlib+0x302367 @ 0x71d62367 mscorlib+0x3022a6 @ 0x71d622a6 mscorlib+0x302261 @ 0x71d62261 mscorlib+0x30ca7c @ 0x71d6ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a22652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a3264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72a32e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x72ac07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72a97d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72a97dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72a97e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72a2c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72ac0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72b3a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 83159812 registers.edi: 1980555208 registers.eax: 4194304 registers.ebp: 83160016 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Nov. 15, 2021, 5:13 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x4a1e24d 0x4a1e1c2 0x4a1bad4 0x4a1640b 0x4a18437 0x69d34b 0x69e7ea DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a22652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a3264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72aa1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72aa1737 mscorlib+0x2d3711 @ 0x71d33711 mscorlib+0x308f2d @ 0x71d68f2d mscorlib+0x3133fd @ 0x71d733fd 0x6907e0 0x6902b5 mscorlib+0x30c9ff @ 0x71d6c9ff mscorlib+0x302367 @ 0x71d62367 mscorlib+0x3022a6 @ 0x71d622a6 mscorlib+0x302261 @ 0x71d62261 mscorlib+0x30ca7c @ 0x71d6ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a22652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a3264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72a32e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x72ac07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72a97d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72a97dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72a97e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72a2c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72ac0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72b3a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 83159812 registers.edi: 1980555208 registers.eax: 4194304 registers.ebp: 83160016 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Nov. 15, 2021, 5:13 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x4a1e24d 0x4a1e1c2 0x4a1bad4 0x4a1640b 0x4a18437 0x69d34b 0x69e7ea DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a22652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a3264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72aa1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72aa1737 mscorlib+0x2d3711 @ 0x71d33711 mscorlib+0x308f2d @ 0x71d68f2d mscorlib+0x3133fd @ 0x71d733fd 0x6907e0 0x6902b5 mscorlib+0x30c9ff @ 0x71d6c9ff mscorlib+0x302367 @ 0x71d62367 mscorlib+0x3022a6 @ 0x71d622a6 mscorlib+0x302261 @ 0x71d62261 mscorlib+0x30ca7c @ 0x71d6ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a22652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a3264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72a32e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x72ac07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72a97d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72a97dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72a97e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72a2c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72ac0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72b3a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 83159812 registers.edi: 1980555208 registers.eax: 20709376 registers.ebp: 83160016 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (10 events)

suspicious_features	POST method with no referer header	suspicious_request	POST http://colonna.ug/index.php
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://colonna.ac.ug/softokn3.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://colonna.ac.ug/sqlite3.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://colonna.ac.ug/freebl3.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://colonna.ac.ug/mozglue.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://colonna.ac.ug/msvcp140.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://colonna.ac.ug/nss3.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://colonna.ac.ug/vcruntime140.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://colonna.ac.ug/main.php
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://colonna.ac.ug/

Performs some HTTP requests (10 events)

request	POST http://colonna.ug/index.php
request	POST http://colonna.ac.ug/softokn3.dll
request	POST http://colonna.ac.ug/sqlite3.dll
request	POST http://colonna.ac.ug/freebl3.dll
request	POST http://colonna.ac.ug/mozglue.dll
request	POST http://colonna.ac.ug/msvcp140.dll
request	POST http://colonna.ac.ug/nss3.dll
request	POST http://colonna.ac.ug/vcruntime140.dll
request	POST http://colonna.ac.ug/main.php
request	POST http://colonna.ac.ug/

Sends data using the HTTP POST Method (10 events)

request	POST http://colonna.ug/index.php
request	POST http://colonna.ac.ug/softokn3.dll
request	POST http://colonna.ac.ug/sqlite3.dll
request	POST http://colonna.ac.ug/freebl3.dll
request	POST http://colonna.ac.ug/mozglue.dll
request	POST http://colonna.ac.ug/msvcp140.dll
request	POST http://colonna.ac.ug/nss3.dll
request	POST http://colonna.ac.ug/vcruntime140.dll
request	POST http://colonna.ac.ug/main.php
request	POST http://colonna.ac.ug/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 128 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 15, 2021, 5:12 p.m.	process_identifier: 2772 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:12 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 15, 2021, 5:12 p.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 15, 2021, 5:12 p.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:12 p.m.	process_identifier: 2772 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b10000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:12 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:12 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00432000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:12 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00465000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:12 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:12 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00467000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:12 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:12 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:12 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00456000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00631000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00638000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00639000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0063d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0063e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b7f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0063f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01031000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01035000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01036000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01037000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01038000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01039000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0103a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0103b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0103c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0103d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0103e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0103f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 3000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fea2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2148 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72791000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72792000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2148 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ee0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (3 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Chromium\User Data\Local State
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Local State

