SmartHawk

18.8

0-day

63 个模型检测该样本为恶意！

重新分析

下载样本

26b5032843219e59fe63b3723267765071a1a4e44e38124543748238a9212bfc

04cf3363afd99a805f7d4be02df9f87c.exe

分析耗时

129s

最近分析

文件大小

196.0KB

静态报毒动态报毒 100% A + TROJ AI SCORE=80 AIDETECTVM ANDROM BSCOPE CLASSIC CONFIDENCE CRIPACK DBSLF DOWNLOADER17 DXVF EGKU ELDORADO ERALRF FJZN GA270109 GEN7 GENCIRC GENETIC HIGH CONFIDENCE IHAF KCLOUD KRYPTIK LYKHMUK8FQO MALICIOUS PE MALWARE2 MASY MQ0@ASDS09RH P@6LEVBU PARIHAM SCORE SHIFU STATIC AI TESCRYPT TESLACRYPT TINBA UNSAFE UVPM XPACK ZBOT ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Trojan-FJZN!04CF3363AFD9	20201211	6.0.6.653
Alibaba	Backdoor:Win32/Pariham.f4d78479	20190527	0.3.0.5
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0
Baidu	Win32.Trojan.Kryptik.auh	20190318	1.0.0.2
Avast	Win32:Shifu-D [Trj]	20201210	21.1.5827.0
Tencent	Malware.Win32.Gencirc.10b0905d	20201211	1.0.0.1
Kingsoft	Win32.Hack.Androm.ih.(kcloud)	20201211	2017.9.26.565

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619159077.200124 GetComputerNameA	computer_name: OSKAR-PC	success	1	0

Command line console output was observed (9 个事件)

Time & API	Arguments	Status	Return
1619159078.246876 WriteConsoleW	buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp> console_handle: 0x00000007	success	1
1619159078.292876 WriteConsoleW	buffer: echo console_handle: 0x00000007	success	1
1619159078.308876 WriteConsoleW	buffer: xirjwwserukec console_handle: 0x00000007	success	1
1619159078.355876 WriteConsoleW	buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04cf3363afd99a805f7d4be02df9f87c.exe" console_handle: 0x00000007	success	1
1619159078.714876 WriteConsoleW	buffer: 另一个程序正在使用此文件，进程无法访问。 console_handle: 0x0000000b	success	1
1619159078.886876 WriteConsoleW	buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp> console_handle: 0x00000007	success	1
1619159078.933876 WriteConsoleW	buffer: del console_handle: 0x00000007	success	1
1619159078.933876 WriteConsoleW	buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\erq318B.tmp.bat" console_handle: 0x00000007	success	1
1619159079.089876 WriteConsoleW	buffer: 找不到批处理文件。 console_handle: 0x0000000b	success	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallDate

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619159073.059124 GlobalMemoryStatusEx		success	1	0

One or more processes crashed (50 out of 101 个事件)

Time & API	Arguments	Status
1619159058.465249 __exception__	stacktrace: WNetGetLastErrorA+0x10d WNetGetNetworkInformationA-0x2e9 mpr+0xa803 @ 0x7554a803 WNetGetUserA+0x37 WNetGetDirectoryTypeA-0x48 mpr+0xb3f6 @ 0x7554b3f6 04cf3363afd99a805f7d4be02df9f87c+0x2aedc @ 0x42aedc 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1637560 registers.edi: 97 registers.eax: 0 registers.ebp: 1637580 registers.edx: 1637620 registers.ebx: 1968468876 registers.esi: 1637620 registers.ecx: 4294967295 exception.instruction_r: f2 ae f7 d1 81 f9 ff ff 00 00 76 05 b9 ff ff 00 exception.symbol: RtlInitAnsiString+0x1b RtlInitUnicodeString-0x1d ntdll+0x2e1eb exception.instruction: scasb al, byte ptr es:[edi] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 188907 exception.address: 0x77d5e1eb	success
1619159058.481249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.481249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.481249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.481249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.481249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.481249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.481249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.497249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.497249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.497249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.497249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.497249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.497249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.497249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.497249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.497249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.497249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.497249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.497249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.512249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.512249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.512249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.512249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.512249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.512249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.512249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.512249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.512249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.512249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.512249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.512249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.512249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.512249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.528249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.528249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.528249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.528249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.528249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.528249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.528249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.528249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.528249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.528249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.528249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.528249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.528249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.528249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.528249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success
1619159058.528249 __exception__	stacktrace: NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe NotifyServiceStatusChangeA+0x133 ConvertSidToStringSidW-0x6b1 sechost+0xa250 @ 0x7757a250 QueryServiceObjectSecurity+0x31 SetServiceObjectSecurity-0x5c sechost+0x5125 @ 0x77575125 04cf3363afd99a805f7d4be02df9f87c+0x2b22d @ 0x42b22d 04cf3363afd99a805f7d4be02df9f87c+0x2aaa9 @ 0x42aaa9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1636632 registers.edi: 2002196262 registers.eax: 3644 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 1637772 registers.esi: 1 registers.ecx: 3644 exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2 exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98 exception.module: RPCRT4.dll exception.exception_code: 0xc0000005 exception.offset: 99282 exception.address: 0x75c883d2	success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 3676 个事件)

