12.6
0-day

c6e6f26516053badbfcd313f80de7b43ef234026fb8317e9855e6a55b80f835d

a6232e5060608d255adb79681bba40cc.exe

Analysis duration

124s

Latest analysis

File size

214.1KB
Static detection Dynamic detection 100% 5HQHJN1KTLU AGEN AI SCORE=84 AIDETECTVM ATTRIBUTE AZDE AZRE@4XKXXY CONFIDENCE CPBI CUWHEE ENCPK HIGH CONFIDENCE HIGHCONFIDENCE HUY1IZKBPRW IRCBOT KCLOUD KRYPTIK MALICIOUS PE MALWARE1 NY1@A0AM4BES R64076 RAZY SCORE STATIC AI TEPFER UNDEFINED UNSAFE YAKES ZBOT ZEUS ZEXAF
Eagle Eye engine
Not detected: no Eagle Eye engine detection result available yet
Static verdict
Antivirus engines
Engine Result Scan time Engine version
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:Downloader-TAL [Trj] 20201210 21.1.5827.0
Alibaba 20190527 0.3.0.5
Tencent 20201211 1.0.0.1
Kingsoft Win32.Troj.Yakes.cp.(kcloud) 20201211 2017.9.26.565
McAfee Agent-FCC!A6232E506060 20201211 6.0.6.653
Static indicators
Queries for the computer name (1 event)
Time & API Arguments Status Return Repeated
1619795580.855125
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Command line console output was observed (50 out of 1213 events)
Time & API Arguments Status Return Repeated
1619795595.792125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795595.808125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795595.823125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795595.823125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795595.839125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795595.839125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795595.855125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795595.855125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795595.870125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795595.870125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795595.870125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795595.870125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795595.886125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795595.886125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795595.886125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795595.886125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795595.902125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795595.902125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795595.917125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795595.917125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795595.933125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795595.933125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795595.948125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795595.948125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795595.948125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795595.948125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795595.995125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795595.995125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795596.011125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795596.011125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795596.042125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795596.042125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795596.058125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795596.058125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795596.073125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795596.073125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795596.073125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795596.073125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795596.089125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795596.089125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795596.105125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795596.105125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795596.120125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795596.120125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795596.136125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795596.136125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795596.152125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795596.152125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619795596.167125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
console_handle: 0x00000007
success 1 0
1619795596.167125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (2 events)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DigitalProductId
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallDate
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619795580.839125
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (12 events)
Time & API Arguments Status Return Repeated
1619795657.245125
__exception__
stacktrace:
NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad
NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe
RegSetValueA+0x37c GetServiceKeyNameA-0x9d7 advapi32+0x611bd @ 0x765a11bd
RegSetKeyValueA+0x250 RegLoadAppKeyW-0x13c advapi32+0x5fadb @ 0x7659fadb
GetProfileStringW+0x1072d EnumResourceNamesW-0x35488 kernel32+0x4dcd9 @ 0x7638dcd9
_install+0xa796 @ 0x25aff73
SHQueryInfoKeyW+0x23 SHEnumValueW-0x9 shlwapi+0xcaf4 @ 0x776bcaf4
CoInternetCreateZoneManager+0x1d27 IEDllLoader-0x4501 urlmon+0x10404 @ 0x77720404
CoInternetCreateZoneManager+0x1d8c IEDllLoader-0x449c urlmon+0x10469 @ 0x77720469
CoInternetCreateZoneManager+0x27b7 IEDllLoader-0x3a71 urlmon+0x10e94 @ 0x77720e94
CoInternetCreateZoneManager+0x2a90 IEDllLoader-0x3798 urlmon+0x1116d @ 0x7772116d
CoInternetCreateZoneManager+0x2131 IEDllLoader-0x40f7 urlmon+0x1080e @ 0x7772080e
CoInternetCreateZoneManager+0x22b0 IEDllLoader-0x3f78 urlmon+0x1098d @ 0x7772098d
DllGetClassObject+0x80b CoInternetGetSecurityUrlEx-0x7c4 urlmon+0xc689 @ 0x7771c689
CoInternetCreateSecurityManager+0x14 RevokeBindStatusCallback-0x36b urlmon+0x1f115 @ 0x7772f115
InternetQueryDataAvailable+0x1ac6 InternetOpenW-0x1874 wininet+0x27923 @ 0x76267923
InternetInitializeAutoProxyDll+0x30d2 InternetConnectW-0x1d3e wininet+0x22bee @ 0x76262bee
InternetInitializeAutoProxyDll+0x2372 InternetConnectW-0x2a9e wininet+0x21e8e @ 0x76261e8e
InternetInitializeAutoProxyDll+0x408 InternetConnectW-0x4a08 wininet+0x1ff24 @ 0x7625ff24
InternetQueryOptionW+0x11f0 HttpQueryInfoA-0x1277 wininet+0x190c7 @ 0x762590c7
InternetQueryOptionW+0x18aa HttpQueryInfoA-0xbbd wininet+0x19781 @ 0x76259781
DeleteUrlCacheEntry+0x96e SetUrlCacheEntryInfoA-0x65d wininet+0x46356 @ 0x76286356
InternetOpenUrlA+0x7e1 InternetCombineUrlW-0x16b3 wininet+0x438d2 @ 0x762838d2
HttpSendRequestA+0x36 InternetSetPerSiteCookieDecisionA-0x7cf wininet+0x9192e @ 0x762d192e
New_wininet_HttpSendRequestA@20+0x137 New_wininet_HttpSendRequestW@20-0x7f @ 0x74019303
_install+0x5220 @ 0x25aa9fd
_install+0x552e @ 0x25aad0b
baseConfigSource+0xbc8c _threadEntry-0x3444 @ 0x25a1944
baseConfigSource+0xcdf4 _threadEntry-0x22dc @ 0x25a2aac
_install+0x8939 @ 0x25ae116
_threadEntry+0xd9 _install-0x97c @ 0x25a4e61
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 40886396
registers.edi: 1985477926
registers.eax: 1467647848
registers.ebp: 40886436
registers.edx: 0
registers.ebx: 40887536
registers.esi: 1
registers.ecx: 1467647848
exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc
exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2
exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98
exception.module: RPCRT4.dll
exception.exception_code: 0xc0000005
exception.offset: 99282
exception.address: 0x75c883d2
success 0 0
1619795657.261125
__exception__
stacktrace:
NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad
NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe
RegSetValueA+0x4d4 GetServiceKeyNameA-0x87f advapi32+0x61315 @ 0x765a1315
GetProfileStringW+0xfdda EnumResourceNamesW-0x35ddb kernel32+0x4d386 @ 0x7638d386
_install+0xa493 @ 0x25afc70
SHEnumValueW+0x22 PathMakePrettyW-0x104 shlwapi+0xcb1f @ 0x776bcb1f
CoInternetCreateZoneManager+0x91b IEDllLoader-0x590d urlmon+0xeff8 @ 0x7771eff8
CoInternetCreateZoneManager+0x1fa8 IEDllLoader-0x4280 urlmon+0x10685 @ 0x77720685