Creates executable files on the filesystem (11 events)

file	C:\Users\test22\AppData\Local\Temp\Ilzzmljftcwfeldyujdcyqy.vbs
file	C:\ProgramData\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\Ksyuxjtrazuidxiqmg.vbs
file	C:\Users\test22\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe
file	C:\ProgramData\nss3.dll
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Creates a suspicious process (2 events)

cmdline	cmd.exe /c taskkill /pid 1768 & erase C:\Users\test22\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe & RD /S /Q C:\\ProgramData\\225545026071858\\* & exit
cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /pid 1768 & erase C:\Users\test22\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe & RD /S /Q C:\\ProgramData\\225545026071858\\* & exit

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\Ilzzmljftcwfeldyujdcyqy.vbs
file	C:\Users\test22\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
file	C:\Users\test22\AppData\Local\Temp\Ksyuxjtrazuidxiqmg.vbs
file	C:\Users\test22\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
file	C:\Users\test22\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 1768)

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Nov. 15, 2021, 5:13 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c taskkill /pid 1768 & erase C:\Users\test22\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe & RD /S /Q C:\\ProgramData\\225545026071858\\* & exit filepath: cmd.exe	1	1	0

An executable file was downloaded by the process vcinpeamqerjfxlsvutgosconsoleapp11.exe (7 events)

Time & API	Arguments	Status	Return
InternetReadFile Nov. 15, 2021, 5:13 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¢l$æ JOæ JOæ JOïuÙOê JO?oKNä JO?oINä JO?oONì JO?oNNí JOÄmKNä JO-nKNå JOæ KO~ JO-nNNò JO-nJNç JO-nµOç JO-nHNç JORichæ JOPEL¿bë[à"!¶b¼ÐP ±@¨¸È0xÐ@`ÐþT(ÿ@Ðl.textË´¶ `.rdata DÐFº@@.data @À.rsrcx0@@.reloc`@@B request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 15, 2021, 5:13 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELê=Sv?à!ÐàXà` 8Ã °ÐL ü'ð¬Ñp.textÀÎÐ`0`.data°àÖ@@À.rdata$ð®æ@@@.bss @À.edata°@0@.idataL Ð®@0À.CRTàº@0À.tls ð¼@0À.relocü'(¾@0B/4`0æ@@B/19È@è@B/35MPì@B/51`C`Dô@B/63 °8@B/77ÀF@B/89ÐR request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 15, 2021, 5:13 p.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Àð/AVAVAVéÒVAV]ó@WAV1VAV]óBWAV]óDWAV]óEWAV¦ñ@WAVOò@WAV@VÖAVOòBWAVOòEWÀAVOòAWAVOò¾VAVOòCWAVRichAVPELØbë[à"!Øf)Ýðp£s@pæPÀæÈ@xüÐPà0âTâ@ð8.texttÖØ `.rdataüþðÜ@@.data,HðÜ@À.rsrcx@à@@.relocàPä@B request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 15, 2021, 5:13 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÂU±É£;âÉ£;âÉ£;âÀÛ¨âÙ£;âWüâË£;âÁ8ãÇ£;âÁ?ãÂ£;âÁ:ãÍ£;âÁ>ãÛ£;âëÃ:ãÀ£;âÉ£:âw£;âÀ?ãÈ£;âÀ>ãÝ£;âÀ;ãÈ£;âÀÄâÈ£;âÀ9ãÈ£;âRichÉ£;âPELÄ_ë[à"!zà@3@A@Àt´Þ, xúÐ0h¹TT¹h¸@ôl¾.textÊxz `.rdata^ef~@@.data¼ä@À.didat8æ@À.rsrcx è@@.reloch0ì@B request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 15, 2021, 5:13 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $¦È¼Aâ©Òâ©Òâ©ÒV5=à©ÒëÑAú©Ò;ËÓá©Òâ©Ó"©Ò;ËÑë©Ò;ËÖî©Ò;Ë×ô©Ò;ËÚ©Ò;ËÒã©Ò;Ë-ã©Ò;ËÐã©ÒRichâ©ÒPEL8'Yà"!P± Ðaz@AðCÏôR,øx8?4:ðf8È(@Pð@@.textr `.data( @À.idata6P @@.didat4p6@À.rsrcø8@@.reloc4:<<@B request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 15, 2021, 5:13 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $#4gâZßgâZßgâZßnÉßsâZß¾[ÞeâZßùBßcâZß¾YÞjâZß¾_ÞmâZß¾^ÞlâZßE[ÞoâZß¬[ÞdâZßgâ[ßâZß¬^ÞmãZß¬ZÞfâZß¬¥ßfâZß¬XÞfâZßRichgâZßPELbë[à"!êwð@·»@ =T°pæÐÀ}pTÈ@ø.textèê `.rdataRTî@@.datatG`"B@À.rsrcp°d@@.reloc}À~h@B request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 15, 2021, 5:13 p.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ù£NEÍEÍEÍñ"GÍLà^NÍEÌlÍúÉUÍúÎVÍúÈAÍúÅ_ÍúÍDÍú2DÍúÏDÍRichEÍPEL8'Yà"!ê ® @¼@A°ð À H?0 °8è@¼.textÄéê `.dataDî@À.idata¸ð@@.rsrc ö@@.reloc 0ü@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0010ee00', u'virtual_address': u'0x00002000', u'entropy': 7.785666306009907, u'name': u'.text', u'virtual_size': u'0x0010edf0'}

