Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 26, 2022, 8:54 a.m.	March 26, 2022, 9:10 a.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`1098eea1ee550a0b6100a11be53d27d8`
SHA256	`8dfee94c273148e304ce65b2174c1bcf211e31b9fb7074bb03069c831a4b119a`
CRC32	`AD9C30B7`
ssdeep	`24576:+TLmKxzGyM4qG2AakO6fjPViDl16PdCLHbW:kl4JbsjIYPdCLb`
Yara	Malicious_Library_Zero - Malicious_Library Admin_Tool_IN_Zero - Admin Tool Sysinternals UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description)

rc.exe "C:\Users\test22\AppData\Local\Temp\rc.exe"
2344
- cmd.exe cmd /c ""C:\Users\Public\Wxmxcswt.bat" "
  2568
  - cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\WxmxcswO.bat
    2648
    - net.exe net session
      2732
      - net1.exe C:\Windows\system32\net1 session
        2776
    - powershell.exe powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
      2832

Name	Response	Post-Analysis Lookup
parthaha.ac.ug
nikahuve.ac.ug	A 194.5.98.107	194.5.98.107
kalskala.ac.ug
tuekisaa.ac.ug
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.135.233

IP Address	Status	Action
162.159.129.233	Active	Moloch
164.124.101.2	Active	Moloch
194.5.98.107	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 26, 2022, 8:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 26, 2022, 8:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 26, 2022, 8:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 26, 2022, 8:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 26, 2022, 8:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 26, 2022, 8:55 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 26, 2022, 8:55 a.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 26, 2022, 8:55 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW March 26, 2022, 8:55 a.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW March 26, 2022, 8:55 a.m.	buffer: /min C:\Users\Public\WxmxcswO.bat console_handle: 0x00000007	1	1
WriteConsoleW March 26, 2022, 8:55 a.m.	buffer: exit console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (44 events)

Time & API	Arguments	Status	Return
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2f68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c25a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c25a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c25a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c25a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c25a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c25a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c27e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c21a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c21a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c21a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c21a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c21a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c21a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c21a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c21a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c21a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c21a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c21a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c21a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c21a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c21a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2ce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2ce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2ce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2ce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2ce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2022, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2ce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 26, 2022, 8:55 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.itext

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

WX_BWB

One or more processes crashed (50 out of 124 events)