CoInternetCreateZoneManager+0x2b69 IEDllLoader-0x36bf urlmon+0x11246 @ 0x77721246
CoInternetCreateZoneManager+0x2ad8 IEDllLoader-0x3750 urlmon+0x111b5 @ 0x777211b5
CoInternetCreateZoneManager+0x2131 IEDllLoader-0x40f7 urlmon+0x1080e @ 0x7772080e
CoInternetCreateZoneManager+0x22b0 IEDllLoader-0x3f78 urlmon+0x1098d @ 0x7772098d
DllGetClassObject+0x80b CoInternetGetSecurityUrlEx-0x7c4 urlmon+0xc689 @ 0x7771c689
CoInternetCreateSecurityManager+0x14 RevokeBindStatusCallback-0x36b urlmon+0x1f115 @ 0x7772f115
InternetQueryDataAvailable+0x1ac6 InternetOpenW-0x1874 wininet+0x27923 @ 0x76267923
InternetInitializeAutoProxyDll+0x30d2 InternetConnectW-0x1d3e wininet+0x22bee @ 0x76262bee
InternetInitializeAutoProxyDll+0x2372 InternetConnectW-0x2a9e wininet+0x21e8e @ 0x76261e8e
InternetInitializeAutoProxyDll+0x408 InternetConnectW-0x4a08 wininet+0x1ff24 @ 0x7625ff24
InternetQueryOptionW+0x11f0 HttpQueryInfoA-0x1277 wininet+0x190c7 @ 0x762590c7
InternetQueryOptionW+0x18aa HttpQueryInfoA-0xbbd wininet+0x19781 @ 0x76259781
DeleteUrlCacheEntry+0x96e SetUrlCacheEntryInfoA-0x65d wininet+0x46356 @ 0x76286356
InternetOpenUrlA+0x7e1 InternetCombineUrlW-0x16b3 wininet+0x438d2 @ 0x762838d2
HttpSendRequestA+0x36 InternetSetPerSiteCookieDecisionA-0x7cf wininet+0x9192e @ 0x762d192e
New_wininet_HttpSendRequestA@20+0x137 New_wininet_HttpSendRequestW@20-0x7f @ 0x74019303
_install+0x5220 @ 0x25aa9fd
_install+0x552e @ 0x25aad0b
baseConfigSource+0xbc8c _threadEntry-0x3444 @ 0x25a1944
baseConfigSource+0xcdf4 _threadEntry-0x22dc @ 0x25a2aac
_install+0x8939 @ 0x25ae116
_threadEntry+0xd9 _install-0x97c @ 0x25a4e61
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 40887000
registers.edi: 1985478544
registers.eax: 1467647848
registers.ebp: 40887040
registers.edx: 0
registers.ebx: 40888140
registers.esi: 1
registers.ecx: 1467647848
exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc
exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2
exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98
exception.module: RPCRT4.dll
exception.exception_code: 0xc0000005
exception.offset: 99282
exception.address: 0x75c883d2
success 0 0
1619795657.261125
__exception__
stacktrace:
NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad
NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe
RegSetValueA+0x2a5 GetServiceKeyNameA-0xaae advapi32+0x610e6 @ 0x765a10e6
RegSetKeyValueA+0x1b8 RegLoadAppKeyW-0x1d4 advapi32+0x5fa43 @ 0x7659fa43
GetProfileStringW+0xff0b EnumResourceNamesW-0x35caa kernel32+0x4d4b7 @ 0x7638d4b7
_install+0xa493 @ 0x25afc70
SHEnumValueW+0x22 PathMakePrettyW-0x104 shlwapi+0xcb1f @ 0x776bcb1f
CoInternetCreateZoneManager+0x91b IEDllLoader-0x590d urlmon+0xeff8 @ 0x7771eff8
CoInternetCreateZoneManager+0x1fa8 IEDllLoader-0x4280 urlmon+0x10685 @ 0x77720685
CoInternetCreateZoneManager+0x2b69 IEDllLoader-0x36bf urlmon+0x11246 @ 0x77721246
CoInternetCreateZoneManager+0x2ad8 IEDllLoader-0x3750 urlmon+0x111b5 @ 0x777211b5
CoInternetCreateZoneManager+0x2131 IEDllLoader-0x40f7 urlmon+0x1080e @ 0x7772080e
CoInternetCreateZoneManager+0x22b0 IEDllLoader-0x3f78 urlmon+0x1098d @ 0x7772098d
DllGetClassObject+0x80b CoInternetGetSecurityUrlEx-0x7c4 urlmon+0xc689 @ 0x7771c689
CoInternetCreateSecurityManager+0x14 RevokeBindStatusCallback-0x36b urlmon+0x1f115 @ 0x7772f115
InternetQueryDataAvailable+0x1ac6 InternetOpenW-0x1874 wininet+0x27923 @ 0x76267923
InternetInitializeAutoProxyDll+0x30d2 InternetConnectW-0x1d3e wininet+0x22bee @ 0x76262bee
InternetInitializeAutoProxyDll+0x2372 InternetConnectW-0x2a9e wininet+0x21e8e @ 0x76261e8e
InternetInitializeAutoProxyDll+0x408 InternetConnectW-0x4a08 wininet+0x1ff24 @ 0x7625ff24
InternetQueryOptionW+0x11f0 HttpQueryInfoA-0x1277 wininet+0x190c7 @ 0x762590c7
InternetQueryOptionW+0x18aa HttpQueryInfoA-0xbbd wininet+0x19781 @ 0x76259781
DeleteUrlCacheEntry+0x96e SetUrlCacheEntryInfoA-0x65d wininet+0x46356 @ 0x76286356
InternetOpenUrlA+0x7e1 InternetCombineUrlW-0x16b3 wininet+0x438d2 @ 0x762838d2
HttpSendRequestA+0x36 InternetSetPerSiteCookieDecisionA-0x7cf wininet+0x9192e @ 0x762d192e
New_wininet_HttpSendRequestA@20+0x137 New_wininet_HttpSendRequestW@20-0x7f @ 0x74019303
_install+0x5220 @ 0x25aa9fd
_install+0x552e @ 0x25aad0b
baseConfigSource+0xbc8c _threadEntry-0x3444 @ 0x25a1944
baseConfigSource+0xcdf4 _threadEntry-0x22dc @ 0x25a2aac
_install+0x8939 @ 0x25ae116
_threadEntry+0xd9 _install-0x97c @ 0x25a4e61
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 40886924
registers.edi: 1985477542
registers.eax: 1467647848
registers.ebp: 40886964
registers.edx: 0
registers.ebx: 40888064
registers.esi: 1
registers.ecx: 1467647848
exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc
exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2
exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98
exception.module: RPCRT4.dll
exception.exception_code: 0xc0000005
exception.offset: 99282
exception.address: 0x75c883d2
success 0 0
1619795657.261125
__exception__
stacktrace:
NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad
NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe
RegSetValueA+0x4d4 GetServiceKeyNameA-0x87f advapi32+0x61315 @ 0x765a1315
GetProfileStringW+0xfdda EnumResourceNamesW-0x35ddb kernel32+0x4d386 @ 0x7638d386
_install+0xa493 @ 0x25afc70
SHEnumValueW+0x22 PathMakePrettyW-0x104 shlwapi+0xcb1f @ 0x776bcb1f
CoInternetCreateZoneManager+0x91b IEDllLoader-0x590d urlmon+0xeff8 @ 0x7771eff8
CoInternetCreateZoneManager+0x1fa8 IEDllLoader-0x4280 urlmon+0x10685 @ 0x77720685
CoInternetCreateZoneManager+0x2b69 IEDllLoader-0x36bf urlmon+0x11246 @ 0x77721246
CoInternetCreateZoneManager+0x2ad8 IEDllLoader-0x3750 urlmon+0x111b5 @ 0x777211b5
CoInternetCreateZoneManager+0x2131 IEDllLoader-0x40f7 urlmon+0x1080e @ 0x7772080e
CoInternetCreateZoneManager+0x22b0 IEDllLoader-0x3f78 urlmon+0x1098d @ 0x7772098d
DllGetClassObject+0x80b CoInternetGetSecurityUrlEx-0x7c4 urlmon+0xc689 @ 0x7771c689
CoInternetCreateSecurityManager+0x14 RevokeBindStatusCallback-0x36b urlmon+0x1f115 @ 0x7772f115
InternetQueryDataAvailable+0x1ac6 InternetOpenW-0x1874 wininet+0x27923 @ 0x76267923
InternetInitializeAutoProxyDll+0x30d2 InternetConnectW-0x1d3e wininet+0x22bee @ 0x76262bee
InternetInitializeAutoProxyDll+0x2372 InternetConnectW-0x2a9e wininet+0x21e8e @ 0x76261e8e
InternetInitializeAutoProxyDll+0x408 InternetConnectW-0x4a08 wininet+0x1ff24 @ 0x7625ff24
InternetQueryOptionW+0x11f0 HttpQueryInfoA-0x1277 wininet+0x190c7 @ 0x762590c7
InternetQueryOptionW+0x18aa HttpQueryInfoA-0xbbd wininet+0x19781 @ 0x76259781
DeleteUrlCacheEntry+0x96e SetUrlCacheEntryInfoA-0x65d wininet+0x46356 @ 0x76286356
InternetOpenUrlA+0x7e1 InternetCombineUrlW-0x16b3 wininet+0x438d2 @ 0x762838d2
HttpSendRequestA+0x36 InternetSetPerSiteCookieDecisionA-0x7cf wininet+0x9192e @ 0x762d192e
New_wininet_HttpSendRequestA@20+0x137 New_wininet_HttpSendRequestW@20-0x7f @ 0x74019303
_install+0x5220 @ 0x25aa9fd
_install+0x552e @ 0x25aad0b
baseConfigSource+0xbc8c _threadEntry-0x3444 @ 0x25a1944
baseConfigSource+0xcdf4 _threadEntry-0x22dc @ 0x25a2aac
_install+0x8939 @ 0x25ae116
_threadEntry+0xd9 _install-0x97c @ 0x25a4e61
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 40887000
registers.edi: 1985478544
registers.eax: 1467647848
registers.ebp: 40887040
registers.edx: 0
registers.ebx: 40888140
registers.esi: 1
registers.ecx: 1467647848
exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc
exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2
exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98
exception.module: RPCRT4.dll
exception.exception_code: 0xc0000005
exception.offset: 99282
exception.address: 0x75c883d2
success 0 0
1619795657.261125
__exception__
stacktrace:
NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad
NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe
RegSetValueA+0x2a5 GetServiceKeyNameA-0xaae advapi32+0x610e6 @ 0x765a10e6
RegSetKeyValueA+0x1b8 RegLoadAppKeyW-0x1d4 advapi32+0x5fa43 @ 0x7659fa43
GetProfileStringW+0xff0b EnumResourceNamesW-0x35caa kernel32+0x4d4b7 @ 0x7638d4b7
_install+0xa493 @ 0x25afc70
SHEnumValueW+0x22 PathMakePrettyW-0x104 shlwapi+0xcb1f @ 0x776bcb1f
CoInternetCreateZoneManager+0x91b IEDllLoader-0x590d urlmon+0xeff8 @ 0x7771eff8