entropy

7.78566630601

description

A section with a high entropy has been found

entropy

0.988144094847

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Nov. 15, 2021, 5:12 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 15, 2021, 5:13 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 15, 2021, 5:13 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 15, 2021, 5:13 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (2 events)

url	http://ip-api.com/json
url	https://dotbit.me/a/

Yara rule detected in process memory (35 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	Communications over HTTP	rule	Network_HTTP
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Steal credential	rule	local_credential_Steal
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall base_handle: 0x80000002 key_handle: 0x00000330 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA Nov. 15, 2021, 5:13 p.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Nov. 15, 2021, 5:13 p.m.	status_code: 0xffffffff process_identifier: 2416 process_handle: 0x00000248		0	0
NtTerminateProcess Nov. 15, 2021, 5:13 p.m.	status_code: 0xffffffff process_identifier: 2416 process_handle: 0x00000248	1	0	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	cmd.exe /c taskkill /pid 1768 & erase C:\Users\test22\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe & RD /S /Q C:\\ProgramData\\225545026071858\\* & exit
cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /pid 1768 & erase C:\Users\test22\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe & RD /S /Q C:\\ProgramData\\225545026071858\\* & exit
cmdline	taskkill /pid 1768

Communicates with host for which no DNS query was performed (5 events)

host	185.163.47.176
host	193.38.54.238
host	74.119.192.122
host	91.219.236.162
host	91.219.236.240

Allocates execute permission to another process indicative of possible code injection (4 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 3044 region_size: 593920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000274	1	0
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2416 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000024c		3221225496
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2444 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000244	1	0
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 1768 region_size: 212992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000024c	1	0

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Attempts to access Bitcoin/ALTCoin wallets (19 events)

file	C:\Users\test22\AppData\Roaming\Bitcoin\
file	C:\Users\test22\AppData\Roaming\Electrum\wallets\
file	C:\Users\test22\AppData\Roaming\Litecoin\
file	C:\Users\test22\AppData\Roaming\Namecoin\
file	C:\Users\test22\AppData\Roaming\Terracoin\
file	C:\Users\test22\AppData\Roaming\Primecoin\
file	C:\Users\test22\AppData\Roaming\Freicoin\
file	C:\Users\test22\AppData\Roaming\devcoin\
file	C:\Users\test22\AppData\Roaming\Franko\
file	C:\Users\test22\AppData\Roaming\Megacoin\
file	C:\Users\test22\AppData\Roaming\Infinitecoin\
file	C:\Users\test22\AppData\Roaming\Ixcoin\
file	C:\Users\test22\AppData\Roaming\Anoncoin\
file	C:\Users\test22\AppData\Roaming\BBQCoin\
file	C:\Users\test22\AppData\Roaming\digitalcoin\
file	C:\Users\test22\AppData\Roaming\Mincoin\
file	C:\Users\test22\AppData\Roaming\GoldCoin (GLD)\
file	C:\Users\test22\AppData\Roaming\YACoin\
file	C:\Users\test22\AppData\Roaming\Florincoin\

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2148 manipulating memory of non-child process 2416
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2416 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000024c		3221225496	0

