popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

66e095f996804_111.exe

RedLine Infostealer Suspicious_Script_Bin Generic Malware UltraVNC UPX Downloader Malicious Library Code injection DGA Escalate priviledges Hijack Network Create Service Sniff Audio Internet API ScreenShot Http API HTTP DNS PWS Steal credential Socket
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Sept. 11, 2024, 9:53 a.m. Sept. 11, 2024, 9:57 a.m.
Size 1.6MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 84696a854747864cc51653cb5d843a2a
SHA256 2ec15fc6c4dfa14162599fd7d46a8c513280ab7dc3a2bb5d7d279f7a10a96697
CRC32 48505B5C
ssdeep 49152:V5OneYHloH3HlcGbDss/fvpvJuUHOi0i7hQ5:V5eeYHa1c6DssxU6OXi7e
PDB Path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
107.189.171.131 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2046045 ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) A Network Trojan was detected
TCP 107.189.171.131:14307 -> 192.168.56.101:49170 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 107.189.171.131:14307 -> 192.168.56.101:49170 2046056 ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) A Network Trojan was detected
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49170 -> 107.189.171.131:14307 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: 1 file(s) moved.
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: R=L
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: poQFOther
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Zoophilia Sonic Albuquerque Cv Athletes
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: 'poQFOther' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: OhOfficial
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: 'OhOfficial' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: WNvHotmail
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Organisations Faced Festival Hl Flex Seo Foo Independent
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: 'WNvHotmail' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: xpePhotographs
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Distinct Lat Ist Arabic Upload Bull Core Jpeg
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: 'xpePhotographs' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: YBleRichard
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Boxing
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: 'YBleRichard' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: uRMBDoors
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Clubs Drivers Contacts Ix
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: 'uRMBDoors' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: FIwEvident
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Frank Flood Welding Irc Query Js
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: 'FIwEvident' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: kiDzChildhood
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Reviews Contacts Powerful Legislation Improve Audience Crime
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: 'kiDzChildhood' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Compute=l
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: kfOMOt
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Symposium Biographies U Shift Talk
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: 'kfOMOt' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: POHjZinc
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Longitude Going Tucson Threads Durham
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: 'POHjZinc' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: vgBlanket
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Cure Warriors Ld Calibration Decision Moves Repair Climbing
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: 'vgBlanket' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002eca60
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002eca60
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ecaa0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ecaa0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ecda0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ecde0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ecde0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ecde0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ecde0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ecea0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ecea0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ecda0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ecda0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ecda0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ecda0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ecda0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ecda0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ecda0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ecda0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ecda0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ecee0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ecee0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ecee0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ecee0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ed520
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ed520
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ed6e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x05e66088
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x05e66088
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x05e65f48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
pdb_path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file C:\Program Files\Mozilla Firefox\firefox.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .gfids
resource name PNG
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 07 66 0f 7f 47 10 66 0f 7f 47 20 66 0f
exception.symbol: 2+0xefe7
exception.address: 0x40efe7
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61415
registers.esp: 1636976
registers.edi: 4465840
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 1476
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4468656
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 1454
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4472752
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 1422
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4476848
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 1390
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4480944
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 1358
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4485040
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 1326
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4489136
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 1294
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4493232
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 1262
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4497328
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 1230
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4501424
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 1198
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4505520
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 1166
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4509616
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 1134
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4513712
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 1102
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4517808
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 1070
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4521904
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 1038
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4526000
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 1006
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4530096
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 974
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4534192
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 942
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4538288
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 910
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4542384
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 878
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4546480
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 846
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4550576
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 814
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4554672
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 782
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4558768
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 750
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4562864
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 718
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4566960
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 686
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4571056
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 654
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4575152
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 622
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4579248
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 590
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4583344
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 558
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4587440
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 526
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4591536
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 494
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4595632
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 462
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4599728
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 430
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4603824
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 398
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4607920
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 366
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4612016
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 334
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4616112
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 302
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4620208
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 270
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4624304
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 238
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4628400
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 206
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4632496
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 174
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4636592
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 142
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4640688
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 110
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4644784
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 78
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4648880
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 46
1 0 0

__exception__

 stacktrace: 
2+0xf054 @ 0x40f054
2+0x1fa2 @ 0x401fa2

exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d
exception.symbol: 2+0xefff
exception.address: 0x40efff
exception.module: 2.exe
exception.exception_code: 0xc0000005
exception.offset: 61439
registers.esp: 1636976
registers.edi: 4652976
registers.eax: 4465840
registers.ebp: 1636980
registers.edx: 91
registers.ebx: 0
registers.esi: 31719496
registers.ecx: 14
1 0 0