CoInternetCreateZoneManager+0x1fa8 IEDllLoader-0x4280 urlmon+0x10685 @ 0x77720685
CoInternetCreateZoneManager+0x2b69 IEDllLoader-0x36bf urlmon+0x11246 @ 0x77721246
CoInternetCreateZoneManager+0x2ad8 IEDllLoader-0x3750 urlmon+0x111b5 @ 0x777211b5
CoInternetCreateZoneManager+0x2131 IEDllLoader-0x40f7 urlmon+0x1080e @ 0x7772080e
CoInternetCreateZoneManager+0x22b0 IEDllLoader-0x3f78 urlmon+0x1098d @ 0x7772098d
DllGetClassObject+0x80b CoInternetGetSecurityUrlEx-0x7c4 urlmon+0xc689 @ 0x7771c689
CoInternetCreateSecurityManager+0x14 RevokeBindStatusCallback-0x36b urlmon+0x1f115 @ 0x7772f115
InternetQueryDataAvailable+0x1ac6 InternetOpenW-0x1874 wininet+0x27923 @ 0x76267923
InternetInitializeAutoProxyDll+0x30d2 InternetConnectW-0x1d3e wininet+0x22bee @ 0x76262bee
InternetInitializeAutoProxyDll+0x2372 InternetConnectW-0x2a9e wininet+0x21e8e @ 0x76261e8e
InternetInitializeAutoProxyDll+0x408 InternetConnectW-0x4a08 wininet+0x1ff24 @ 0x7625ff24
InternetQueryOptionW+0x11f0 HttpQueryInfoA-0x1277 wininet+0x190c7 @ 0x762590c7
InternetQueryOptionW+0x18aa HttpQueryInfoA-0xbbd wininet+0x19781 @ 0x76259781
DeleteUrlCacheEntry+0x96e SetUrlCacheEntryInfoA-0x65d wininet+0x46356 @ 0x76286356
InternetOpenUrlA+0x7e1 InternetCombineUrlW-0x16b3 wininet+0x438d2 @ 0x762838d2
HttpSendRequestA+0x36 InternetSetPerSiteCookieDecisionA-0x7cf wininet+0x9192e @ 0x762d192e
New_wininet_HttpSendRequestA@20+0x137 New_wininet_HttpSendRequestW@20-0x7f @ 0x74019303
_install+0x5220 @ 0x25aa9fd
_install+0x552e @ 0x25aad0b
baseConfigSource+0xbc8c _threadEntry-0x3444 @ 0x25a1944
baseConfigSource+0xcdf4 _threadEntry-0x22dc @ 0x25a2aac
_install+0x8939 @ 0x25ae116
_threadEntry+0xd9 _install-0x97c @ 0x25a4e61
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 40886924
registers.edi: 1985477542
registers.eax: 1467647848
registers.ebp: 40886964
registers.edx: 0
registers.ebx: 40888064
registers.esi: 1
registers.ecx: 1467647848
exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc
exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2
exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98
exception.module: RPCRT4.dll
exception.exception_code: 0xc0000005
exception.offset: 99282
exception.address: 0x75c883d2
success 0 0
1619795657.261125
__exception__
stacktrace:
NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad
NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe
RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x765a100f
GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x7638c8e3
_install+0xa303 @ 0x25afae0
GetPortFromUrlScheme+0x53fe DllGetClassObject-0x1f2 urlmon+0xbc8c @ 0x7771bc8c
CoInternetCreateZoneManager+0x2131 IEDllLoader-0x40f7 urlmon+0x1080e @ 0x7772080e
CoInternetCreateZoneManager+0x22b0 IEDllLoader-0x3f78 urlmon+0x1098d @ 0x7772098d
DllGetClassObject+0x80b CoInternetGetSecurityUrlEx-0x7c4 urlmon+0xc689 @ 0x7771c689
CoInternetCreateSecurityManager+0x14 RevokeBindStatusCallback-0x36b urlmon+0x1f115 @ 0x7772f115
InternetQueryDataAvailable+0x1ac6 InternetOpenW-0x1874 wininet+0x27923 @ 0x76267923
InternetInitializeAutoProxyDll+0x30d2 InternetConnectW-0x1d3e wininet+0x22bee @ 0x76262bee
InternetInitializeAutoProxyDll+0x2372 InternetConnectW-0x2a9e wininet+0x21e8e @ 0x76261e8e
InternetInitializeAutoProxyDll+0x408 InternetConnectW-0x4a08 wininet+0x1ff24 @ 0x7625ff24
InternetQueryOptionW+0x11f0 HttpQueryInfoA-0x1277 wininet+0x190c7 @ 0x762590c7
InternetQueryOptionW+0x18aa HttpQueryInfoA-0xbbd wininet+0x19781 @ 0x76259781
DeleteUrlCacheEntry+0x96e SetUrlCacheEntryInfoA-0x65d wininet+0x46356 @ 0x76286356
InternetOpenUrlA+0x7e1 InternetCombineUrlW-0x16b3 wininet+0x438d2 @ 0x762838d2
HttpSendRequestA+0x36 InternetSetPerSiteCookieDecisionA-0x7cf wininet+0x9192e @ 0x762d192e
New_wininet_HttpSendRequestA@20+0x137 New_wininet_HttpSendRequestW@20-0x7f @ 0x74019303
_install+0x5220 @ 0x25aa9fd
_install+0x552e @ 0x25aad0b
baseConfigSource+0xbc8c _threadEntry-0x3444 @ 0x25a1944
baseConfigSource+0xcdf4 _threadEntry-0x22dc @ 0x25a2aac
_install+0x8939 @ 0x25ae116
_threadEntry+0xd9 _install-0x97c @ 0x25a4e61
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 40887312
registers.edi: 1985477242
registers.eax: 1467647848
registers.ebp: 40887352
registers.edx: 0
registers.ebx: 40888452
registers.esi: 1
registers.ecx: 1467647848
exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc
exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2
exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98
exception.module: RPCRT4.dll
exception.exception_code: 0xc0000005
exception.offset: 99282
exception.address: 0x75c883d2
success 0 0
1619795600.667875
__exception__
stacktrace:
NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad
NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe
RegSetValueA+0x37c GetServiceKeyNameA-0x9d7 advapi32+0x611bd @ 0x765a11bd
RegSetKeyValueA+0x250 RegLoadAppKeyW-0x13c advapi32+0x5fadb @ 0x7659fadb
GetProfileStringW+0x1072d EnumResourceNamesW-0x35488 kernel32+0x4dcd9 @ 0x7638dcd9
_install+0xa796 @ 0x25aff73
SHQueryInfoKeyW+0x23 SHEnumValueW-0x9 shlwapi+0xcaf4 @ 0x776bcaf4
CoInternetCreateZoneManager+0x1d27 IEDllLoader-0x4501 urlmon+0x10404 @ 0x77720404
CoInternetCreateZoneManager+0x1d8c IEDllLoader-0x449c urlmon+0x10469 @ 0x77720469
CoInternetCreateZoneManager+0x27b7 IEDllLoader-0x3a71 urlmon+0x10e94 @ 0x77720e94
CoInternetCreateZoneManager+0x2a90 IEDllLoader-0x3798 urlmon+0x1116d @ 0x7772116d
CoInternetCreateZoneManager+0x2131 IEDllLoader-0x40f7 urlmon+0x1080e @ 0x7772080e
CoInternetCreateZoneManager+0x22b0 IEDllLoader-0x3f78 urlmon+0x1098d @ 0x7772098d
DllGetClassObject+0x80b CoInternetGetSecurityUrlEx-0x7c4 urlmon+0xc689 @ 0x7771c689
CoInternetCreateSecurityManager+0x14 RevokeBindStatusCallback-0x36b urlmon+0x1f115 @ 0x7772f115
IEInPrivateFilteringEnabled+0x52c8a SetQueryNetSessionCount-0x6d5e3 ieframe+0xbacd2 @ 0x7201acd2
IEInPrivateFilteringEnabled+0x52d1e SetQueryNetSessionCount-0x6d54f ieframe+0xbad66 @ 0x7201ad66
IEInPrivateFilteringEnabled+0x455fe SetQueryNetSessionCount-0x7ac6f ieframe+0xad646 @ 0x7200d646
IEInPrivateFilteringEnabled+0x4545d SetQueryNetSessionCount-0x7ae10 ieframe+0xad4a5 @ 0x7200d4a5
CreateURLMonikerEx+0x3373 FindMediaType-0x1970 urlmon+0x1ad10 @ 0x7772ad10
CreateURLMonikerEx+0x310b FindMediaType-0x1bd8 urlmon+0x1aaa8 @ 0x7772aaa8
CreateURLMonikerEx+0x2aa5 FindMediaType-0x223e urlmon+0x1a442 @ 0x7772a442
CreateURLMonikerEx+0x28d5 FindMediaType-0x240e urlmon+0x1a272 @ 0x7772a272
CreateFormatEnumerator+0x166 CoInternetParseIUri-0x75d urlmon+0x355b6 @ 0x777455b6
IEInPrivateFilteringEnabled+0x452d6 SetQueryNetSessionCount-0x7af97 ieframe+0xad31e @ 0x7200d31e
IEInPrivateFilteringEnabled+0x44bac SetQueryNetSessionCount-0x7b6c1 ieframe+0xacbf4 @ 0x7200cbf4
IEInPrivateFilteringEnabled+0x34ea3 SetQueryNetSessionCount-0x8b3ca ieframe+0x9ceeb @ 0x71ffceeb
IEInPrivateFilteringEnabled+0x34d69 SetQueryNetSessionCount-0x8b504 ieframe+0x9cdb1 @ 0x71ffcdb1
IEInPrivateFilteringEnabled+0x354dd SetQueryNetSessionCount-0x8ad90 ieframe+0x9d525 @ 0x71ffd525
IEInPrivateFilteringEnabled+0x353fc SetQueryNetSessionCount-0x8ae71 ieframe+0x9d444 @ 0x71ffd444
IEInPrivateFilteringEnabled+0x3531a SetQueryNetSessionCount-0x8af53 ieframe+0x9d362 @ 0x71ffd362
IEInPrivateFilteringEnabled+0x351a8 SetQueryNetSessionCount-0x8b0c5 ieframe+0x9d1f0 @ 0x71ffd1f0
IEInPrivateFilteringEnabled+0x350db SetQueryNetSessionCount-0x8b192 ieframe+0x9d123 @ 0x71ffd123
IELaunchURL+0x2887 IEInPrivateFilteringEnabled-0x3216 ieframe+0x64e32 @ 0x71fc4e32
IEInPrivateFilteringEnabled+0xbfef3 SetQueryNetSessionCount-0x37a ieframe+0x127f3b @ 0x72087f3b
IEInPrivateFilteringEnabled+0xbee50 SetQueryNetSessionCount-0x141d ieframe+0x126e98 @ 0x72086e98
IEInPrivateFilteringEnabled+0xbede8 SetQueryNetSessionCount-0x1485 ieframe+0x126e30 @ 0x72086e30
IEInPrivateFilteringEnabled+0xbfdc7 SetQueryNetSessionCount-0x4a6 ieframe+0x127e0f @ 0x72087e0f
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x775a965e
SendMessageW+0x4c GetAncestor-0xc0 user32+0x196c5 @ 0x775a96c5
IELaunchURL+0x28ce IEInPrivateFilteringEnabled-0x31cf ieframe+0x64e79 @ 0x71fc4e79
IELaunchURL+0x1341 IEInPrivateFilteringEnabled-0x475c ieframe+0x638ec @ 0x71fc38ec
IELaunchURL+0x259b IEInPrivateFilteringEnabled-0x3502 ieframe+0x64b46 @ 0x71fc4b46