Potential code injection by writing to the memory of another process (8 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $qý¶M5Ø5Ø5Ø!÷Û$Ø!÷ÝØ!÷ß4ØgéÜ&ØgéÛ-ØgéÝzØ!÷Ü,Ø!÷Þ4Ø!÷Ù.Ø5ÙÀØéÑ:ØéÚ4ØRich5ØPELÆaà Lvñ°@ @H2°RË8ÀË@°¸.textÈ `.rdataV°¤@@.datap\PN>@À.relocR°T@B base_address: 0x00400000 process_identifier: 3044 process_handle: 0x00000274	1	1
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3044 process_handle: 0x00000274	1	1
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à$¦°@@Ðà\CODE° `DATAl°@ÀBSSÅÀ¤À.idataÐ¤@À.reloc\à¬@PÄ@P base_address: 0x00400000 process_identifier: 2444 process_handle: 0x00000244	1	1
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: @2À@@@\@ì @l$@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@ErrorÀRuntime error at 00000000À0123456789ABCDEFÿÿÿÿàO@ÀÀ@@J7<äºÏ¿}ªiFîµä[Jú-EÝ]³QçëqØ'ÓØ'ÓØ'ÖØ7nØ$ÓsØ$ÓsØ$nsØ7ÓsØ7ÖsØ$ÓØ7Ø7ÖØ7ÖsØ$ÓØ$nsØ$nsØ7Ø$ÓØ$nsØ$nsØ7ÖsØ$ÓsØÔØ'ØØsØXØ$ÓØ'ÖØqØ'ÖØáveÛe3ôs>v÷E±Yêá)VûAr5d2'òÂØMY pê5ù©ñÌ-þ+~R¶ÖæÐvMºoß3 v§·5vÅÞ¸`6©¤á þáx.¢Wï)b!ò²jíïz´Ì·\|X¸q/Õæ?dEzãîs£3Ãhp>4Æ7èËJ\|úðØèëá¾iAò¡úèÌ3áHþíG\rgã@À¥[\ë¸?áRÃénSÑÒ-´¼;ÐÍñ[MQ¶SEvr]`U¥Ýê(èúmü'~àÖ.ÚÅÂÅÃ3Â%G°j°Uî½S:Ì¦æä[½V¿vz½åÁL}¸<ÿ,9ÞýV_:Â9 ç½WùÙÔÛoSûËÛ`Qé6ñ¡àwËm¥Anm'o-°aÃÐµ1ä¨5[þ'Çè©Ð¦¿q¤ÞÆ +ºê$gÌ7¶G~Ø: ðDºÜÑk½´úÓæ`¸{ÈQÖÎ<Aæ>5²+X2`ÿ0e¢÷¼Aâ@PD%ÌÐÒ:¨»efk®Z¨ÃÌPÒÕcÕéN{»¨¤¦b«?O±óÝ0ZRÔèÌÚÃOË©¤×`TwR\ÀàÄËÃÐÃsS¦@O±j¹}¢ì Jg_ÍYÇò @'¸PÂZ°)zãp>cXgÇ¼\|½\ÏODná)ü7Lôû8a³Ô´:3ªÆôë¥øGgPnº1½·ÕÔ^)õ/2{Û¸<T¾i#©È7ný_Fû^înB!ôëäRÛc-dèmàÇ«>WÆÄNä¨«$há:_p$Öd^}QÏ kï8áeÏÌË%V¿âFNØ\ðøG;æ1Èy¤SÇ,°!#fñÄþ j®Þ Ø\|íälçÇ+ÆÚ EÅÅ$Ü¶Dë Í!kù,ú"dlQ(°ÇMIÎ,p#°)]ÕÙ9i-0àl&®ª!YÑoPÝ+¾9}\±¡©Ù.¿4#D.§×è¼R I±£ç 1ÔTû_v¿tÂmÿóJQ÷Ð\pk+Fæ_h:÷Ù æÄ £8 c+-û2_ö0ýcQò¸dtµ+ûÞ¸¦åð#t êqêR(PY» ïÀ(¢#ÓÏÆÌzÓ ¯N$ÇAÇAôÆApÇA¤ÆAÇA@ÇAhÇAlÆA,ÇA¼ÆAÇA°ÆAÆAÄÆA´°AÇAÇAÇA(ÈA\ÇAüÆA4ÇA\|ÆAÆAìÆA ÇA<ÇA¸°AèÆA¤ÇA°°AÀÆAÇA¸ÆAdÆA°ÇAðÆA ÇA´ÆA(ÇAÈÇAØ°A¼°AÆAÇAÇAÇAÆA ÆA8ÇA¬ÆAPÇA¬ÇAÆALÇAøÆAÌÆADÇA`ÇA¬°A ÈA¨ÇAÇAÇAÈÆAÆAÇAÆA0ÇAhÆAHÇA´ÇAcolonna.ug base_address: 0x0041b000 process_identifier: 2444 process_handle: 0x00000244	1	1
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: ,ÒÜÐ ÔHÑXÔXÑÔhÑàÔxÑÕÑ8ÕÑºÖðÑ*×Òp× Ò:ÒRÒjÒÒÒ¬Ò¼ÒÈÒÖÒæÒÓÓ$Ó:ÓPÓbÓtÓÓÓ®Ó¼ÓÊÓÖÓòÓþÓÔ,Ô>ÔLÔfÔzÔÔ¦Ô¶ÔÌÔîÔÕ Õ.ÕFÕRÕZÕfÕxÕÕÕ¦Õ¶ÕÆÕØÕìÕÖÖ.ÖBÖPÖ`ÖrÖ~ÖÖÖ®ÖÄÖÔÖäÖðÖ× ×6×B×V×^×z××kernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetTickCountQueryPerformanceCounterGetVersionGetCurrentThreadIdWideCharToMultiByteMultiByteToWideCharGetThreadLocaleGetStartupInfoAGetModuleFileNameAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxACharNextAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenSysAllocStringLenkernel32.dllGetModuleHandleAadvapi32.dllRegOpenKeyExARegEnumKeyAFreeSidkernel32.dllWriteFileSleepLocalFreeLoadLibraryExWLoadLibraryAGlobalUnlockGlobalLockGetTickCountGetSystemInfoGetProcAddressGetModuleHandleAGetModuleFileNameAGetFileAttributesWGetCurrentProcessIdGetCurrentProcessFreeLibraryFindNextFileWFindFirstFileWFindCloseExitProcessDeleteFileWCreateDirectoryWCopyFileWgdi32.dllSelectObjectDeleteObjectDeleteDCCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSystemMetricsGetDCCharToOemBuffAole32.dllOleInitializeCoCreateInstance base_address: 0x0041d000 process_identifier: 2444 process_handle: 0x00000244	1	1
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2444 process_handle: 0x00000244	1	1
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $8±K¿\|Ð%ì\|Ð%ì\|Ð%ìï½ì}Ð%ì¦»ìdÐ%ì¦ìùÐ%ì¦ìOÐ%ìu¨¦ì~Ð%ìu¨¶ì{Ð%ì\|Ð$ìÐ%ì¦ìvÐ%ì¦¸ì}Ð%ìRich\|Ð%ìPELÎ^à 0âz@@@D¨Pôh@@.text.0 `.rdatalq@r4@@.data¨CÀ¦@À.reloc0+,¸@B base_address: 0x00400000 process_identifier: 1768 process_handle: 0x0000024c	1	1
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1768 process_handle: 0x0000024c	1	1