Time & API	Arguments	Status
1619159058.606249 NtAllocateVirtualMemory	process_identifier: 2340 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004a0000	success
1619159058.606249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 417792 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success
1619159076.059249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0054c000	success
1619159076.059249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0054c000	success
1619159076.059249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0054c000	success
1619159076.059249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0054c000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0054c000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success
1619159076.075249 NtProtectVirtualMemory	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0058e000	success

A process attempted to delay the analysis task. (2 个事件)

description	svchost.exe tried to sleep 149 seconds, actually delayed analysis time by 149 seconds
description	inject-x86.exe tried to sleep 154 seconds, actually delayed analysis time by 154 seconds

Creates executable files on the filesystem (2 个事件)

file	C:\ProgramData\b7acc7b2.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\erq318B.tmp.bat

Drops a binary and executes it (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\erq318B.tmp.bat

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619159077.247249 ShellExecuteExW	parameters: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04cf3363afd99a805f7d4be02df9f87c.exe" filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\erq318B.tmp.bat filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\erq318B.tmp.bat show_type: 0	success	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (7 个事件)

Time & API	Arguments	Status	Return
1619159058.903249 Process32NextW	process_name: ﱄǼￄǼọ矚ꀀ绽ﱄǼ褺甫 snapshot_handle: 0x00000054 process_identifier: 260	failed	0
1619159077.559124 Process32NextW	process_name: snapshot_handle: 0x00000420 process_identifier: 1965849681	failed	0
1619159092.856124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 1965803803	failed	0
1619159123.512124 Process32NextW	process_name: GoogleCrashHandler.exe snapshot_handle: 0x00000450 process_identifier: 3428	success	1
1619159123.512124 Process32NextW	process_name: GoogleCrashHandler64.exe snapshot_handle: 0x00000450 process_identifier: 3436	success	1
1619159124.028124 Process32NextW	process_name: sppsvc.exe snapshot_handle: 0x00000450 process_identifier: 3444	success	1
1619159148.403124 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000390 process_identifier: 3924	success	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619159078.934124 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.935194752611921

section

{'size_of_data': '0x0002b000', 'virtual_address': '0x00001000', 'entropy': 7.935194752611921, 'name': '.text', 'virtual_size': '0x0002a730'}

description

A section with a high entropy has been found

entropy

0.8958333333333334

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 147 个事件)

Time & API	Arguments	Status
1619159058.903249 Process32NextW	process_name: ﱄǼￄǼọ矚ꀀ绽ﱄǼ褺甫 snapshot_handle: 0x00000054 process_identifier: 260	failed
1619159058.934249 Process32NextW	process_name: ﱄǼￄǼọ矚ꀀ绽ﱄǼ褺甫 snapshot_handle: 0x00000054 process_identifier: 260	failed
1619159070.747249 Process32NextW	process_name: ﱄǼￄǼọ矚ꀀ绽ﱄǼ褺甫 snapshot_handle: 0x00000054 process_identifier: 260	failed
1619159081.559124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159082.090124 Process32NextW	process_name: snapshot_handle: 0x00000444 process_identifier: 0	failed
1619159082.684124 Process32NextW	process_name: snapshot_handle: 0x00000444 process_identifier: 0	failed
1619159083.200124 Process32NextW	process_name: snapshot_handle: 0x00000444 process_identifier: 0	failed
1619159083.700124 Process32NextW	process_name: snapshot_handle: 0x00000444 process_identifier: 0	failed
1619159084.215124 Process32NextW	process_name: snapshot_handle: 0x00000444 process_identifier: 0	failed
1619159084.731124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159085.231124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159085.825124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159086.356124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159086.872124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159087.450124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159087.997124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159088.512124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159089.043124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159089.559124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159090.075124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159090.684124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159091.215124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159091.747124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159092.278124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159093.653124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159094.184124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159094.715124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159095.247124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159095.762124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159096.293124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159096.809124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159097.325124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159097.840124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159098.356124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159098.887124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159099.418124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159099.918124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159100.434124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159100.950124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159101.481124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159101.997124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159102.497124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159103.028124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159103.528124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159104.043124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159104.543124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159105.059124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159105.575124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159106.122124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619159106.622124 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed

Created a process named as a common system process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619159071.778249 CreateProcessInternalW	thread_identifier: 2852 thread_handle: 0x00000120 process_identifier: 2996 current_directory: filepath: C:\Windows\System32\svchost.exe track: 1 command_line: C:\ProgramData\b7acc7b2.exe filepath_r: C:\Windows\system32\svchost.exe stack_pivoted: 0 creation_flags: 12 (CREATE_SUSPENDED\|DETACHED_PROCESS) process_handle: 0x00000124 inherit_handles: 0	success	1	0

Terminates another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619159070.637249 NtTerminateProcess	status_code: 0x00000000 process_identifier: 2132 process_handle: 0x00000054	failed	0	0
1619159070.637249 NtTerminateProcess	status_code: 0x00000000 process_identifier: 2132 process_handle: 0x00000054	success	0	0

Uses Windows utilities for basic Windows functionality (1 个事件)

cmdline

C:\Users\Administrator.Oskar-PC\AppData\Local\erq318B.tmp.bat "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04cf3363afd99a805f7d4be02df9f87c.exe"

One or more of the buffers contains an embedded PE file (1 个事件)

buffer

Buffer with sha1: c85e4283a3134ebbfba4887f1439ce86607906af

Installs itself for autorun at Windows startup (1 个事件)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\IntelPowerAgent5

reg_value

rundll32.exe shell32.dll, ShellExec_RunDLL C:\PROGRA~3\b7acc7b2.exe

Detects Avast Antivirus through the presence of a library (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619159058.887249 LdrGetDllHandle	module_name: snxhk.dll stack_pivoted: 0 module_address: 0x00000000	failed	3221225781	0
1619159058.887249 LdrGetDllHandle	module_name: snxhk.dll stack_pivoted: 0 module_address: 0x00000000	failed	3221225781	0

Attempts to access Bitcoin/ALTCoin wallets (2 个事件)

file	C:\Users\Administrator.Oskar-PClitecoin\wallet.dat
file	C:\Users\Administrator.Oskar-PCbitcoin\wallet.dat

Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619159070.840249 RegSetValueExA	key_handle: 0x00000120 value: AP32YÌÔQÏ´M8Z8f qÿ¸Â@Âæºø´ Í!¸ëL This pr9ogamcn}?tbe¿=u~aiDOSømode. % $0CËÉêG¨`ÐøÃuâRÄ@Âñ¦S áÈ©5+øÆ>!ÁRichDDjÃPELp 8AÿUÇà!e èJáôCM8Dß)6tIáJj0N@+8ÑFz<$, \|7dð@D£pVÄpn.tex8ìÆ£Î È0 $`c° 1AàWÌ(ø.rdat $LF$åH](£@).'2Ö&PQDB4ñ À eloc"gJv(ûB\|ÿ°¹ÁVpx@Òuù+Æ÷ØÀÁ è²Y"0jh i)üÎgì£v¸hôpdI1DÌH¶°ÿäa6ÌUùÉ$ýVXWC12½0÷3ÿ ÀthüþßÌPWhàyXhVëÃèÂc:LuE&ÔªÈÁV3ö9=àtP¸ÿ 0èó+Fåµ98Àéè«·q÷¿ôo¤S^© Nä¦BÆ/}w"jqzÐy ~ê%GIHtvßH4Ì¶VDÒD©@W®øúàT< òInÄUDë ÃôIS >ð}ô;ü9Â-2;÷º,"òD±hy¼¨äuÏ¸ìg¬6-dVØaè]µy@~ü¤!púE;Ç"_MüQ PèÆÿø4rü+Ð¦ÅõèN^@!$¿·JD2 P¾ðH,8 Wjè{B½QÏÓµ èpjX^Ã Äw # VjpºMHûO§ßÊúzøÃEüGjÒ8A²fBº"àeÕkW)vlH)ÎÇ+Áÿ QÐLt8jÑÂàºDDy@dFVTPÏ¬AA«G@u{ôo5yrFï«¿ÓÓåÕG&÷ÙEô¥äÓ_^[ÉÂÂHñë!D¼=¬tñ ¿ud)Ý¶DHoµÔý¸àuÆ^]ÂVK¨Z6HF¨ÈVBMDjÌÁ¿p· (ºHRùÜ"Ä5Ü'ÔÖÖCXâÌ¦ÁÓM(Â¥Ö¡³ÔqØÛ.¿j\|ÞO-tÔyº°xS^ÉN8ã6Á¥' º@z"òøìÄ¯ÀatlýX ðºÌEÆ¶ÔS·h¦ªI 3=BãûÑÀ9 º´E 3![¬S¨ÚGðMÉÉ×AJÜ¾#E@OçøÃº2\|ss<¶DeüÿÇºú$PÎ"°åY3Ò÷ñ9øRSWDå0Ä98øèþ/ºÌ'zLPÛ @É+ Ât¾D¿oÖ.¬×,\| öëRþ2À¹©ó ªèx.ÕÊ¤ !AÃ÷Ø÷úuÀQ#Æ0ïuRìéuVÙe¯)ð#Át]&ÞLÉdßª¹T¸°£<¾Pø¯ÊrG5b38)¾ä9t ¡èé+ÈYª}àÇØ(-$8¿áhB_Agðö¾YT ³DÈQÈÛ¬¨6gñ&î$MàDØ/ÖÅP½hÎÊjx1ëèçwÀ¾x¥xFñrV¾ØpßWETÌ`á$2\,Vf6(ôPÇ®«ñ4:«:c¤"Ü¤L$@£ @uö,t·LuN2F+¡À 'w#@¾'7r3ÛÉ&@èÝ¼"Iüµ£yÄ±t#½Ä!r&E´¸^2ð~=Ò¸sSÍ¼Ë0ÜGVS[hYL¿ü;ÃuèSè8·çRÛ+ÜêSi £è=DôeSð]ç#ø2è!9]öâBÃ ©èih"ÿT"ëëÑe@Âm®¸oU%éeòLcX4è\|TºØuÚôz$àQÊqÀADÛÎQRP3ÀÂÞFÉju°eMôØ$]JG'$?ËøÂX¡¦èì @ëjîõ<}dô¢iæBm6:&N0B¼%ÜòDòJJ´9-4:è0ÿ-ÐU¸QÒâa#+Óc°¾ôRÙc-ó`ÜDçó:¤þôDi+j0ß»¹òÀ/ºD¦ðQhì¥`aõX!²u<H©¥6º($e1ìQøñ¨s×Ñh8o TèkKG1DeÈÈ ~g\øó5üí7ôÖó% S^»"Ö{±kAj(ää%º¬H×òEJí =>ÂîtôQÜf¾3·À1Íä®ÐMãã2àBá,/ÜÎi",¿¢@uÃXLÒélÄR£©$xZb¸+ùÒ(ÚýYôÂf(ÎjEÐ0´QÊVÜIè{(Ç¾¸`%Y³KÔ4ö^8ÔC!