IELaunchURL+0x29f9 IEInPrivateFilteringEnabled-0x30a4 ieframe+0x64fa4 @ 0x71fc4fa4
IELaunchURL+0x24d5 IEInPrivateFilteringEnabled-0x35c8 ieframe+0x64a80 @ 0x71fc4a80
IELaunchURL+0x2a93 IEInPrivateFilteringEnabled-0x300a ieframe+0x6503e @ 0x71fc503e
SoftwareUpdateMessageBox+0x27896 IEAssociateThreadWithTab-0x2b582 ieframe+0x1f0223 @ 0x72150223
_install+0x1708 @ 0x25a6ee5
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetDC+0x52 ReleaseDC-0x130 user32+0x17316 @ 0x775a7316
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x775a6de8
UnregisterClassW+0x7bc LoadIconW-0xa02 user32+0x1a740 @ 0x775aa740
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77d4011a
UnregisterClassW+0xab8 LoadIconW-0x706 user32+0x1aa3c @ 0x775aaa3c
CreateWindowExW+0x33 RegisterClassW-0x9 user32+0x18a5c @ 0x775a8a5c
_install+0x18c3 @ 0x25a70a0
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 60788812
registers.edi: 1985477926
registers.eax: 1876604162
registers.ebp: 60788852
registers.edx: 0
registers.ebx: 60789952
registers.esi: 1
registers.ecx: 1876604162
exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc
exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2
exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98
exception.module: RPCRT4.dll
exception.exception_code: 0xc0000005
exception.offset: 99282
exception.address: 0x75c883d2
success 0 0
1619795600.667875
__exception__
stacktrace:
NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad
NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe
RegSetValueA+0x4d4 GetServiceKeyNameA-0x87f advapi32+0x61315 @ 0x765a1315
GetProfileStringW+0xfdda EnumResourceNamesW-0x35ddb kernel32+0x4d386 @ 0x7638d386
_install+0xa493 @ 0x25afc70
SHEnumValueW+0x22 PathMakePrettyW-0x104 shlwapi+0xcb1f @ 0x776bcb1f
CoInternetCreateZoneManager+0x91b IEDllLoader-0x590d urlmon+0xeff8 @ 0x7771eff8
CoInternetCreateZoneManager+0x1fa8 IEDllLoader-0x4280 urlmon+0x10685 @ 0x77720685
CoInternetCreateZoneManager+0x2b69 IEDllLoader-0x36bf urlmon+0x11246 @ 0x77721246
CoInternetCreateZoneManager+0x2ad8 IEDllLoader-0x3750 urlmon+0x111b5 @ 0x777211b5
CoInternetCreateZoneManager+0x2131 IEDllLoader-0x40f7 urlmon+0x1080e @ 0x7772080e
CoInternetCreateZoneManager+0x22b0 IEDllLoader-0x3f78 urlmon+0x1098d @ 0x7772098d
DllGetClassObject+0x80b CoInternetGetSecurityUrlEx-0x7c4 urlmon+0xc689 @ 0x7771c689
CoInternetCreateSecurityManager+0x14 RevokeBindStatusCallback-0x36b urlmon+0x1f115 @ 0x7772f115
IEInPrivateFilteringEnabled+0x52c8a SetQueryNetSessionCount-0x6d5e3 ieframe+0xbacd2 @ 0x7201acd2
IEInPrivateFilteringEnabled+0x52d1e SetQueryNetSessionCount-0x6d54f ieframe+0xbad66 @ 0x7201ad66
IEInPrivateFilteringEnabled+0x455fe SetQueryNetSessionCount-0x7ac6f ieframe+0xad646 @ 0x7200d646
IEInPrivateFilteringEnabled+0x4545d SetQueryNetSessionCount-0x7ae10 ieframe+0xad4a5 @ 0x7200d4a5
CreateURLMonikerEx+0x3373 FindMediaType-0x1970 urlmon+0x1ad10 @ 0x7772ad10
CreateURLMonikerEx+0x310b FindMediaType-0x1bd8 urlmon+0x1aaa8 @ 0x7772aaa8
CreateURLMonikerEx+0x2aa5 FindMediaType-0x223e urlmon+0x1a442 @ 0x7772a442
CreateURLMonikerEx+0x28d5 FindMediaType-0x240e urlmon+0x1a272 @ 0x7772a272
CreateFormatEnumerator+0x166 CoInternetParseIUri-0x75d urlmon+0x355b6 @ 0x777455b6
IEInPrivateFilteringEnabled+0x452d6 SetQueryNetSessionCount-0x7af97 ieframe+0xad31e @ 0x7200d31e
IEInPrivateFilteringEnabled+0x44bac SetQueryNetSessionCount-0x7b6c1 ieframe+0xacbf4 @ 0x7200cbf4
IEInPrivateFilteringEnabled+0x34ea3 SetQueryNetSessionCount-0x8b3ca ieframe+0x9ceeb @ 0x71ffceeb
IEInPrivateFilteringEnabled+0x34d69 SetQueryNetSessionCount-0x8b504 ieframe+0x9cdb1 @ 0x71ffcdb1
IEInPrivateFilteringEnabled+0x354dd SetQueryNetSessionCount-0x8ad90 ieframe+0x9d525 @ 0x71ffd525
IEInPrivateFilteringEnabled+0x353fc SetQueryNetSessionCount-0x8ae71 ieframe+0x9d444 @ 0x71ffd444
IEInPrivateFilteringEnabled+0x3531a SetQueryNetSessionCount-0x8af53 ieframe+0x9d362 @ 0x71ffd362
IEInPrivateFilteringEnabled+0x351a8 SetQueryNetSessionCount-0x8b0c5 ieframe+0x9d1f0 @ 0x71ffd1f0
IEInPrivateFilteringEnabled+0x350db SetQueryNetSessionCount-0x8b192 ieframe+0x9d123 @ 0x71ffd123
IELaunchURL+0x2887 IEInPrivateFilteringEnabled-0x3216 ieframe+0x64e32 @ 0x71fc4e32
IEInPrivateFilteringEnabled+0xbfef3 SetQueryNetSessionCount-0x37a ieframe+0x127f3b @ 0x72087f3b
IEInPrivateFilteringEnabled+0xbee50 SetQueryNetSessionCount-0x141d ieframe+0x126e98 @ 0x72086e98
IEInPrivateFilteringEnabled+0xbede8 SetQueryNetSessionCount-0x1485 ieframe+0x126e30 @ 0x72086e30
IEInPrivateFilteringEnabled+0xbfdc7 SetQueryNetSessionCount-0x4a6 ieframe+0x127e0f @ 0x72087e0f
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x775a965e
SendMessageW+0x4c GetAncestor-0xc0 user32+0x196c5 @ 0x775a96c5
IELaunchURL+0x28ce IEInPrivateFilteringEnabled-0x31cf ieframe+0x64e79 @ 0x71fc4e79
IELaunchURL+0x1341 IEInPrivateFilteringEnabled-0x475c ieframe+0x638ec @ 0x71fc38ec
IELaunchURL+0x259b IEInPrivateFilteringEnabled-0x3502 ieframe+0x64b46 @ 0x71fc4b46
IELaunchURL+0x29f9 IEInPrivateFilteringEnabled-0x30a4 ieframe+0x64fa4 @ 0x71fc4fa4
IELaunchURL+0x24d5 IEInPrivateFilteringEnabled-0x35c8 ieframe+0x64a80 @ 0x71fc4a80
IELaunchURL+0x2a93 IEInPrivateFilteringEnabled-0x300a ieframe+0x6503e @ 0x71fc503e
SoftwareUpdateMessageBox+0x27896 IEAssociateThreadWithTab-0x2b582 ieframe+0x1f0223 @ 0x72150223
_install+0x1708 @ 0x25a6ee5
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetDC+0x52 ReleaseDC-0x130 user32+0x17316 @ 0x775a7316
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x775a6de8
UnregisterClassW+0x7bc LoadIconW-0xa02 user32+0x1a740 @ 0x775aa740
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77d4011a
UnregisterClassW+0xab8 LoadIconW-0x706 user32+0x1aa3c @ 0x775aaa3c
CreateWindowExW+0x33 RegisterClassW-0x9 user32+0x18a5c @ 0x775a8a5c
_install+0x18c3 @ 0x25a70a0
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 60789416
registers.edi: 1985478544
registers.eax: 1876604162
registers.ebp: 60789456
registers.edx: 0
registers.ebx: 60790556
registers.esi: 1
registers.ecx: 1876604162
exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc
exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2
exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98
exception.module: RPCRT4.dll
exception.exception_code: 0xc0000005
exception.offset: 99282
exception.address: 0x75c883d2
success 0 0
1619795600.667875
__exception__
stacktrace:
NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad
NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe
RegSetValueA+0x2a5 GetServiceKeyNameA-0xaae advapi32+0x610e6 @ 0x765a10e6
RegSetKeyValueA+0x1b8 RegLoadAppKeyW-0x1d4 advapi32+0x5fa43 @ 0x7659fa43
GetProfileStringW+0xff0b EnumResourceNamesW-0x35caa kernel32+0x4d4b7 @ 0x7638d4b7
_install+0xa493 @ 0x25afc70
SHEnumValueW+0x22 PathMakePrettyW-0x104 shlwapi+0xcb1f @ 0x776bcb1f
CoInternetCreateZoneManager+0x91b IEDllLoader-0x590d urlmon+0xeff8 @ 0x7771eff8
CoInternetCreateZoneManager+0x1fa8 IEDllLoader-0x4280 urlmon+0x10685 @ 0x77720685
CoInternetCreateZoneManager+0x2b69 IEDllLoader-0x36bf urlmon+0x11246 @ 0x77721246
CoInternetCreateZoneManager+0x2ad8 IEDllLoader-0x3750 urlmon+0x111b5 @ 0x777211b5
CoInternetCreateZoneManager+0x2131 IEDllLoader-0x40f7 urlmon+0x1080e @ 0x7772080e
CoInternetCreateZoneManager+0x22b0 IEDllLoader-0x3f78 urlmon+0x1098d @ 0x7772098d
DllGetClassObject+0x80b CoInternetGetSecurityUrlEx-0x7c4 urlmon+0xc689 @ 0x7771c689
CoInternetCreateSecurityManager+0x14 RevokeBindStatusCallback-0x36b urlmon+0x1f115 @ 0x7772f115
IEInPrivateFilteringEnabled+0x52c8a SetQueryNetSessionCount-0x6d5e3 ieframe+0xbacd2 @ 0x7201acd2
IEInPrivateFilteringEnabled+0x52d1e SetQueryNetSessionCount-0x6d54f ieframe+0xbad66 @ 0x7201ad66
IEInPrivateFilteringEnabled+0x455fe SetQueryNetSessionCount-0x7ac6f ieframe+0xad646 @ 0x7200d646
IEInPrivateFilteringEnabled+0x4545d SetQueryNetSessionCount-0x7ae10 ieframe+0xad4a5 @ 0x7200d4a5
CreateURLMonikerEx+0x3373 FindMediaType-0x1970 urlmon+0x1ad10 @ 0x7772ad10
CreateURLMonikerEx+0x310b FindMediaType-0x1bd8 urlmon+0x1aaa8 @ 0x7772aaa8
CreateURLMonikerEx+0x2aa5 FindMediaType-0x223e urlmon+0x1a442 @ 0x7772a442
CreateURLMonikerEx+0x28d5 FindMediaType-0x240e urlmon+0x1a272 @ 0x7772a272
CreateFormatEnumerator+0x166 CoInternetParseIUri-0x75d urlmon+0x355b6 @ 0x777455b6