Code injection by writing an executable or DLL to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $qý¶M5Ø5Ø5Ø!÷Û$Ø!÷ÝØ!÷ß4ØgéÜ&ØgéÛ-ØgéÝzØ!÷Ü,Ø!÷Þ4Ø!÷Ù.Ø5ÙÀØéÑ:ØéÚ4ØRich5ØPELÆaà Lvñ°@ @H2°RË8ÀË@°¸.textÈ `.rdataV°¤@@.datap\PN>@À.relocR°T@B base_address: 0x00400000 process_identifier: 3044 process_handle: 0x00000274	1	1
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à$¦°@@Ðà\CODE° `DATAl°@ÀBSSÅÀ¤À.idataÐ¤@À.reloc\à¬@PÄ@P base_address: 0x00400000 process_identifier: 2444 process_handle: 0x00000244	1	1
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $8±K¿\|Ð%ì\|Ð%ì\|Ð%ìï½ì}Ð%ì¦»ìdÐ%ì¦ìùÐ%ì¦ìOÐ%ìu¨¦ì~Ð%ìu¨¶ì{Ð%ì\|Ð$ìÐ%ì¦ìvÐ%ì¦¸ì}Ð%ìRich\|Ð%ìPELÎ^à 0âz@@@D¨Pôh@@.text.0 `.rdatalq@r4@@.data¨CÀ¦@À.reloc0+,¸@B base_address: 0x00400000 process_identifier: 1768 process_handle: 0x0000024c	1	1

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Nov. 15, 2021, 5:13 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (1 event)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini

Network activity contains more than one unique useragent (2 events)

process	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe				useragent	Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
process	Vcinpeamqerjfxlsvutgosconsoleapp11.exe				useragent

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2772 called NtSetContextThread to modify thread in remote process 3044
Process injection	Process 2148 called NtSetContextThread to modify thread in remote process 2444
Process injection	Process 2732 called NtSetContextThread to modify thread in remote process 1768
NtSetContextThread Nov. 15, 2021, 5:13 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4452726 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003e0 process_identifier: 3044	1	0	0
NtSetContextThread Nov. 15, 2021, 5:13 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4302468 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000248 process_identifier: 2444	1	0	0
NtSetContextThread Nov. 15, 2021, 5:13 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4291211 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000248 process_identifier: 1768	1	0	0

One or more non-whitelisted processes were created (4 events)