__exception__

 stacktrace: 
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72481838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72481737
mscorlib+0x2d3711 @ 0x71713711
mscorlib+0x308f2d @ 0x71748f2d
mscorlib+0x3133fd @ 0x717533fd
mscorlib+0x9873b1 @ 0x71dc73b1
mscorlib+0x97b352 @ 0x71dbb352
DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72402a8e
DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x724fcd14
0x1e2a062
2+0x2403 @ 0x402403

exception.instruction_r: 8b 01 8b 40 38 ff 50 14 8b 15 3c 21 4b 03 8b c8
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x49002a6
registers.esp: 1635236
registers.edi: 38494912
registers.eax: 0
registers.ebp: 1635272
registers.edx: 38488360
registers.ebx: 38488360
registers.esi: 13
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
0x63e0306
0x63e00be
0x55d9615
0x55d91ee
0x490f4e3
0x490ef6d
0x490eed0
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72481838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72481737
mscorlib+0x2d3711 @ 0x71713711
mscorlib+0x308f2d @ 0x71748f2d
0x49003cb
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72481838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72481737
mscorlib+0x2d3711 @ 0x71713711
mscorlib+0x308f2d @ 0x71748f2d
mscorlib+0x3133fd @ 0x717533fd
mscorlib+0x9873b1 @ 0x71dc73b1
mscorlib+0x97b352 @ 0x71dbb352
DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72402a8e
DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x724fcd14
0x1e2a062
2+0x2403 @ 0x402403

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x63e0430
registers.esp: 1633116
registers.edi: 1633168
registers.eax: 0
registers.ebp: 1633180
registers.edx: 2918472
registers.ebx: 1634804
registers.esi: 40199600
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
0x63e4b6e
0x63e4a27
0x63e4925
0x63e2ad6
0x63e0a9d
0x63e0967
0x55d96dd
0x55d91ee
0x490f4e3
0x490ef6d
0x490eed0
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72481838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72481737
mscorlib+0x2d3711 @ 0x71713711
mscorlib+0x308f2d @ 0x71748f2d
0x49003cb
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72481838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72481737
mscorlib+0x2d3711 @ 0x71713711
mscorlib+0x308f2d @ 0x71748f2d
mscorlib+0x3133fd @ 0x717533fd
mscorlib+0x9873b1 @ 0x71dc73b1
mscorlib+0x97b352 @ 0x71dbb352
DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72402a8e
DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x724fcd14
0x1e2a062
2+0x2403 @ 0x402403

exception.instruction_r: 39 09 ff 15 b8 2c 98 04 89 85 44 ff ff ff 8b 85
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x63e5546
registers.esp: 1631612
registers.edi: 1631852
registers.eax: 0
registers.ebp: 1631864
registers.edx: 77081672
registers.ebx: 1634804
registers.esi: 40728144
registers.ecx: 0
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d62000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f40000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01fd0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01c90000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ca0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72401000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72402000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 1966080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x022d0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02470000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01e22000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ca1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ca2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01e2a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01e2c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ca3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f8c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ca4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01fab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01fa7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04900000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01fa5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f8d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f8e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04901000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0490d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f96000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f9a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f97000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0490e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f8a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0490f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x055d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x055d1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x055d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x055d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x055d8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f9b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f9c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff48000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff30000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff48000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f9d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f98000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0606f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\lockfile
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Windows\Temp\2.exe
file C:\Windows\Temp\1.exe
file C:\Users\test22\AppData\Local\Temp\787871\Trade.pif
Time & API Arguments Status Return Repeated

NtCreateFile

 create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\test22\AppData\Roaming\Microsoft
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
3221225525 0

NtCreateFile

 create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
3221225525 0

NtCreateFile

 create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
3221225525 0

NtCreateFile

 create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
3221225525 0
cmdline "C:\Windows\System32\cmd.exe" /c move Glucose Glucose.bat & Glucose.bat
file C:\Windows\Temp\1.exe
file C:\Windows\Temp\2.exe
file C:\Users\test22\AppData\Local\Temp\787871\Trade.pif
file C:\Users\test22\AppData\Local\Temp\787871\Trade.pif
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: cmd
parameters: /c move Glucose Glucose.bat & Glucose.bat
filepath: cmd
1 1 0
section {u'size_of_data': u'0x0000e200', u'virtual_address': u'0x0005d000', u'entropy': 6.802287495720708, u'name': u'.rsrc', u'virtual_size': u'0x0000e034'} entropy 6.80228749572 description A section with a high entropy has been found
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
url http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url http://purl.org/rss/1.0/
url http://www.passport.com
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Hijack network configuration rule Hijack_Network
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Install itself for autorun at Windows startup rule Persistence
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Communications over P2P network rule Network_P2P_Win
Time & API Arguments Status Return Repeated

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000002
key_handle: 0x000003e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
1 0 0

RegOpenKeyExW

 regkey_r: AddressBook
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExW

 regkey_r: Connection Manager
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
1 0 0

RegOpenKeyExW

 regkey_r: DirectDrawEx
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
1 0 0

RegOpenKeyExW

 regkey_r: EditPlus
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
1 0 0

RegOpenKeyExW

 regkey_r: ENTERPRISE
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE
1 0 0

RegOpenKeyExW

 regkey_r: Fontcore
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
1 0 0

RegOpenKeyExW

 regkey_r: Google Chrome
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExW

 regkey_r: Haansoft HWord 80 Korean
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
1 0 0