IEInPrivateFilteringEnabled+0x452d6 SetQueryNetSessionCount-0x7af97 ieframe+0xad31e @ 0x7200d31e
IEInPrivateFilteringEnabled+0x44bac SetQueryNetSessionCount-0x7b6c1 ieframe+0xacbf4 @ 0x7200cbf4
IEInPrivateFilteringEnabled+0x34ea3 SetQueryNetSessionCount-0x8b3ca ieframe+0x9ceeb @ 0x71ffceeb
IEInPrivateFilteringEnabled+0x34d69 SetQueryNetSessionCount-0x8b504 ieframe+0x9cdb1 @ 0x71ffcdb1
IEInPrivateFilteringEnabled+0x354dd SetQueryNetSessionCount-0x8ad90 ieframe+0x9d525 @ 0x71ffd525
IEInPrivateFilteringEnabled+0x353fc SetQueryNetSessionCount-0x8ae71 ieframe+0x9d444 @ 0x71ffd444
IEInPrivateFilteringEnabled+0x3531a SetQueryNetSessionCount-0x8af53 ieframe+0x9d362 @ 0x71ffd362
IEInPrivateFilteringEnabled+0x351a8 SetQueryNetSessionCount-0x8b0c5 ieframe+0x9d1f0 @ 0x71ffd1f0
IEInPrivateFilteringEnabled+0x350db SetQueryNetSessionCount-0x8b192 ieframe+0x9d123 @ 0x71ffd123
IELaunchURL+0x2887 IEInPrivateFilteringEnabled-0x3216 ieframe+0x64e32 @ 0x71fc4e32
IEInPrivateFilteringEnabled+0xbfef3 SetQueryNetSessionCount-0x37a ieframe+0x127f3b @ 0x72087f3b
IEInPrivateFilteringEnabled+0xbee50 SetQueryNetSessionCount-0x141d ieframe+0x126e98 @ 0x72086e98
IEInPrivateFilteringEnabled+0xbede8 SetQueryNetSessionCount-0x1485 ieframe+0x126e30 @ 0x72086e30
IEInPrivateFilteringEnabled+0xbfdc7 SetQueryNetSessionCount-0x4a6 ieframe+0x127e0f @ 0x72087e0f
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x775a965e
SendMessageW+0x4c GetAncestor-0xc0 user32+0x196c5 @ 0x775a96c5
IELaunchURL+0x28ce IEInPrivateFilteringEnabled-0x31cf ieframe+0x64e79 @ 0x71fc4e79
IELaunchURL+0x1341 IEInPrivateFilteringEnabled-0x475c ieframe+0x638ec @ 0x71fc38ec
IELaunchURL+0x259b IEInPrivateFilteringEnabled-0x3502 ieframe+0x64b46 @ 0x71fc4b46
IELaunchURL+0x29f9 IEInPrivateFilteringEnabled-0x30a4 ieframe+0x64fa4 @ 0x71fc4fa4
IELaunchURL+0x24d5 IEInPrivateFilteringEnabled-0x35c8 ieframe+0x64a80 @ 0x71fc4a80
IELaunchURL+0x2a93 IEInPrivateFilteringEnabled-0x300a ieframe+0x6503e @ 0x71fc503e
SoftwareUpdateMessageBox+0x27896 IEAssociateThreadWithTab-0x2b582 ieframe+0x1f0223 @ 0x72150223
_install+0x1708 @ 0x25a6ee5
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetDC+0x52 ReleaseDC-0x130 user32+0x17316 @ 0x775a7316
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x775a6de8
UnregisterClassW+0x7bc LoadIconW-0xa02 user32+0x1a740 @ 0x775aa740
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77d4011a
UnregisterClassW+0xab8 LoadIconW-0x706 user32+0x1aa3c @ 0x775aaa3c
CreateWindowExW+0x33 RegisterClassW-0x9 user32+0x18a5c @ 0x775a8a5c
_install+0x18c3 @ 0x25a70a0
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 60789340
registers.edi: 1985477542
registers.eax: 1876604162
registers.ebp: 60789380
registers.edx: 0
registers.ebx: 60790480
registers.esi: 1
registers.ecx: 1876604162
exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc
exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2
exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98
exception.module: RPCRT4.dll
exception.exception_code: 0xc0000005
exception.offset: 99282
exception.address: 0x75c883d2
success 0 0
1619795600.683875
__exception__
stacktrace:
NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad
NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe
RegSetValueA+0x4d4 GetServiceKeyNameA-0x87f advapi32+0x61315 @ 0x765a1315
GetProfileStringW+0xfdda EnumResourceNamesW-0x35ddb kernel32+0x4d386 @ 0x7638d386
_install+0xa493 @ 0x25afc70
SHEnumValueW+0x22 PathMakePrettyW-0x104 shlwapi+0xcb1f @ 0x776bcb1f
CoInternetCreateZoneManager+0x91b IEDllLoader-0x590d urlmon+0xeff8 @ 0x7771eff8
CoInternetCreateZoneManager+0x1fa8 IEDllLoader-0x4280 urlmon+0x10685 @ 0x77720685
CoInternetCreateZoneManager+0x2b69 IEDllLoader-0x36bf urlmon+0x11246 @ 0x77721246
CoInternetCreateZoneManager+0x2ad8 IEDllLoader-0x3750 urlmon+0x111b5 @ 0x777211b5
CoInternetCreateZoneManager+0x2131 IEDllLoader-0x40f7 urlmon+0x1080e @ 0x7772080e
CoInternetCreateZoneManager+0x22b0 IEDllLoader-0x3f78 urlmon+0x1098d @ 0x7772098d
DllGetClassObject+0x80b CoInternetGetSecurityUrlEx-0x7c4 urlmon+0xc689 @ 0x7771c689
CoInternetCreateSecurityManager+0x14 RevokeBindStatusCallback-0x36b urlmon+0x1f115 @ 0x7772f115
IEInPrivateFilteringEnabled+0x52c8a SetQueryNetSessionCount-0x6d5e3 ieframe+0xbacd2 @ 0x7201acd2
IEInPrivateFilteringEnabled+0x52d1e SetQueryNetSessionCount-0x6d54f ieframe+0xbad66 @ 0x7201ad66
IEInPrivateFilteringEnabled+0x455fe SetQueryNetSessionCount-0x7ac6f ieframe+0xad646 @ 0x7200d646
IEInPrivateFilteringEnabled+0x4545d SetQueryNetSessionCount-0x7ae10 ieframe+0xad4a5 @ 0x7200d4a5
CreateURLMonikerEx+0x3373 FindMediaType-0x1970 urlmon+0x1ad10 @ 0x7772ad10
CreateURLMonikerEx+0x310b FindMediaType-0x1bd8 urlmon+0x1aaa8 @ 0x7772aaa8
CreateURLMonikerEx+0x2aa5 FindMediaType-0x223e urlmon+0x1a442 @ 0x7772a442
CreateURLMonikerEx+0x28d5 FindMediaType-0x240e urlmon+0x1a272 @ 0x7772a272
CreateFormatEnumerator+0x166 CoInternetParseIUri-0x75d urlmon+0x355b6 @ 0x777455b6
IEInPrivateFilteringEnabled+0x452d6 SetQueryNetSessionCount-0x7af97 ieframe+0xad31e @ 0x7200d31e
IEInPrivateFilteringEnabled+0x44bac SetQueryNetSessionCount-0x7b6c1 ieframe+0xacbf4 @ 0x7200cbf4
IEInPrivateFilteringEnabled+0x34ea3 SetQueryNetSessionCount-0x8b3ca ieframe+0x9ceeb @ 0x71ffceeb
IEInPrivateFilteringEnabled+0x34d69 SetQueryNetSessionCount-0x8b504 ieframe+0x9cdb1 @ 0x71ffcdb1
IEInPrivateFilteringEnabled+0x354dd SetQueryNetSessionCount-0x8ad90 ieframe+0x9d525 @ 0x71ffd525
IEInPrivateFilteringEnabled+0x353fc SetQueryNetSessionCount-0x8ae71 ieframe+0x9d444 @ 0x71ffd444
IEInPrivateFilteringEnabled+0x3531a SetQueryNetSessionCount-0x8af53 ieframe+0x9d362 @ 0x71ffd362
IEInPrivateFilteringEnabled+0x351a8 SetQueryNetSessionCount-0x8b0c5 ieframe+0x9d1f0 @ 0x71ffd1f0
IEInPrivateFilteringEnabled+0x350db SetQueryNetSessionCount-0x8b192 ieframe+0x9d123 @ 0x71ffd123
IELaunchURL+0x2887 IEInPrivateFilteringEnabled-0x3216 ieframe+0x64e32 @ 0x71fc4e32
IEInPrivateFilteringEnabled+0xbfef3 SetQueryNetSessionCount-0x37a ieframe+0x127f3b @ 0x72087f3b
IEInPrivateFilteringEnabled+0xbee50 SetQueryNetSessionCount-0x141d ieframe+0x126e98 @ 0x72086e98
IEInPrivateFilteringEnabled+0xbede8 SetQueryNetSessionCount-0x1485 ieframe+0x126e30 @ 0x72086e30
IEInPrivateFilteringEnabled+0xbfdc7 SetQueryNetSessionCount-0x4a6 ieframe+0x127e0f @ 0x72087e0f
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x775a965e
SendMessageW+0x4c GetAncestor-0xc0 user32+0x196c5 @ 0x775a96c5
IELaunchURL+0x28ce IEInPrivateFilteringEnabled-0x31cf ieframe+0x64e79 @ 0x71fc4e79
IELaunchURL+0x1341 IEInPrivateFilteringEnabled-0x475c ieframe+0x638ec @ 0x71fc38ec
IELaunchURL+0x259b IEInPrivateFilteringEnabled-0x3502 ieframe+0x64b46 @ 0x71fc4b46
IELaunchURL+0x29f9 IEInPrivateFilteringEnabled-0x30a4 ieframe+0x64fa4 @ 0x71fc4fa4
IELaunchURL+0x24d5 IEInPrivateFilteringEnabled-0x35c8 ieframe+0x64a80 @ 0x71fc4a80
IELaunchURL+0x2a93 IEInPrivateFilteringEnabled-0x300a ieframe+0x6503e @ 0x71fc503e
SoftwareUpdateMessageBox+0x27896 IEAssociateThreadWithTab-0x2b582 ieframe+0x1f0223 @ 0x72150223
_install+0x1708 @ 0x25a6ee5
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetDC+0x52 ReleaseDC-0x130 user32+0x17316 @ 0x775a7316
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x775a6de8
UnregisterClassW+0x7bc LoadIconW-0xa02 user32+0x1a740 @ 0x775aa740
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77d4011a
UnregisterClassW+0xab8 LoadIconW-0x706 user32+0x1aa3c @ 0x775aaa3c
CreateWindowExW+0x33 RegisterClassW-0x9 user32+0x18a5c @ 0x775a8a5c
_install+0x18c3 @ 0x25a70a0
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 60789416
registers.edi: 1985478544
registers.eax: 1876604162
registers.ebp: 60789456
registers.edx: 0
registers.ebx: 60790556
registers.esi: 1
registers.ecx: 1876604162
exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc
exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2
exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98
exception.module: RPCRT4.dll
exception.exception_code: 0xc0000005
exception.offset: 99282
exception.address: 0x75c883d2
success 0 0
1619795600.683875
__exception__
stacktrace:
NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad
NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe
RegSetValueA+0x2a5 GetServiceKeyNameA-0xaae advapi32+0x610e6 @ 0x765a10e6
RegSetKeyValueA+0x1b8 RegLoadAppKeyW-0x1d4 advapi32+0x5fa43 @ 0x7659fa43
GetProfileStringW+0xff0b EnumResourceNamesW-0x35caa kernel32+0x4d4b7 @ 0x7638d4b7
_install+0xa493 @ 0x25afc70
SHEnumValueW+0x22 PathMakePrettyW-0x104 shlwapi+0xcb1f @ 0x776bcb1f
CoInternetCreateZoneManager+0x91b IEDllLoader-0x590d urlmon+0xeff8 @ 0x7771eff8
CoInternetCreateZoneManager+0x1fa8 IEDllLoader-0x4280 urlmon+0x10685 @ 0x77720685
CoInternetCreateZoneManager+0x2b69 IEDllLoader-0x36bf urlmon+0x11246 @ 0x77721246
CoInternetCreateZoneManager+0x2ad8 IEDllLoader-0x3750 urlmon+0x111b5 @ 0x777211b5
CoInternetCreateZoneManager+0x2131 IEDllLoader-0x40f7 urlmon+0x1080e @ 0x7772080e
CoInternetCreateZoneManager+0x22b0 IEDllLoader-0x3f78 urlmon+0x1098d @ 0x7772098d
DllGetClassObject+0x80b CoInternetGetSecurityUrlEx-0x7c4 urlmon+0xc689 @ 0x7771c689
CoInternetCreateSecurityManager+0x14 RevokeBindStatusCallback-0x36b urlmon+0x1f115 @ 0x7772f115
IEInPrivateFilteringEnabled+0x52c8a SetQueryNetSessionCount-0x6d5e3 ieframe+0xbacd2 @ 0x7201acd2
IEInPrivateFilteringEnabled+0x52d1e SetQueryNetSessionCount-0x6d54f ieframe+0xbad66 @ 0x7201ad66
IEInPrivateFilteringEnabled+0x455fe SetQueryNetSessionCount-0x7ac6f ieframe+0xad646 @ 0x7200d646
IEInPrivateFilteringEnabled+0x4545d SetQueryNetSessionCount-0x7ae10 ieframe+0xad4a5 @ 0x7200d4a5
CreateURLMonikerEx+0x3373 FindMediaType-0x1970 urlmon+0x1ad10 @ 0x7772ad10
CreateURLMonikerEx+0x310b FindMediaType-0x1bd8 urlmon+0x1aaa8 @ 0x7772aaa8
CreateURLMonikerEx+0x2aa5 FindMediaType-0x223e urlmon+0x1a442 @ 0x7772a442
CreateURLMonikerEx+0x28d5 FindMediaType-0x240e urlmon+0x1a272 @ 0x7772a272
CreateFormatEnumerator+0x166 CoInternetParseIUri-0x75d urlmon+0x355b6 @ 0x777455b6
IEInPrivateFilteringEnabled+0x452d6 SetQueryNetSessionCount-0x7af97 ieframe+0xad31e @ 0x7200d31e
IEInPrivateFilteringEnabled+0x44bac SetQueryNetSessionCount-0x7b6c1 ieframe+0xacbf4 @ 0x7200cbf4
IEInPrivateFilteringEnabled+0x34ea3 SetQueryNetSessionCount-0x8b3ca ieframe+0x9ceeb @ 0x71ffceeb
IEInPrivateFilteringEnabled+0x34d69 SetQueryNetSessionCount-0x8b504 ieframe+0x9cdb1 @ 0x71ffcdb1
IEInPrivateFilteringEnabled+0x354dd SetQueryNetSessionCount-0x8ad90 ieframe+0x9d525 @ 0x71ffd525
IEInPrivateFilteringEnabled+0x353fc SetQueryNetSessionCount-0x8ae71 ieframe+0x9d444 @ 0x71ffd444
IEInPrivateFilteringEnabled+0x3531a SetQueryNetSessionCount-0x8af53 ieframe+0x9d362 @ 0x71ffd362
IEInPrivateFilteringEnabled+0x351a8 SetQueryNetSessionCount-0x8b0c5 ieframe+0x9d1f0 @ 0x71ffd1f0
IEInPrivateFilteringEnabled+0x350db SetQueryNetSessionCount-0x8b192 ieframe+0x9d123 @ 0x71ffd123
IELaunchURL+0x2887 IEInPrivateFilteringEnabled-0x3216 ieframe+0x64e32 @ 0x71fc4e32
IEInPrivateFilteringEnabled+0xbfef3 SetQueryNetSessionCount-0x37a ieframe+0x127f3b @ 0x72087f3b
IEInPrivateFilteringEnabled+0xbee50 SetQueryNetSessionCount-0x141d ieframe+0x126e98 @ 0x72086e98
IEInPrivateFilteringEnabled+0xbede8 SetQueryNetSessionCount-0x1485 ieframe+0x126e30 @ 0x72086e30
IEInPrivateFilteringEnabled+0xbfdc7 SetQueryNetSessionCount-0x4a6 ieframe+0x127e0f @ 0x72087e0f
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x775a965e
SendMessageW+0x4c GetAncestor-0xc0 user32+0x196c5 @ 0x775a96c5
IELaunchURL+0x28ce IEInPrivateFilteringEnabled-0x31cf ieframe+0x64e79 @ 0x71fc4e79
IELaunchURL+0x1341 IEInPrivateFilteringEnabled-0x475c ieframe+0x638ec @ 0x71fc38ec
IELaunchURL+0x259b IEInPrivateFilteringEnabled-0x3502 ieframe+0x64b46 @ 0x71fc4b46
IELaunchURL+0x29f9 IEInPrivateFilteringEnabled-0x30a4 ieframe+0x64fa4 @ 0x71fc4fa4
IELaunchURL+0x24d5 IEInPrivateFilteringEnabled-0x35c8 ieframe+0x64a80 @ 0x71fc4a80
IELaunchURL+0x2a93 IEInPrivateFilteringEnabled-0x300a ieframe+0x6503e @ 0x71fc503e
SoftwareUpdateMessageBox+0x27896 IEAssociateThreadWithTab-0x2b582 ieframe+0x1f0223 @ 0x72150223
_install+0x1708 @ 0x25a6ee5
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetDC+0x52 ReleaseDC-0x130 user32+0x17316 @ 0x775a7316
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x775a6de8
UnregisterClassW+0x7bc LoadIconW-0xa02 user32+0x1a740 @ 0x775aa740
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77d4011a
UnregisterClassW+0xab8 LoadIconW-0x706 user32+0x1aa3c @ 0x775aaa3c
CreateWindowExW+0x33 RegisterClassW-0x9 user32+0x18a5c @ 0x775a8a5c
_install+0x18c3 @ 0x25a70a0
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 60789340
registers.edi: 1985477542
registers.eax: 1876604162
registers.ebp: 60789380
registers.edx: 0
registers.ebx: 60790480
registers.esi: 1
registers.ecx: 1876604162
exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc
exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2
exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98
exception.module: RPCRT4.dll
exception.exception_code: 0xc0000005
exception.offset: 99282
exception.address: 0x75c883d2
success 0 0
1619795600.839875
__exception__
stacktrace:
NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad
NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe
RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x765a100f
GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x7638c8e3
_install+0xa303 @ 0x25afae0
GetPortFromUrlScheme+0x53fe DllGetClassObject-0x1f2 urlmon+0xbc8c @ 0x7771bc8c
CoInternetCreateZoneManager+0x2131 IEDllLoader-0x40f7 urlmon+0x1080e @ 0x7772080e
CoInternetCreateZoneManager+0x22b0 IEDllLoader-0x3f78 urlmon+0x1098d @ 0x7772098d
DllGetClassObject+0x80b CoInternetGetSecurityUrlEx-0x7c4 urlmon+0xc689 @ 0x7771c689
CoInternetCreateSecurityManager+0x14 RevokeBindStatusCallback-0x36b urlmon+0x1f115 @ 0x7772f115
IEInPrivateFilteringEnabled+0x52c8a SetQueryNetSessionCount-0x6d5e3 ieframe+0xbacd2 @ 0x7201acd2
IEInPrivateFilteringEnabled+0x52d1e SetQueryNetSessionCount-0x6d54f ieframe+0xbad66 @ 0x7201ad66
IEInPrivateFilteringEnabled+0x455fe SetQueryNetSessionCount-0x7ac6f ieframe+0xad646 @ 0x7200d646
IEInPrivateFilteringEnabled+0x4545d SetQueryNetSessionCount-0x7ae10 ieframe+0xad4a5 @ 0x7200d4a5
CreateURLMonikerEx+0x3373 FindMediaType-0x1970 urlmon+0x1ad10 @ 0x7772ad10
CreateURLMonikerEx+0x310b FindMediaType-0x1bd8 urlmon+0x1aaa8 @ 0x7772aaa8
CreateURLMonikerEx+0x2aa5 FindMediaType-0x223e urlmon+0x1a442 @ 0x7772a442
CreateURLMonikerEx+0x28d5 FindMediaType-0x240e urlmon+0x1a272 @ 0x7772a272
CreateFormatEnumerator+0x166 CoInternetParseIUri-0x75d urlmon+0x355b6 @ 0x777455b6
IEInPrivateFilteringEnabled+0x452d6 SetQueryNetSessionCount-0x7af97 ieframe+0xad31e @ 0x7200d31e
IEInPrivateFilteringEnabled+0x44bac SetQueryNetSessionCount-0x7b6c1 ieframe+0xacbf4 @ 0x7200cbf4
IEInPrivateFilteringEnabled+0x34ea3 SetQueryNetSessionCount-0x8b3ca ieframe+0x9ceeb @ 0x71ffceeb
IEInPrivateFilteringEnabled+0x34d69 SetQueryNetSessionCount-0x8b504 ieframe+0x9cdb1 @ 0x71ffcdb1
IEInPrivateFilteringEnabled+0x354dd SetQueryNetSessionCount-0x8ad90 ieframe+0x9d525 @ 0x71ffd525
IEInPrivateFilteringEnabled+0x353fc SetQueryNetSessionCount-0x8ae71 ieframe+0x9d444 @ 0x71ffd444
IEInPrivateFilteringEnabled+0x3531a SetQueryNetSessionCount-0x8af53 ieframe+0x9d362 @ 0x71ffd362
IEInPrivateFilteringEnabled+0x351a8 SetQueryNetSessionCount-0x8b0c5 ieframe+0x9d1f0 @ 0x71ffd1f0
IEInPrivateFilteringEnabled+0x350db SetQueryNetSessionCount-0x8b192 ieframe+0x9d123 @ 0x71ffd123
IELaunchURL+0x2887 IEInPrivateFilteringEnabled-0x3216 ieframe+0x64e32 @ 0x71fc4e32
IEInPrivateFilteringEnabled+0xbfef3 SetQueryNetSessionCount-0x37a ieframe+0x127f3b @ 0x72087f3b
IEInPrivateFilteringEnabled+0xbee50 SetQueryNetSessionCount-0x141d ieframe+0x126e98 @ 0x72086e98
IEInPrivateFilteringEnabled+0xbede8 SetQueryNetSessionCount-0x1485 ieframe+0x126e30 @ 0x72086e30
IEInPrivateFilteringEnabled+0xbfdc7 SetQueryNetSessionCount-0x4a6 ieframe+0x127e0f @ 0x72087e0f
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x775a965e
SendMessageW+0x4c GetAncestor-0xc0 user32+0x196c5 @ 0x775a96c5
IELaunchURL+0x28ce IEInPrivateFilteringEnabled-0x31cf ieframe+0x64e79 @ 0x71fc4e79
IELaunchURL+0x1341 IEInPrivateFilteringEnabled-0x475c ieframe+0x638ec @ 0x71fc38ec
IELaunchURL+0x259b IEInPrivateFilteringEnabled-0x3502 ieframe+0x64b46 @ 0x71fc4b46
IELaunchURL+0x29f9 IEInPrivateFilteringEnabled-0x30a4 ieframe+0x64fa4 @ 0x71fc4fa4
IELaunchURL+0x24d5 IEInPrivateFilteringEnabled-0x35c8 ieframe+0x64a80 @ 0x71fc4a80