parent_process	wscript.exe	martian_process	C:\Users\test22\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe
parent_process	wscript.exe	martian_process	"C:\Users\test22\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe"
parent_process	wscript.exe	martian_process	"C:\Users\test22\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe"
parent_process	wscript.exe	martian_process	C:\Users\test22\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2772 resumed a thread in remote process 3044
Process injection	Process 2148 resumed a thread in remote process 2444
Process injection	Process 2732 resumed a thread in remote process 1768
NtResumeThread Nov. 15, 2021, 5:13 p.m.	thread_handle: 0x000003e0 suspend_count: 1 process_identifier: 3044	1	0	0
NtResumeThread Nov. 15, 2021, 5:13 p.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 2444	1	0	0
NtResumeThread Nov. 15, 2021, 5:13 p.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 1768	1	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (50 out of 59 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 15, 2021, 5:12 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2772	1	0
NtResumeThread Nov. 15, 2021, 5:12 p.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2772	1	0
NtResumeThread Nov. 15, 2021, 5:12 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2772	1	0
NtResumeThread Nov. 15, 2021, 5:13 p.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 2772	1	0
NtResumeThread Nov. 15, 2021, 5:13 p.m.	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 2772	1	0
CreateProcessInternalW Nov. 15, 2021, 5:13 p.m.	thread_identifier: 3004 thread_handle: 0x000003dc process_identifier: 3000 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\Ilzzmljftcwfeldyujdcyqy.vbs" filepath_r: C:\Windows\System32\WScript.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d0	1	1
CreateProcessInternalW Nov. 15, 2021, 5:13 p.m.	thread_identifier: 3048 thread_handle: 0x000003e0 process_identifier: 3044 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\asdfg.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000274	1	1
NtGetContextThread Nov. 15, 2021, 5:13 p.m.	thread_handle: 0x000003e0	1	0
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 3044 region_size: 593920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000274	1	0
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $qý¶M5Ø5Ø5Ø!÷Û$Ø!÷ÝØ!÷ß4ØgéÜ&ØgéÛ-ØgéÝzØ!÷Ü,Ø!÷Þ4Ø!÷Ù.Ø5ÙÀØéÑ:ØéÚ4ØRich5ØPELÆaà Lvñ°@ @H2°RË8ÀË@°¸.textÈ `.rdataV°¤@@.datap\PN>@À.relocR°T@B base_address: 0x00400000 process_identifier: 3044 process_handle: 0x00000274	1	1
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: base_address: 0x00401000 process_identifier: 3044 process_handle: 0x00000274	1	1
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: base_address: 0x0046b000 process_identifier: 3044 process_handle: 0x00000274	1	1
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: base_address: 0x00485000 process_identifier: 3044 process_handle: 0x00000274	1	1
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: base_address: 0x0048b000 process_identifier: 3044 process_handle: 0x00000274	1	1
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3044 process_handle: 0x00000274	1	1
NtSetContextThread Nov. 15, 2021, 5:13 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4452726 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003e0 process_identifier: 3044	1	0
NtResumeThread Nov. 15, 2021, 5:13 p.m.	thread_handle: 0x000003e0 suspend_count: 1 process_identifier: 3044	1	0
CreateProcessInternalW Nov. 15, 2021, 5:13 p.m.	thread_identifier: 2144 thread_handle: 0x0000031c process_identifier: 2148 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000324	1	1
NtResumeThread Nov. 15, 2021, 5:13 p.m.	thread_handle: 0x00000144 suspend_count: 1 process_identifier: 3044	1	0
NtResumeThread Nov. 15, 2021, 5:13 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Nov. 15, 2021, 5:13 p.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Nov. 15, 2021, 5:13 p.m.	thread_handle: 0x00000180 suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Nov. 15, 2021, 5:13 p.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Nov. 15, 2021, 5:13 p.m.	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 2148	1	0
CreateProcessInternalW Nov. 15, 2021, 5:13 p.m.	thread_identifier: 2256 thread_handle: 0x000003dc process_identifier: 2288 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\Ksyuxjtrazuidxiqmg.vbs" filepath_r: C:\Windows\System32\WScript.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d0	1	1
NtResumeThread Nov. 15, 2021, 5:13 p.m.	thread_handle: 0x00000270 suspend_count: 1 process_identifier: 2148	1	0
CreateProcessInternalW Nov. 15, 2021, 5:13 p.m.	thread_identifier: 2420 thread_handle: 0x00000250 process_identifier: 2416 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000024c	1	1
NtGetContextThread Nov. 15, 2021, 5:13 p.m.	thread_handle: 0x00000250	1	0
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2416 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000024c		3221225496