üÉæVNWãÇYB?úq1º<º°½ñJ<5B $Ð¹NÅÚó<0q3ö^S<{øÁÔ¢ÁKiúÈeþ ¸»h (Òaó$ \|¾,K#ý Âæ{CX¸XÁ,ðñCìX ø2¨ù¿Wª]äÐ ¸rä½Þ=À1»tJpÖèBAë(.¸ÇâjH½$×Bç¸ÂÉæL ü"~ ð;PV´v²:Ë%óº@\ì5Ìß¹ìfW'¥Ø:!Þô t¸`oâèêù2±^ôafn.HjH[Ë¾NqOVàèyEð¢q!@ø}äsxé{ð])lòîXP]øè¸l¾´Ò{#Ïïe[ÔXDt¿¸âeüJóÅÜWño«¢×ð2¯¶}ÆH`+EÖ0ú8ÚX9¬vMô<~¸CD @`;&rí}ë`7Ràünm]c¶hL$ºÀhÌ¼.üj@h k4³<¶Ä¢@jY¿ÐLÄfÑ§` ÿEü¸{«\fÀjZÊ¿SØ"s¦u!£dA;à8`é®fCÈ7èÜCð Çéy¤©²£ªCîÇ ÊM)`MÂ?èßJÀùü¶e¬#è=RÏ'ó¡>Mð! U&4Àë{H¥?ÉéuàO9Î=Ë¦ë: ¶aprÐvxxà\|)ãwO!uGîÀirödwu Ét(;%s [ 7uÂnï÷©¾Ï^{»Þú§Q}0,u ¸èo"ÉðYCÙFqÁ4é6Qp9 éµ¾r/"z& írrÚNBi¼µ8WDx¡(S6WUû9?<!%}üjO÷Te]1'ÉY`ü] ¾ø/~Ç¥f'ibúÓçøó¤ÒPØä¼Jè«ªtC?eÈüÎwº$ôìZ%aWÌ9ÙY0TðèæPï¶m( k)4ðiQy9÷1·jzô ÊècðRñ^W zÃÇ5Ji%8i´ìPå mÚmØd\|CtuUøçjguYZhÏãfÞ#ê¬ÿX0W3Ûh¨@Õ¬íÔè³3óS©]Ônd&ÊDr$Ö,«Æ¡õö¬oEpá"¡.ô¾2~+ní³üpOà;ûtºýðBè ë'S"w¤9'HµÐ ¶+\÷1&ÜkàmØäìðzOPzö®£"Ðý¡+Ø1 Dû¨dfì)ä dè1@3¤ØÄ àÔá`uÙMI4Bj]ÉÃx&k.zSr øâÚË÷Z O OÒ!m®õh³ÜNj,&@/æFdCÉÆDAf³ÎQÊÐIµl²"4GÈÍ @öSIWØ Ü9 üt @èP=ðµ};Fµ¬P8ÀC¥%Äýç¥d®lô+:@"óüVÎâs¤3öÒOtÄMéâÐ1C68P>ææ"ÈEÄÞã D²Ä%;ÆÝ"è Âé½ìû 7È+øA¨1ö(ðü Âèú+ÐÙ.iÆ àìûó°&S<Iá3EPNV5% úI¼Ö5èúÏü20Vd±¥ }Æº¼¨¿xî>X0»Ù÷Ië`dâôóp'Ó¥lµ Oq ¬@¬NµT²".ü¢ÅCï°ËPÄL¤EÿU5IøÂ/D]Qv¢¹" ;<§ $!ÍU*=~óí QqX»ÜPèUSoòSI)W< CPÀ>ðB;bÎÓ¸¤¦Ñ!7DP0Ð/"¬x26Z Ð[6äõ6óÙü'túxèGúÈ²ñ£èWV c"E%ì3TLèlC!D ¯{Ý+ Db8D>çÏQòå0hÀWÊdñè?$a°¼¥,Üú+ïÐSYðì5 \|Yc«è·üÑ"ùUÈÏhf#Éêt¶Vû{Rø{¤/¢x94taâ®Ä ¨rk&0#ºÔxëBºÐxDæá ëÉ¢-¡A3ì}ÅÇÍÜý#º°ueð9¡)ãÿó°9=( sòñ¨Í"+9§ðLÏü¨·Ð¬6DôÄpÊ.Äìå7b«ôÉ.=»dô²PtY×3b,îÂãÇ-åSU»,V´)J%¢2 oÌ;¾ QèÍ¶åH® regkey_r: 276f30da reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\276f30da	success	0	0