IELaunchURL+0x2a93 IEInPrivateFilteringEnabled-0x300a ieframe+0x6503e @ 0x71fc503e
SoftwareUpdateMessageBox+0x27896 IEAssociateThreadWithTab-0x2b582 ieframe+0x1f0223 @ 0x72150223
_install+0x1708 @ 0x25a6ee5
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetDC+0x52 ReleaseDC-0x130 user32+0x17316 @ 0x775a7316
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x775a6de8
UnregisterClassW+0x7bc LoadIconW-0xa02 user32+0x1a740 @ 0x775aa740
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77d4011a
UnregisterClassW+0xab8 LoadIconW-0x706 user32+0x1aa3c @ 0x775aaa3c
CreateWindowExW+0x33 RegisterClassW-0x9 user32+0x18a5c @ 0x775a8a5c
_install+0x18c3 @ 0x25a70a0
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 60789728
registers.edi: 1985477242
registers.eax: 1876604162
registers.ebp: 60789768
registers.edx: 0
registers.ebx: 60790868
registers.esi: 1
registers.ecx: 1876604162
exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc
exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2
exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98
exception.module: RPCRT4.dll
exception.exception_code: 0xc0000005
exception.offset: 99282
exception.address: 0x75c883d2
success 0 0
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (50 out of 108 events)
Time & API Arguments Status Return Repeated
1619795579.902125
NtAllocateVirtualMemory
process_identifier: 624
region_size: 172032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00440000
success 0 0
1619795579.902125
NtAllocateVirtualMemory
process_identifier: 624
region_size: 172032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00470000
success 0 0
1619795579.917125
NtProtectVirtualMemory
process_identifier: 624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 184320
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619795579.948125
NtAllocateVirtualMemory
process_identifier: 624
region_size: 159744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02610000
success 0 0
1619795641.105374
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004120000
success 0 0
1619795595.089125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 172032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00530000
success 0 0
1619795595.089125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 172032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00560000
success 0 0
1619795595.120125
NtProtectVirtualMemory
process_identifier: 944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 184320
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619795595.167125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 159744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02590000
success 0 0
1619795595.214125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027f0000
success 0 0
1619795595.214125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02e00000
success 0 0
1619795595.214125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02e10000
success 0 0
1619795595.214125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02dd0000
success 0 0
1619795595.214125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02de0000
success 0 0
1619795595.214125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02df0000
success 0 0
1619795595.214125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02ef0000
success 0 0
1619795595.214125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02f00000
success 0 0
1619795595.214125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02f10000
success 0 0
1619795595.230125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02f20000
success 0 0
1619795595.230125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02f30000
success 0 0
1619795595.230125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02f40000
success 0 0
1619795595.245125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02f50000
success 0 0
1619795595.245125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02f60000
success 0 0
1619795595.245125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02f70000
success 0 0
1619795595.245125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02f80000
success 0 0
1619795595.245125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02f90000
success 0 0
1619795595.245125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02fa0000
success 0 0
1619795595.245125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02fb0000
success 0 0
1619795595.245125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02fc0000
success 0 0
1619795595.245125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02fd0000
success 0 0
1619795595.245125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02fe0000
success 0 0
1619795595.261125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02ec0000
success 0 0
1619795595.261125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02ed0000
success 0 0
1619795595.261125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02ee0000
success 0 0
1619795595.261125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02ff0000
success 0 0
1619795595.261125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03000000
success 0 0
1619795595.261125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03010000
success 0 0
1619795595.261125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03020000
success 0 0
1619795595.261125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03030000
success 0 0
1619795595.261125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03040000
success 0 0
1619795595.261125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03050000
success 0 0
1619795595.261125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03060000
success 0 0
1619795595.261125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03070000
success 0 0
1619795595.261125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03080000
success 0 0
1619795595.261125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03090000
success 0 0
1619795595.261125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x030a0000
success 0 0
1619795595.261125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x030b0000
success 0 0
1619795595.261125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x030c0000
success 0 0
1619795595.277125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02e20000
success 0 0
1619795595.277125
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02e30000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates executable files on the filesystem (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6d031be4.bat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
Creates a service (1 event)
Time & API Arguments Status Return Repeated
1619795593.980125
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x00513ac0
display_name: Security Center Server - 3397899717
error_control: 1
service_name: SecurityCenterServer3397899717
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe"
filepath_r: "C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe"
service_manager_handle: 0x0051f398
desired_access: 983551
service_type: 16
password:
success 5323456 0
Creates a suspicious process (1 event)
cmdline "C:\Windows\system32\cmd.exe" /c "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\tmp6d031be4.bat"
Drops an executable to the user AppData folder (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a6232e5060608d255adb79681bba40cc.exe
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619795605.761875
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (4 events)
entropy 7.911073492629651 section {'size_of_data': '0x00026600', 'virtual_address': '0x00001000', 'entropy': 7.911073492629651, 'name': '.text', 'virtual_size': '0x000265e0'} description A section with a high entropy has been found
entropy 7.850046695792571 section {'size_of_data': '0x00008600', 'virtual_address': '0x0002a000', 'entropy': 7.850046695792571, 'name': '.rdata', 'virtual_size': '0x000085bc'} description A section with a high entropy has been found
entropy 7.79033067751646 section {'size_of_data': '0x00004000', 'virtual_address': '0x00033000', 'entropy': 7.79033067751646, 'name': '.data', 'virtual_size': '0x00003e60'} description A section with a high entropy has been found