CreateProcessInternalW Nov. 15, 2021, 5:13 p.m.	thread_identifier: 2448 thread_handle: 0x00000248 process_identifier: 2444 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000244	1	1
NtGetContextThread Nov. 15, 2021, 5:13 p.m.	thread_handle: 0x00000248	1	0
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 2444 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000244	1	0
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à$¦°@@Ðà\CODE° `DATAl°@ÀBSSÅÀ¤À.idataÐ¤@À.reloc\à¬@PÄ@P base_address: 0x00400000 process_identifier: 2444 process_handle: 0x00000244	1	1
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: base_address: 0x00401000 process_identifier: 2444 process_handle: 0x00000244	1	1
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: @2À@@@\@ì @l$@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@ErrorÀRuntime error at 00000000À0123456789ABCDEFÿÿÿÿàO@ÀÀ@@J7<äºÏ¿}ªiFîµä[Jú-EÝ]³QçëqØ'ÓØ'ÓØ'ÖØ7nØ$ÓsØ$ÓsØ$nsØ7ÓsØ7ÖsØ$ÓØ7Ø7ÖØ7ÖsØ$ÓØ$nsØ$nsØ7Ø$ÓØ$nsØ$nsØ7ÖsØ$ÓsØÔØ'ØØsØXØ$ÓØ'ÖØqØ'ÖØáveÛe3ôs>v÷E±Yêá)VûAr5d2'òÂØMY pê5ù©ñÌ-þ+~R¶ÖæÐvMºoß3 v§·5vÅÞ¸`6©¤á þáx.¢Wï)b!ò²jíïz´Ì·\|X¸q/Õæ?dEzãîs£3Ãhp>4Æ7èËJ\|úðØèëá¾iAò¡úèÌ3áHþíG\rgã@À¥[\ë¸?áRÃénSÑÒ-´¼;ÐÍñ[MQ¶SEvr]`U¥Ýê(èúmü'~àÖ.ÚÅÂÅÃ3Â%G°j°Uî½S:Ì¦æä[½V¿vz½åÁL}¸<ÿ,9ÞýV_:Â9 ç½WùÙÔÛoSûËÛ`Qé6ñ¡àwËm¥Anm'o-°aÃÐµ1ä¨5[þ'Çè©Ð¦¿q¤ÞÆ +ºê$gÌ7¶G~Ø: ðDºÜÑk½´úÓæ`¸{ÈQÖÎ<Aæ>5²+X2`ÿ0e¢÷¼Aâ@PD%ÌÐÒ:¨»efk®Z¨ÃÌPÒÕcÕéN{»¨¤¦b«?O±óÝ0ZRÔèÌÚÃOË©¤×`TwR\ÀàÄËÃÐÃsS¦@O±j¹}¢ì Jg_ÍYÇò @'¸PÂZ°)zãp>cXgÇ¼\|½\ÏODná)ü7Lôû8a³Ô´:3ªÆôë¥øGgPnº1½·ÕÔ^)õ/2{Û¸<T¾i#©È7ný_Fû^înB!ôëäRÛc-dèmàÇ«>WÆÄNä¨«$há:_p$Öd^}QÏ kï8áeÏÌË%V¿âFNØ\ðøG;æ1Èy¤SÇ,°!#fñÄþ j®Þ Ø\|íälçÇ+ÆÚ EÅÅ$Ü¶Dë Í!kù,ú"dlQ(°ÇMIÎ,p#°)]ÕÙ9i-0àl&®ª!YÑoPÝ+¾9}\±¡©Ù.¿4#D.§×è¼R I±£ç 1ÔTû_v¿tÂmÿóJQ÷Ð\pk+Fæ_h:÷Ù æÄ £8 c+-û2_ö0ýcQò¸dtµ+ûÞ¸¦åð#t êqêR(PY» ïÀ(¢#ÓÏÆÌzÓ ¯N$ÇAÇAôÆApÇA¤ÆAÇA@ÇAhÇAlÆA,ÇA¼ÆAÇA°ÆAÆAÄÆA´°AÇAÇAÇA(ÈA\ÇAüÆA4ÇA\|ÆAÆAìÆA ÇA<ÇA¸°AèÆA¤ÇA°°AÀÆAÇA¸ÆAdÆA°ÇAðÆA ÇA´ÆA(ÇAÈÇAØ°A¼°AÆAÇAÇAÇAÆA ÆA8ÇA¬ÆAPÇA¬ÇAÆALÇAøÆAÌÆADÇA`ÇA¬°A ÈA¨ÇAÇAÇAÈÆAÆAÇAÆA0ÇAhÆAHÇA´ÇAcolonna.ug base_address: 0x0041b000 process_identifier: 2444 process_handle: 0x00000244	1	1
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: ,ÒÜÐ ÔHÑXÔXÑÔhÑàÔxÑÕÑ8ÕÑºÖðÑ*×Òp× Ò:ÒRÒjÒÒÒ¬Ò¼ÒÈÒÖÒæÒÓÓ$Ó:ÓPÓbÓtÓÓÓ®Ó¼ÓÊÓÖÓòÓþÓÔ,Ô>ÔLÔfÔzÔÔ¦Ô¶ÔÌÔîÔÕ Õ.ÕFÕRÕZÕfÕxÕÕÕ¦Õ¶ÕÆÕØÕìÕÖÖ.ÖBÖPÖ`ÖrÖ~ÖÖÖ®ÖÄÖÔÖäÖðÖ× ×6×B×V×^×z××kernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetTickCountQueryPerformanceCounterGetVersionGetCurrentThreadIdWideCharToMultiByteMultiByteToWideCharGetThreadLocaleGetStartupInfoAGetModuleFileNameAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxACharNextAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenSysAllocStringLenkernel32.dllGetModuleHandleAadvapi32.dllRegOpenKeyExARegEnumKeyAFreeSidkernel32.dllWriteFileSleepLocalFreeLoadLibraryExWLoadLibraryAGlobalUnlockGlobalLockGetTickCountGetSystemInfoGetProcAddressGetModuleHandleAGetModuleFileNameAGetFileAttributesWGetCurrentProcessIdGetCurrentProcessFreeLibraryFindNextFileWFindFirstFileWFindCloseExitProcessDeleteFileWCreateDirectoryWCopyFileWgdi32.dllSelectObjectDeleteObjectDeleteDCCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSystemMetricsGetDCCharToOemBuffAole32.dllOleInitializeCoCreateInstance base_address: 0x0041d000 process_identifier: 2444 process_handle: 0x00000244	1	1
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: base_address: 0x0041e000 process_identifier: 2444 process_handle: 0x00000244	1	1
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2444 process_handle: 0x00000244	1	1
NtSetContextThread Nov. 15, 2021, 5:13 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4302468 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000248 process_identifier: 2444	1	0
NtResumeThread Nov. 15, 2021, 5:13 p.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 2444	1	0
CreateProcessInternalW Nov. 15, 2021, 5:13 p.m.	thread_identifier: 2728 thread_handle: 0x0000031c process_identifier: 2732 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000324	1	1
NtResumeThread Nov. 15, 2021, 5:13 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread Nov. 15, 2021, 5:13 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2732	1	0
NtResumeThread Nov. 15, 2021, 5:13 p.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2732	1	0
NtResumeThread Nov. 15, 2021, 5:13 p.m.	thread_handle: 0x00000184 suspend_count: 1 process_identifier: 2732	1	0
NtResumeThread Nov. 15, 2021, 5:13 p.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 2732	1	0
CreateProcessInternalW Nov. 15, 2021, 5:13 p.m.	thread_identifier: 1560 thread_handle: 0x00000248 process_identifier: 1768 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000024c	1	1
NtGetContextThread Nov. 15, 2021, 5:13 p.m.	thread_handle: 0x00000248	1	0
NtAllocateVirtualMemory Nov. 15, 2021, 5:13 p.m.	process_identifier: 1768 region_size: 212992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000024c	1	0
WriteProcessMemory Nov. 15, 2021, 5:13 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $8±K¿\|Ð%ì\|Ð%ì\|Ð%ìï½ì}Ð%ì¦»ìdÐ%ì¦ìùÐ%ì¦ìOÐ%ìu¨¦ì~Ð%ìu¨¶ì{Ð%ì\|Ð$ìÐ%ì¦ìvÐ%ì¦¸ì}Ð%ìRich\|Ð%ìPELÎ^à 0âz@@@D¨Pôh@@.text.0 `.rdatalq@r4@@.data¨CÀ¦@À.reloc0+,¸@B base_address: 0x00400000 process_identifier: 1768 process_handle: 0x0000024c	1	1