RegOpenKeyExW

 regkey_r: IE40
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40
1 0 0

RegOpenKeyExW

 regkey_r: IE4Data
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
1 0 0

RegOpenKeyExW

 regkey_r: IE5BAKEX
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
1 0 0

RegOpenKeyExW

 regkey_r: IEData
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData
1 0 0

RegOpenKeyExW

 regkey_r: MobileOptionPack
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
1 0 0

RegOpenKeyExW

 regkey_r: SchedulingAgent
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
1 0 0

RegOpenKeyExW

 regkey_r: WIC
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC
1 0 0

RegOpenKeyExW

 regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
1 0 0

RegOpenKeyExW

 regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980}
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
1 0 0

RegOpenKeyExW

 regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
1 0 0

RegOpenKeyExW

 regkey_r: {90120000-0015-0412-0000-0000000FF1CE}
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90120000-0016-0412-0000-0000000FF1CE}
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90120000-0018-0412-0000-0000000FF1CE}
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90120000-0019-0412-0000-0000000FF1CE}
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90120000-001A-0412-0000-0000000FF1CE}
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90120000-001B-0412-0000-0000000FF1CE}
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90120000-001F-0409-0000-0000000FF1CE}
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90120000-001F-0412-0000-0000000FF1CE}
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90120000-0028-0412-0000-0000000FF1CE}
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90120000-002C-0412-0000-0000000FF1CE}
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90120000-0030-0000-0000-0000000FF1CE}
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90120000-0044-0412-0000-0000000FF1CE}
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90120000-006E-0409-0000-0000000FF1CE}
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90120000-006E-0412-0000-0000000FF1CE}
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90120000-00A1-0412-0000-0000000FF1CE}
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90120000-00BA-0409-0000-0000000FF1CE}
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90120000-0114-0412-0000-0000000FF1CE}
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4}
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}
1 0 0

RegOpenKeyExW

 regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40}
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}
1 0 0

RegOpenKeyExW

 regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d}
base_handle: 0x000003e4
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}
1 0 0
cmdline tasklist
cmdline cmd /c move Glucose Glucose.bat & Glucose.bat
cmdline "C:\Windows\System32\cmd.exe" /c move Glucose Glucose.bat & Glucose.bat
wmi SELECT * FROM Win32_Processor
host 107.189.171.131
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
wmi SELECT * FROM Win32_VideoController
wmi SELECT * FROM AntivirusProduct
wmi SELECT * FROM Win32_OperatingSystem
wmi SELECT * FROM Win32_Process Where SessionId='1'
wmi SELECT * FROM Win32_Process
wmi SELECT * FROM AntiSpyWareProduct
wmi SELECT * FROM FirewallProduct
wmi SELECT * FROM Win32_DiskDrive
wmi SELECT * FROM Win32_Processor
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Time & API Arguments Status Return Repeated

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Access MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Excel MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office PowerPoint MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Publisher MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Outlook MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Word MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office IME (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office InfoPath MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OneNote MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Groove MUI (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 ActiveX
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 NPAPI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName
1 0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob
Process injection Process 3012 resumed a thread in remote process 2432
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000088
suspend_count: 0
process_identifier: 2432
1 0 0
Bkav W32.AIDetectMalware
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
Skyhigh BehavesLike.Win32.Generic.tc
ALYac Dump:Generic.Dacic.6D6C5790.A.AAF4F7E2
Cylance Unsafe
VIPRE Dump:Generic.Dacic.6D6C5790.A.AAF4F7E2
BitDefender Dump:Generic.Dacic.6D6C5790.A.AAF4F7E2
Cybereason malicious.547478
Arcabit Dump:Generic.Dacic.6D6C5790.A.AAF4F7E2
ESET-NOD32 a variant of MSIL/Spy.Agent.CVT
APEX Malicious
Avast Win32:Malware-gen
ClamAV Win.Packed.Redline-10009299-0
Kaspersky UDS:Trojan-Spy.Win32.Stealer.gen
MicroWorld-eScan Dump:Generic.Dacic.6D6C5790.A.AAF4F7E2
Emsisoft Dump:Generic.Dacic.6D6C5790.A.AAF4F7E2 (B)
FireEye Generic.mg.84696a854747864c
Sophos Generic ML PUA (PUA)
SentinelOne Static AI - Suspicious SFX
Google Detected
MAX malware (ai score=80)
Antiy-AVL Trojan/Win32.AdLoad.bh
Kingsoft malware.kb.a.967
Gridinsoft Trojan.Win32.RedLine.mz!n
Microsoft Trojan:Win32/Wacatac.B!ml
ZoneAlarm UDS:Trojan-Spy.Win32.Stealer.gen
GData Dump:Generic.Dacic.6D6C5790.A.AAF4F7E2
Varist W32/S-8ed38c1a!Eldorado
DeepInstinct MALICIOUS
Malwarebytes Trojan.MalPack.MSIL
Ikarus Trojan.MSIL.Crypt
MaxSecure Trojan.Malware.121218.susgen
AVG Win32:Malware-gen
CrowdStrike win/malicious_confidence_60% (D)