entropy 0.9575471698113207 description Overall entropy of this PE file is high
Reads the system's User Agent and subsequently performs requests (1 event)
Time & API Arguments Status Return Repeated
1619795657.245125
InternetOpenA
proxy_bypass:
access_type: 1
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
Terminates another process (2 events)
Time & API Arguments Status Return Repeated
1619795606.261875
NtTerminateProcess
status_code: 0x00000000
process_identifier: 2944
process_handle: 0x000004fc
failed 0 0
1619795606.261875
NtTerminateProcess
status_code: 0x00000000
process_identifier: 2944
process_handle: 0x000004fc
success 0 0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Installs itself for autorun at Windows startup (50 out of 963 events)
service_name SecurityCenterServer3397899717 service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe"
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ubziosunepl reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Zizure\uqetos.exe
Disables proxy possibly for traffic interception (1 event)
Time & API Arguments Status Return Repeated
1619795604.964875
RegSetValueExA
key_handle: 0x000003d8
value: 0
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
success 0 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1619795608.323875
RegSetValueExA
key_handle: 0x000004e4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619795608.323875
RegSetValueExA
key_handle: 0x000004e4
value: 0µ¡=×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619795608.323875
RegSetValueExA
key_handle: 0x000004e4
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619795608.323875
RegSetValueExW
key_handle: 0x000004e4
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619795608.323875
RegSetValueExA
key_handle: 0x0000052c
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619795608.323875
RegSetValueExA
key_handle: 0x0000052c
value: 0µ¡=×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619795608.323875
RegSetValueExA
key_handle: 0x0000052c
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619795608.323875
RegSetValueExW
key_handle: 0x000004e0
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 944 resumed a thread in remote process 200
Time & API Arguments Status Return Repeated
1619795595.745125
NtResumeThread
thread_handle: 0x0000026c
suspend_count: 1
process_identifier: 200
success 0 0
Creates and runs a batch file to remove the original binary (1 event)
file a911398a9fffeace_tmp6d031be4.bat
Zeus P2P (Banking Trojan) (21 events)
mutex Local\{4E4249DC-F657-18E6-CECF-1311648BA253}
mutex Global\{F45B6C97-D31C-A2FF-CECF-1311648BA253}
mutex Global\{1AD6C053-7FD8-4C72-FCA7-A39156E312D3}
mutex Global\{04029AF9-2572-52A6-CECF-1311648BA253}
mutex Local\{65E42CEE-9365-3340-CECF-1311648BA253}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 17431, 'time': 29.760611057281494, 'dport': 5355, 'sport': 49713}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 17759, 'time': 22.06687307357788, 'dport': 5355, 'sport': 51378}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 18087, 'time': 72.04318308830261, 'dport': 5355, 'sport': 53210}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 18407, 'time': 24.619874954223633, 'dport': 5355, 'sport': 53237}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 18735, 'time': 10.337968111038208, 'dport': 5355, 'sport': 55368}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 19055, 'time': 4.126904010772705, 'dport': 5355, 'sport': 56804}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 19391, 'time': 19.479387998580933, 'dport': 5355, 'sport': 58367}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 19719, 'time': 48.41240191459656, 'dport': 5355, 'sport': 61680}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 20039, 'time': 6.122947931289673, 'dport': 5355, 'sport': 62191}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 20375, 'time': 27.198478937149048, 'dport': 5355, 'sport': 62318}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 20703, 'time': 16.90907096862793, 'dport': 5355, 'sport': 65004}
udp {'src': '192.168.56.101', 'dst': '239.255.255.250', 'offset': 21031, 'time': 4.60581111907959, 'dport': 1900, 'sport': 1900}
udp {'src': '192.168.56.101', 'dst': '239.255.255.250', 'offset': 40441, 'time': 22.65121603012085, 'dport': 3702, 'sport': 51379}
udp {'src': '192.168.56.101', 'dst': '239.255.255.250', 'offset': 43297, 'time': 10.560724973678589, 'dport': 3702, 'sport': 55369}
udp {'src': '192.168.56.101', 'dst': '239.255.255.250', 'offset': 46025, 'time': 6.541311025619507, 'dport': 1900, 'sport': 56807}
udp {'src': '192.168.56.101', 'dst': '239.255.255.250', 'offset': 53211, 'time': 4.136618137359619, 'dport': 3702, 'sport': 58707}
Generates some ICMP traffic
File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Razy.720335
FireEye Generic.mg.a6232e5060608d25
ALYac Gen:Variant.Razy.720335
Cylance Unsafe
Zillya Trojan.Yakes.Win32.15352
AegisLab Trojan.Win32.Yakes.4!c
Sangfor Malware
K7AntiVirus Riskware ( 0040eff71 )
BitDefender Gen:Variant.Razy.720335
K7GW Riskware ( 0040eff71 )
CrowdStrike win/malicious_confidence_100% (W)
BitDefenderTheta Gen:NN.ZexaF.34670.ny1@a0Am4BeS
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Kryptik.AZDE
APEX Malicious
Avast Win32:Downloader-TAL [Trj]
Kaspersky Trojan.Win32.Yakes.cpbi
NANO-Antivirus Trojan.Win32.Yakes.cuwhee
Ad-Aware Gen:Variant.Razy.720335
Emsisoft Gen:Variant.Razy.720335 (B)
Comodo TrojWare.Win32.Kryptik.AZRE@4xkxxy
F-Secure Heuristic.HEUR/AGEN.1114196
VIPRE Trojan.Win32.Encpk.abf (v)
TrendMicro TROJ_YAKES.AEM
McAfee-GW-Edition BehavesLike.Win32.Rootkit.dc
Sophos Mal/Generic-S
Ikarus Trojan.Win32.Yakes
GData Gen:Variant.Razy.720335
Webroot Trojan.Dropper.Gen
Avira HEUR/AGEN.1114196
MAX malware (ai score=84)
Antiy-AVL Trojan/Win32.Yakes
Kingsoft Win32.Troj.Yakes.cp.(kcloud)
Arcabit Trojan.Razy.DAFDCF
SUPERAntiSpyware Trojan.Agent/Gen-IRCBot
AhnLab-V3 Trojan/Win32.Tepfer.R64076
ZoneAlarm Trojan.Win32.Yakes.cpbi
Microsoft PWS:Win32/Zbot
Cynet Malicious (score: 100)
Acronis suspicious
McAfee Agent-FCC!A6232E506060
TACHYON Trojan/W32.Yakes.219247
Malwarebytes Backdoor.Agent.RND
Panda Generic Malware
TrendMicro-HouseCall TROJ_YAKES.AEM
Rising Malware.Undefined!8.C (TFE:1:5hQhJn1KTlU)
Yandex Trojan.Yakes!hUy1iZkBPRw
SentinelOne Static AI - Malicious PE
Connects to IP addresses that are no longer responding to requests (legitimate services will usually remain up and running) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while this sample ran

PE Compile Time

2011-01-18 08:43:19

Imports

Library KERNEL32.dll:
0x42c128 GetNumberFormatA
0x42c12c GetVolumePathNameA
0x42c134 GetStringTypeW
0x42c138 LZOpenFileW
0x42c140 EnumSystemLocalesW
0x42c148 Module32First
0x42c14c OpenEventA
0x42c15c GetComputerNameExA
0x42c160 OpenEventW
0x42c164 GetTapePosition
0x42c16c VirtualProtectEx
0x42c170 CreateEventA
0x42c180 GetCPInfo
0x42c184 EnumUILanguagesW
0x42c188 _lwrite
0x42c18c HeapDestroy
0x42c190 LoadLibraryA
0x42c198 AddAtomW
0x42c19c WriteFile
0x42c1a4 DisconnectNamedPipe
0x42c1a8 UpdateResourceW
0x42c1b0 InitializeSListHead
0x42c1b8 GetGeoInfoW
Library COMCTL32.dll:
0x42c234 DrawStatusText
0x42c238 DrawInsert
0x42c23c CreateStatusWindow
0x42c240 MakeDragList
0x42c244 ImageList_SetFilter
0x42c254 ImageList_Replace
0x42c258 DrawStatusTextA
0x42c260 ImageList_LoadImage
Library NTDLL.dll:
0x42c290 RtlAreBitsClear
0x42c29c RtlGetUserInfoHeap
0x42c2a4 NtSetInformationKey
0x42c2ac wcslen
0x42c2b0 NtRestoreKey
0x42c2b4 iswxdigit
0x42c2b8 RtlAddCompoundAce
0x42c2c0 _snwprintf
0x42c2c4 RtlSubAuthoritySid
0x42c2d0 ZwRequestPort
0x42c2d4 NtDeleteKey
0x42c2d8 wcscspn
0x42c2dc strpbrk
0x42c2e4 RtlReAllocateHeap
0x42c2ec NtGetContextThread
0x42c300 ZwLoadKey
Library OLE32.dll:
0x42c30c OleRegGetUserType
0x42c310 WriteClassStg
0x42c31c CoGetCurrentProcess
0x42c324 MkParseDisplayName
0x42c328 OleDuplicateData
0x42c32c HWND_UserFree
0x42c330 HPALETTE_UserFree

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57236 114.114.114.114 53
192.168.56.101 58970 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.