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.38017298
FireEye	Trojan.GenericKD.38017298
Cylance	Unsafe
Alibaba	Trojan:Win32/Kryptik.ali2000016
Arcabit	Trojan.Generic.D2441912
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Generik.BAKQVYL
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Dropper.Generic-7113183-0
Kaspersky	HEUR:Trojan-Downloader.MSIL.Seraph.gen
BitDefender	Trojan.GenericKD.38017298
Avast	Win32:MalwareX-gen [Trj]
Ad-Aware	Trojan.GenericKD.38017298
Sophos	Mal/Generic-S
Comodo	.UnclassifiedMalware@0
DrWeb	Trojan.Siggen15.40993
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.GenericKD.38017298 (B)
SentinelOne	Static AI - Malicious PE
Avira	HEUR/AGEN.1142543
Kingsoft	Win32.PSWTroj.Undef.(kcloud)
Gridinsoft	Ransom.Win32.AzorUlt.sa
Microsoft	Trojan:Win32/Woreflint.A!cl
GData	Trojan.GenericKD.38017298
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.MalwareX-gen.C4770399
McAfee	Artemis!6966182DD203
MAX	malware (ai score=87)
Malwarebytes	Malware.AI.3161454349
Ikarus	Trojan.MSIL.Agent
eGambit	Trojan.Generic
Fortinet	Malicious_Behavior.SB
BitDefenderTheta	Gen:NN.ZemsilF.34266.en0@aCfkvpf
AVG	Win32:MalwareX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_80% (W)
MaxSecure	Trojan.Malware.300983.susgen

The process wscript.exe wrote an executable file to disk which it then attempted to execute (3 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Users\test22\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
file	C:\Users\test22\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (9 events)

dead_host	192.168.56.101:49181
dead_host	192.168.56.101:49180
dead_host	192.168.56.101:49188
dead_host	74.119.192.122:80
dead_host	192.168.56.101:49183
dead_host	91.219.236.240:80
dead_host	193.38.54.238:80
dead_host	192.168.56.101:49182
dead_host	192.168.56.101:49184

asdfg.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All