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\erq318B.tmp.bat

Disables proxy possibly for traffic interception (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619159076.184124 RegSetValueExA	key_handle: 0x00000388 value: 0 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	success	0	0

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (20 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2996 created a remote thread in non-child process 2340
Process injection	Process 2996 created a remote thread in non-child process 1324
Process injection	Process 2996 created a remote thread in non-child process 200
Process injection	Process 2996 created a remote thread in non-child process 368
Process injection	Process 2996 created a remote thread in non-child process 3228
Process injection	Process 2996 created a remote thread in non-child process 3664
Process injection	Process 2996 created a remote thread in non-child process 3788
Process injection	Process 2996 created a remote thread in non-child process 3924
1619159075.981124 CreateRemoteThread	thread_identifier: 0 process_identifier: 2340 function_address: 0x02cd114d flags: 0 process_handle: 0x00000348 parameter: 0x00000000 stack_size: 0	success	860	0
1619159077.622124 CreateRemoteThread	thread_identifier: 0 process_identifier: 1324 function_address: 0x0012114d flags: 0 process_handle: 0x00000448 parameter: 0x00000000 stack_size: 0	success	1116	0
1619159078.340124 CreateRemoteThread	thread_identifier: 0 process_identifier: 200 function_address: 0x0032114d flags: 0 process_handle: 0x00000450 parameter: 0x00000000 stack_size: 0	success	1308	0
1619159080.497124 CreateRemoteThread	thread_identifier: 0 process_identifier: 368 function_address: 0x0032114d flags: 0 process_handle: 0x0000053c parameter: 0x00000000 stack_size: 0	success	1348	0
1619159119.903124 CreateRemoteThread	thread_identifier: 0 process_identifier: 3228 function_address: 0x0032114d flags: 0 process_handle: 0x00000534 parameter: 0x00000000 stack_size: 0	success	1340	0
1619159139.122124 CreateRemoteThread	thread_identifier: 0 process_identifier: 3664 function_address: 0x003c114d flags: 0 process_handle: 0x000003dc parameter: 0x00000000 stack_size: 0	success	1360	0
1619159143.528124 CreateRemoteThread	thread_identifier: 0 process_identifier: 3788 function_address: 0x0032114d flags: 0 process_handle: 0x00000550 parameter: 0x00000000 stack_size: 0	failed	0	0
1619159143.778124 CreateRemoteThread	thread_identifier: 0 process_identifier: 3788 function_address: 0x0039114d flags: 0 process_handle: 0x00000554 parameter: 0x00000000 stack_size: 0	failed	0	0
1619159144.043124 CreateRemoteThread	thread_identifier: 0 process_identifier: 3788 function_address: 0x009d114d flags: 0 process_handle: 0x00000550 parameter: 0x00000000 stack_size: 0	failed	0	0
1619159144.293124 CreateRemoteThread	thread_identifier: 0 process_identifier: 3788 function_address: 0x00a1114d flags: 0 process_handle: 0x00000554 parameter: 0x00000000 stack_size: 0	failed	0	0
1619159144.637124 CreateRemoteThread	thread_identifier: 0 process_identifier: 3788 function_address: 0x00a5114d flags: 0 process_handle: 0x00000550 parameter: 0x00000000 stack_size: 0	failed	0	0
1619159148.715124 CreateRemoteThread	thread_identifier: 0 process_identifier: 3924 function_address: 0x0032114d flags: 0 process_handle: 0x00000550 parameter: 0x00000000 stack_size: 0	success	1372	0

Manipulates memory of a non-child process indicative of process injection (26 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2996 manipulating memory of non-child process 2340
Process injection	Process 2996 manipulating memory of non-child process 1324
Process injection	Process 2996 manipulating memory of non-child process 200
Process injection	Process 2996 manipulating memory of non-child process 368
Process injection	Process 2996 manipulating memory of non-child process 3228
Process injection	Process 2996 manipulating memory of non-child process 3664
Process injection	Process 2996 manipulating memory of non-child process 3788
Process injection	Process 2996 manipulating memory of non-child process 0
Process injection	Process 2996 manipulating memory of non-child process 3924
1619159075.950124 NtMapViewOfSection	section_handle: 0x00000354 process_identifier: 2340 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000348 allocation_type: 0 () section_offset: 0 view_size: 200704 base_address: 0x02cd0000	success	0	0
1619159077.590124 NtMapViewOfSection	section_handle: 0x0000044c process_identifier: 1324 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000448 allocation_type: 0 () section_offset: 0 view_size: 200704 base_address: 0x00120000	success	0	0
1619159077.653124 NtMapViewOfSection	section_handle: 0x00000454 process_identifier: 200 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000450 allocation_type: 0 () section_offset: 0 view_size: 200704 base_address: 0x00320000	success	0	0
1619159079.543124 NtMapViewOfSection	section_handle: 0x00000540 process_identifier: 368 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x0000053c allocation_type: 0 () section_offset: 0 view_size: 200704 base_address: 0x00320000	success	0	0
1619159118.668124 NtMapViewOfSection	section_handle: 0x00000538 process_identifier: 3228 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000534 allocation_type: 0 () section_offset: 0 view_size: 200704 base_address: 0x00320000	success	0	0
1619159137.372124 NtMapViewOfSection	section_handle: 0x000003e8 process_identifier: 3664 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x000003dc allocation_type: 0 () section_offset: 0 view_size: 200704 base_address: 0x003c0000	success	0	0
1619159142.637124 NtMapViewOfSection	section_handle: 0x00000554 process_identifier: 3788 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000550 allocation_type: 0 () section_offset: 0 view_size: 200704 base_address: 0x00320000	success	0	0
1619159143.528124 NtUnmapViewOfSection	process_identifier: 0 region_size: 0 process_handle: 0x00000550 base_address: 0x00320000	failed	3221225480	0
1619159143.747124 NtMapViewOfSection	section_handle: 0x00000550 process_identifier: 3788 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000554 allocation_type: 0 () section_offset: 0 view_size: 200704 base_address: 0x00390000	success	0	0
1619159143.793124 NtUnmapViewOfSection	process_identifier: 0 region_size: 0 process_handle: 0x00000554 base_address: 0x00390000	failed	3221225480	0
1619159144.012124 NtMapViewOfSection	section_handle: 0x00000554 process_identifier: 3788 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000550 allocation_type: 0 () section_offset: 0 view_size: 200704 base_address: 0x009d0000	success	0	0
1619159144.059124 NtUnmapViewOfSection	process_identifier: 0 region_size: 0 process_handle: 0x00000550 base_address: 0x009d0000	failed	3221225480	0
1619159144.262124 NtMapViewOfSection	section_handle: 0x00000550 process_identifier: 3788 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000554 allocation_type: 0 () section_offset: 0 view_size: 200704 base_address: 0x00a10000	success	0	0
1619159144.309124 NtUnmapViewOfSection	process_identifier: 0 region_size: 0 process_handle: 0x00000554 base_address: 0x00a10000	failed	3221225480	0
1619159144.575124 NtMapViewOfSection	section_handle: 0x00000554 process_identifier: 3788 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000550 allocation_type: 0 () section_offset: 0 view_size: 200704 base_address: 0x00a50000	success	0	0
1619159144.668124 NtUnmapViewOfSection	process_identifier: 0 region_size: 0 process_handle: 0x00000550 base_address: 0x00a50000	failed	3221225480	0
1619159148.418124 NtMapViewOfSection	section_handle: 0x00000558 process_identifier: 3924 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000550 allocation_type: 0 () section_offset: 0 view_size: 200704 base_address: 0x00320000	success	0	0