Time & API	Arguments	Status
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632948 registers.edi: 1633036 registers.eax: 23117 registers.ebp: 1633008 registers.edx: 0 registers.ebx: 0 registers.esi: 34209792 registers.ecx: 1633024	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632800 registers.edi: 1632896 registers.eax: 23117 registers.ebp: 1632860 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999575552	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632932 registers.edi: 1633020 registers.eax: 23117 registers.ebp: 1632992 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1632768	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1633056 registers.edi: 1633152 registers.eax: 23117 registers.ebp: 1633116 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999678976	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632948 registers.edi: 1633036 registers.eax: 23117 registers.ebp: 1633008 registers.edx: 0 registers.ebx: 0 registers.esi: 34209792 registers.ecx: 1633024	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632800 registers.edi: 1632896 registers.eax: 23117 registers.ebp: 1632860 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999575552	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632932 registers.edi: 1633020 registers.eax: 23117 registers.ebp: 1632992 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1632768	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1633056 registers.edi: 1633152 registers.eax: 23117 registers.ebp: 1633116 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999678976	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632948 registers.edi: 1633036 registers.eax: 23117 registers.ebp: 1633008 registers.edx: 0 registers.ebx: 0 registers.esi: 34209792 registers.ecx: 1633024	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632800 registers.edi: 1632896 registers.eax: 23117 registers.ebp: 1632860 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999575552	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632932 registers.edi: 1633020 registers.eax: 23117 registers.ebp: 1632992 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1632768	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1633056 registers.edi: 1633152 registers.eax: 23117 registers.ebp: 1633116 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999678976	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632948 registers.edi: 1633036 registers.eax: 23117 registers.ebp: 1633008 registers.edx: 0 registers.ebx: 0 registers.esi: 34209792 registers.ecx: 1633024	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632800 registers.edi: 1632896 registers.eax: 23117 registers.ebp: 1632860 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999575552	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632932 registers.edi: 1633020 registers.eax: 23117 registers.ebp: 1632992 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1632768	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1633056 registers.edi: 1633152 registers.eax: 23117 registers.ebp: 1633116 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999678976	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632948 registers.edi: 1633036 registers.eax: 23117 registers.ebp: 1633008 registers.edx: 0 registers.ebx: 0 registers.esi: 34209792 registers.ecx: 1633024	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632800 registers.edi: 1632896 registers.eax: 23117 registers.ebp: 1632860 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999575552	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632932 registers.edi: 1633020 registers.eax: 23117 registers.ebp: 1632992 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1632768	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1633056 registers.edi: 1633152 registers.eax: 23117 registers.ebp: 1633116 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999678976	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632948 registers.edi: 1633036 registers.eax: 23117 registers.ebp: 1633008 registers.edx: 0 registers.ebx: 0 registers.esi: 34209792 registers.ecx: 1633024	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632800 registers.edi: 1632896 registers.eax: 23117 registers.ebp: 1632860 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999575552	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632932 registers.edi: 1633020 registers.eax: 23117 registers.ebp: 1632992 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1632768	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1633056 registers.edi: 1633152 registers.eax: 23117 registers.ebp: 1633116 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999678976	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632948 registers.edi: 1633036 registers.eax: 23117 registers.ebp: 1633008 registers.edx: 0 registers.ebx: 0 registers.esi: 34209792 registers.ecx: 1633024	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632800 registers.edi: 1632896 registers.eax: 23117 registers.ebp: 1632860 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999575552	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632932 registers.edi: 1633020 registers.eax: 23117 registers.ebp: 1632992 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1632768	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1633056 registers.edi: 1633152 registers.eax: 23117 registers.ebp: 1633116 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999678976	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632948 registers.edi: 1633036 registers.eax: 23117 registers.ebp: 1633008 registers.edx: 0 registers.ebx: 0 registers.esi: 34209792 registers.ecx: 1633024	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632800 registers.edi: 1632896 registers.eax: 23117 registers.ebp: 1632860 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999575552	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632932 registers.edi: 1633020 registers.eax: 23117 registers.ebp: 1632992 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1632768	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1633056 registers.edi: 1633152 registers.eax: 23117 registers.ebp: 1633116 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999678976	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632948 registers.edi: 1633036 registers.eax: 23117 registers.ebp: 1633008 registers.edx: 0 registers.ebx: 0 registers.esi: 34209792 registers.ecx: 1633024	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632800 registers.edi: 1632896 registers.eax: 23117 registers.ebp: 1632860 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999575552	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632932 registers.edi: 1633020 registers.eax: 23117 registers.ebp: 1632992 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1632768	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1633056 registers.edi: 1633152 registers.eax: 23117 registers.ebp: 1633116 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999678976	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632948 registers.edi: 1633036 registers.eax: 23117 registers.ebp: 1633008 registers.edx: 0 registers.ebx: 0 registers.esi: 34209792 registers.ecx: 1633024	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632800 registers.edi: 1632896 registers.eax: 23117 registers.ebp: 1632860 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999575552	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632932 registers.edi: 1633020 registers.eax: 23117 registers.ebp: 1632992 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1632768	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1633056 registers.edi: 1633152 registers.eax: 23117 registers.ebp: 1633116 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999678976	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632948 registers.edi: 1633036 registers.eax: 23117 registers.ebp: 1633008 registers.edx: 0 registers.ebx: 0 registers.esi: 34209792 registers.ecx: 1633024	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632800 registers.edi: 1632896 registers.eax: 23117 registers.ebp: 1632860 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999575552	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632932 registers.edi: 1633020 registers.eax: 23117 registers.ebp: 1632992 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1632768	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1633056 registers.edi: 1633152 registers.eax: 23117 registers.ebp: 1633116 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999678976	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632948 registers.edi: 1633036 registers.eax: 23117 registers.ebp: 1633008 registers.edx: 0 registers.ebx: 0 registers.esi: 34209792 registers.ecx: 1633024	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632800 registers.edi: 1632896 registers.eax: 23117 registers.ebp: 1632860 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999575552	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632932 registers.edi: 1633020 registers.eax: 23117 registers.ebp: 1632992 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1632768	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1633056 registers.edi: 1633152 registers.eax: 23117 registers.ebp: 1633116 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999678976	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632948 registers.edi: 1633036 registers.eax: 23117 registers.ebp: 1633008 registers.edx: 0 registers.ebx: 0 registers.esi: 34209792 registers.ecx: 1633024	1
__exception__ March 26, 2022, 8:54 a.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x73fc7322 0x20a60ff 0x20a4133 0x20a4220 rc+0x97b45 @ 0x497b45 rc+0x9e32b @ 0x49e32b rc+0x45cf @ 0x4045cf rc+0x4637 @ 0x404637 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632800 registers.edi: 1632896 registers.eax: 23117 registers.ebp: 1632860 registers.edx: 0 registers.ebx: 34209792 registers.esi: 34209792 registers.ecx: 1999575552	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET https://cdn.discordapp.com/attachments/873891971998036042/956866669567942676/Wxmxcswfuohcghxfhknlcpdvxxwxrap