Potential code injection by writing to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619159071.778249 WriteProcessMemory	process_identifier: 2996 buffer: ÿÿÿÿ process_handle: 0x00000124 base_address: 0x0009f8ac	success	1	0

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)

Time & API	Arguments	Status
1619159081.622124 RegSetValueExA	key_handle: 0x00000450 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1619159081.622124 RegSetValueExA	key_handle: 0x00000450 value: Pôlö8× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1619159081.622124 RegSetValueExA	key_handle: 0x00000450 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1619159081.622124 RegSetValueExW	key_handle: 0x00000450 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1619159081.637124 RegSetValueExA	key_handle: 0x00000444 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1619159081.637124 RegSetValueExA	key_handle: 0x00000444 value: Pôlö8× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1619159081.637124 RegSetValueExA	key_handle: 0x00000444 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1619159081.762124 RegSetValueExW	key_handle: 0x00000454 value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success

Network activity contains more than one unique useragent (2 个事件)

process	svchost.exe				useragent	Internal
process	svchost.exe				useragent	Mozilla/4.0 (compatible; MSIE 2.1; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2007-05-08 21:35:33

Imports

Library ADVAPI32.dll:

• 0x42c000 AccessCheck

• 0x42c004 RegSaveKeyA

• 0x42c008 LsaAddAccountRights

• 0x42c00c QueryServiceObjectSecurity

Library MPR.dll:

• 0x42c048 WNetGetUserA

Library USER32.dll:

• 0x42c050 SetClipboardData

• 0x42c054 GetKeyboardType

• 0x42c058 EnumChildWindows

• 0x42c05c DdeAbandonTransaction

• 0x42c060 SetMenu

• 0x42c064 ToAscii

• 0x42c068 SetForegroundWindow

Library pdh.dll:

• 0x42c20c PdhGetCounterInfoA

• 0x42c210 PdhAddCounterW

• 0x42c214 PdhOpenLogW

• 0x42c218 PdhGetDefaultPerfCounterW

• 0x42c21c PdhGetDefaultPerfCounterA

• 0x42c220 PdhComputeCounterStatistics

Library msvcrt.dll:

• 0x42c1cc _initterm

• 0x42c1d0 _controlfp

• 0x42c1d4 __set_app_type

• 0x42c1d8 __p__fmode

• 0x42c1dc __p__commode

• 0x42c1e0 _adjust_fdiv

• 0x42c1e4 __setusermatherr

• 0x42c1e8 _except_handler3

• 0x42c1ec __getmainargs

• 0x42c1f0 _c_exit

• 0x42c1f4 _exit

• 0x42c1f8 _acmdln

• 0x42c1fc exit

• 0x42c200 _cexit

• 0x42c204 _XcptFilter

Library WINMM.dll:

• 0x42c070 waveInGetDevCapsW

• 0x42c074 midiStreamPosition

• 0x42c078 mmioAdvance

• 0x42c07c joyReleaseCapture

• 0x42c080 midiStreamOut

• 0x42c084 waveInMessage

• 0x42c088 midiInOpen

• 0x42c08c mmioOpenW

• 0x42c090 mmioWrite

• 0x42c094 midiInUnprepareHeader

• 0x42c098 waveInClose

• 0x42c09c midiInAddBuffer

• 0x42c0a0 midiOutCachePatches

• 0x42c0a4 CloseDriver

• 0x42c0a8 joyGetDevCapsA

• 0x42c0ac midiOutSetVolume

• 0x42c0b0 mixerClose

• 0x42c0b4 midiOutGetErrorTextW

• 0x42c0b8 waveOutPrepareHeader

• 0x42c0bc midiStreamStop

• 0x42c0c0 mmioDescend

• 0x42c0c4 mciGetErrorStringA

• 0x42c0c8 midiInGetErrorTextA

• 0x42c0cc sndPlaySoundW

• 0x42c0d0 mmioAscend

• 0x42c0d4 waveOutGetNumDevs

• 0x42c0d8 midiInStart

• 0x42c0dc DefDriverProc

• 0x42c0e0 mmioStringToFOURCCA

• 0x42c0e4 mixerGetLineControlsW

• 0x42c0e8 mixerOpen

• 0x42c0ec waveInUnprepareHeader

• 0x42c0f0 timeKillEvent

• 0x42c0f4 waveInStop

• 0x42c0f8 mmioOpenA

• 0x42c0fc midiOutGetID

• 0x42c100 midiInPrepareHeader

• 0x42c104 mixerGetLineInfoA

• 0x42c108 waveOutBreakLoop

• 0x42c10c mixerGetLineControlsA

• 0x42c110 mixerGetControlDetailsW

• 0x42c114 midiOutGetErrorTextA

• 0x42c118 waveOutSetPlaybackRate

• 0x42c11c SendDriverMessage

• 0x42c120 mixerSetControlDetails

• 0x42c124 mmioSendMessage

• 0x42c128 mixerGetID

• 0x42c12c midiOutReset

• 0x42c130 midiInGetDevCapsW

• 0x42c134 mixerMessage

• 0x42c138 waveOutClose

• 0x42c13c mciGetErrorStringW

• 0x42c140 timeSetEvent

• 0x42c144 midiOutShortMsg

• 0x42c148 mmioCreateChunk

• 0x42c14c joyGetNumDevs

• 0x42c150 mmioFlush

• 0x42c154 mmioStringToFOURCCW

• 0x42c158 joySetCapture

• 0x42c15c waveInGetID

• 0x42c160 mixerGetControlDetailsA

• 0x42c164 mciSendCommandW

• 0x42c168 PlaySoundA

• 0x42c16c mciSendStringW

• 0x42c170 midiInGetNumDevs

• 0x42c174 mixerGetNumDevs

• 0x42c178 mmioGetInfo

• 0x42c17c waveOutGetID

• 0x42c180 mmioRead

• 0x42c184 GetDriverModuleHandle

• 0x42c188 midiOutLongMsg

• 0x42c18c joyGetPos

• 0x42c190 waveInGetDevCapsA

• 0x42c194 joySetThreshold

• 0x42c198 midiInMessage

• 0x42c19c OpenDriver

• 0x42c1a0 midiOutOpen

• 0x42c1a4 timeGetDevCaps

• 0x42c1a8 midiStreamRestart

• 0x42c1ac waveInOpen

• 0x42c1b0 midiInReset

• 0x42c1b4 timeGetTime

• 0x42c1b8 midiOutGetDevCapsA

• 0x42c1bc waveOutGetErrorTextW

• 0x42c1c0 midiOutCacheDrumPatches

• 0x42c1c4 mixerGetDevCapsA

Library KERNEL32.dll:

• 0x42c014 GetStartupInfoA

• 0x42c018 GetModuleHandleA

• 0x42c01c GetAtomNameA

• 0x42c020 GlobalHandle

• 0x42c024 GetWindowsDirectoryA

• 0x42c028 GlobalFindAtomA

• 0x42c02c DefineDosDeviceW

• 0x42c030 GetStringTypeExA

• 0x42c034 GetTempFileNameW

• 0x42c038 GetAtomNameW

• 0x42c03c ClearCommError

• 0x42c040 CreateEventA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
download.windowsupdate.com	A 106.7.64.1 A 222.216.123.6 CNAME k256.gslb.ksyuncdn.com A 124.229.60.6 A 116.11.67.6 CNAME 2-01-3cf7-0009.cdx.cedexis.net A 117.21.217.1 A 115.231.33.1 A 119.96.211.1 CNAME www.download.windowsupdate.com.download.ks-cdn.com A 124.229.53.1 CNAME wu-fg-shim.trafficmanager.net	222.216.123.6
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	A 172.217.24.14 CNAME clients.l.google.com	172.217.24.14
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
adtejoyo1377.tk
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.