Allocates read-write-execute memory (usually to unpack itself) (50 out of 190 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 26, 2022, 8:54 a.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:54 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:54 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:54 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:54 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:54 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:54 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:54 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:54 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:54 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:54 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00406000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:54 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00406000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:54 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00406000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 region_size: 512000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10590000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 499712 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10591000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04279000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (3 events)

file	C:\Users\Public\WxmxcswO.bat
file	C:\Users\Public\Cdex.bat
file	C:\Users\Public\Wxmxcswt.bat

Creates a shortcut to an executable file (1 event)

file	C:\Users\Public\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
cmdline	C:\Windows\system32\cmd.exe /K C:\Users\Public\WxmxcswO.bat

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW March 26, 2022, 8:55 a.m.	thread_identifier: 2836 thread_handle: 0x00000088 process_identifier: 2832 current_directory: filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 26, 2022, 8:54 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 81920 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x020a1000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 26, 2022, 8:55 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (50 out of 62 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Steal credential	rule	local_credential_Steal
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Steal credential	rule	local_credential_Steal
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
cmdline	net session
cmdline	C:\Windows\system32\cmd.exe /K C:\Users\Public\WxmxcswO.bat

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 173c42312ca274ef732708784b7eb32d531dbc18

Allocates execute permission to another process indicative of possible code injection (12 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 512000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10590000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000055c	1
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000055c	1
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000055c	1
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00010000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000055c	1
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00020000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000055c	1
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000055c	1
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00110000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000055c	1
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00120000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000055c	1
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000055c	1
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00140000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000055c	1
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00200000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000055c	1
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00210000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000055c	1

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Wxmxcsw

reg_value

C:\Users\Public\wscxmxW.url

Deletes executed files from disk (1 event)

file

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (5 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2344 created a remote thread in non-child process 2516
CreateRemoteThread March 26, 2022, 8:55 a.m.	thread_identifier: 2552 process_identifier: 2516 function_address: 0x000b0000 flags: 0 stack_size: 0 parameter: 0x00000000 process_handle: 0x0000055c	1	1400	0
CreateRemoteThread March 26, 2022, 8:55 a.m.	thread_identifier: 2556 process_identifier: 2516 function_address: 0x000d0000 flags: 0 stack_size: 0 parameter: 0x00020000 process_handle: 0x0000055c	1	1400	0
CreateRemoteThread March 26, 2022, 8:55 a.m.	thread_identifier: 2560 process_identifier: 2516 function_address: 0x00140000 flags: 0 stack_size: 0 parameter: 0x00130000 process_handle: 0x0000055c	1	1364	0
CreateRemoteThread March 26, 2022, 8:55 a.m.	thread_identifier: 2564 process_identifier: 2516 function_address: 0x00210000 flags: 0 stack_size: 0 parameter: 0x00200000 process_handle: 0x0000055c	1	1384	0

Manipulates memory of a non-child process indicative of process injection (13 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2344 manipulating memory of non-child process 2516
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 512000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10590000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000055c	1	0	0
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000055c	1	0	0
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000055c	1	0	0
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00010000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000055c	1	0	0
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00020000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000055c	1	0	0
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000055c	1	0	0
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00110000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000055c	1	0	0
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00120000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000055c	1	0	0
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000055c	1	0	0
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00140000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000055c	1	0	0
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00200000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000055c	1	0	0
NtAllocateVirtualMemory March 26, 2022, 8:55 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00210000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000055c	1	0	0

Potential code injection by writing to the memory of another process (12 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2344 injected into non-child 2516
WriteProcessMemory March 26, 2022, 8:55 a.m.	buffer: hÿhÿ×IvÕ0wkernel32.dllÿTú,tù,¾tús¤ù,Éúspý~ù,laúsQyúspý~¤ù,:ús6;t4ú,mØûsüù,üù,ÿÿÿÿhú,Tú,Ö;%»%%Dú,è%%ú,dÙhÙDú,-´&5´&xú,B% base_address: 0x000b0000 process_identifier: 2516 process_handle: 0x0000055c	1	1	0
WriteProcessMemory March 26, 2022, 8:55 a.m.	buffer: GetProcAddress base_address: 0x000c0000 process_identifier: 2516 process_handle: 0x0000055c	1	1	0
WriteProcessMemory March 26, 2022, 8:55 a.m.	buffer: kernel32.dll base_address: 0x00010000 process_identifier: 2516 process_handle: 0x0000055c	1	1	0
WriteProcessMemory March 26, 2022, 8:55 a.m.	buffer: Õ0w"vEv base_address: 0x00020000 process_identifier: 2516 process_handle: 0x0000055c	1	1	0
WriteProcessMemory March 26, 2022, 8:55 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh½&h,½&èÍªþÿPèÏªþÿEèh<½&h,½&èµªþÿPè·ªþÿEähL½&h,½&èªþÿPèªþÿEàþu}ðëÎ×ÃèÏûÿÿEðUüÃè*ûÿÿEìjjMàº$¼&ÃèèûÿÿØÛtjÿSè>«þÿEôPSèªþÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x000d0000 process_identifier: 2516 process_handle: 0x0000055c	1	1	0
WriteProcessMemory March 26, 2022, 8:55 a.m.	buffer: LoadLibraryA base_address: 0x00110000 process_identifier: 2516 process_handle: 0x0000055c	1	1	0
WriteProcessMemory March 26, 2022, 8:55 a.m.	buffer: kernel32.dll base_address: 0x00120000 process_identifier: 2516 process_handle: 0x0000055c	1	1	0
WriteProcessMemory March 26, 2022, 8:55 a.m.	buffer: Õ0w"vEv base_address: 0x00130000 process_identifier: 2516 process_handle: 0x0000055c	1	1	0
WriteProcessMemory March 26, 2022, 8:55 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh½&h,½&èÍªþÿPèÏªþÿEèh<½&h,½&èµªþÿPè·ªþÿEähL½&h,½&èªþÿPèªþÿEàþu}ðëÎ×ÃèÏûÿÿEðUüÃè*ûÿÿEìjjMàº$¼&ÃèèûÿÿØÛtjÿSè>«þÿEôPSèªþÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00140000 process_identifier: 2516 process_handle: 0x0000055c	1	1	0
WriteProcessMemory March 26, 2022, 8:55 a.m.	buffer: Y Y base_address: 0x00200000 process_identifier: 2516 process_handle: 0x0000055c	1	1	0
WriteProcessMemory March 26, 2022, 8:55 a.m.	buffer: UìÄøEUøPUü1ÀPjÿuøÿUüYY]Â@UìÄÔSVWúðEÔÐ²&è=þÿ3ÀUh»&dÿ0d ÆEÿG<ÇEô»Ãj@h0Eô@PPEô@4ÃPè þÿEð}ðt0hjEðPèþÿj@h0Eô@PPEô@4ÃPVèò¬þÿEð}ðuû0vEÔPÏUðÆèEÔÀt7EèUàUìUøRUØRPEðPVèî¬þÿjjMèºdº&Æè_ýÿÿÀtÆEÿ3ÀZYYdh »&EÔÐ²&èþÿÃ base_address: 0x00210000 process_identifier: 2516 process_handle: 0x0000055c	1	1	0

Network activity contains more than one unique useragent (2 events)

process	rc.exe				useragent	lVali
process	rc.exe				useragent	72

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2568 resumed a thread in remote process 2648
Process injection	Process 2648 resumed a thread in remote process 2832
NtResumeThread March 26, 2022, 8:55 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2648	1	0	0
NtResumeThread March 26, 2022, 8:55 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2832	1	0	0

Creates a suspicious Powershell process (2 events)

option	-windowstyle hidden				value	Attempts to execute command with a hidden window
option	-noninteractive				value	Prevents creating an interactive prompt for the user

Generates some ICMP traffic

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

Lionic	Trojan.Multi.Generic.4!c
McAfee	Artemis!1098EEA1EE55
K7AntiVirus	Trojan ( 0058ff851 )
Alibaba	Trojan:Application/Generic.d8daf847
K7GW	Trojan ( 0058ff851 )
Cybereason	malicious.409a66
VirIT	Trojan.Win32.PSWStealer.DGV
Cyren	W32/BestaFera.D.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	Win32/TrojanDownloader.Delf.DIB
TrendMicro-HouseCall	TROJ_GEN.R002H0CCP22
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
APEX	Malicious
DrWeb	Trojan.DownLoader44.46874
McAfee-GW-Edition	BehavesLike.Win32.Generic.th
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Cynet	Malicious (score: 100)
VBA32	BScope.Trojan.Diple
Malwarebytes	Malware.AI.4213064724
Avast	Win32:PWSX-gen [Trj]
Rising	Trojan.Injector!8.C4 (CLOUD)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Injector.EQPQ!tr
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_70% (W)

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (8 events)

dead_host	194.5.98.107:6968
dead_host	192.168.56.103:49181
dead_host	192.168.56.103:49183
dead_host	192.168.56.103:49184
dead_host	192.168.56.103:49172
dead_host	192.168.56.103:49177
dead_host	192.168.56.103:49179
dead_host	192.168.56.103:49178

rc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All