Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 14, 2023, 5:02 p.m.	May 14, 2023, 5:07 p.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`72361b9ac961ae2ec3e94022f1ccb0a6`
SHA256	`9f11fafedd2431c67115fc8b1eea3acd087802f5a3770a0a57906231726cae89`
CRC32	`953FB7E3`
ssdeep	`24576:5ygV7gU38KOObckOMCYOMSNdA3kLfycOBVh1YWNmo:sgiUlOUckOMCBiUTyvY`
PDB Path	wextract.pdb
Yara	UPX_Zero - UPX packed file Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet Malicious_Library_Zero - Malicious_Library CAB_file_format - CAB archive file PE_Header_Zero - PE File Signature IsPE32 - (no description) Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet

lega.exe "C:\Users\test22\AppData\Local\Temp\lega.exe"
2552
- z2427314.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\z2427314.exe
  2604
  - z4621129.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\z4621129.exe
    2680
    - o4121760.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\o4121760.exe
      2736
    - p7935157.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\p7935157.exe
      2892
  - r4381038.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\r4381038.exe
    2964
    - r4381038.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\r4381038.exe
      3032
- s9868492.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\s9868492.exe
  1404

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.161.248.75	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (14 events)

Time & API	Arguments	Status	Return
GetComputerNameA May 14, 2023, 5:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (12 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 14, 2023, 5:02 p.m.			0	0
IsDebuggerPresent May 14, 2023, 5:02 p.m.			0	0
IsDebuggerPresent May 14, 2023, 5:02 p.m.			0	0
IsDebuggerPresent May 14, 2023, 5:02 p.m.			0	0
IsDebuggerPresent May 14, 2023, 5:02 p.m.			0	0
IsDebuggerPresent May 14, 2023, 5:02 p.m.			0	0
IsDebuggerPresent May 14, 2023, 5:02 p.m.			0	0
IsDebuggerPresent May 14, 2023, 5:02 p.m.			0	0
IsDebuggerPresent May 14, 2023, 5:02 p.m.			0	0
IsDebuggerPresent May 14, 2023, 5:02 p.m.			0	0
IsDebuggerPresent May 14, 2023, 5:02 p.m.			0	0
IsDebuggerPresent May 14, 2023, 5:02 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (23 events)

Time & API	Arguments	Status	Return
CryptExportKey May 14, 2023, 5:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00520ad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00520ad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00520b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00520b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00520bd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00520bd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067aca8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067aca8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067aca8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067aca8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ac28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ac28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ac28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ac28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ac28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ac28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ac28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ace8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ace8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067aea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 14, 2023, 5:02 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more processes crashed (38 events)

Time & API	Arguments	Status
__exception__ May 14, 2023, 5:02 p.m.	stacktrace: o4121760+0x1fa2 @ 0x401fa2 exception.instruction_r: f3 aa 8b 45 f0 8b 4d 08 8b 55 10 03 c8 2b d0 52 exception.symbol: o4121760+0xf088 exception.instruction: stosb byte ptr es:[edi], al exception.module: o4121760.exe exception.exception_code: 0xc0000005 exception.offset: 61576 exception.address: 0x40f088 registers.esp: 1636996 registers.edi: 4350244 registers.eax: 0 registers.ebp: 1637012 registers.edx: 0 registers.ebx: 0 registers.esi: 36514632 registers.ecx: 12	1
__exception__ May 14, 2023, 5:02 p.m.	stacktrace: o4121760+0xf054 @ 0x40f054 o4121760+0xf0a0 @ 0x40f0a0 o4121760+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: o4121760+0xefff exception.address: 0x40efff exception.module: o4121760.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4353968 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 23 registers.ebx: 0 registers.esi: 36514632 registers.ecx: 343	1
__exception__ May 14, 2023, 5:02 p.m.	stacktrace: o4121760+0xf054 @ 0x40f054 o4121760+0xf0a0 @ 0x40f0a0 o4121760+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: o4121760+0xefff exception.address: 0x40efff exception.module: o4121760.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4358064 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 23 registers.ebx: 0 registers.esi: 36514632 registers.ecx: 311	1
__exception__ May 14, 2023, 5:02 p.m.	stacktrace: o4121760+0xf054 @ 0x40f054 o4121760+0xf0a0 @ 0x40f0a0 o4121760+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: o4121760+0xefff exception.address: 0x40efff exception.module: o4121760.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4362160 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 23 registers.ebx: 0 registers.esi: 36514632 registers.ecx: 279	1
__exception__ May 14, 2023, 5:02 p.m.	stacktrace: o4121760+0xf054 @ 0x40f054 o4121760+0xf0a0 @ 0x40f0a0 o4121760+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: o4121760+0xefff exception.address: 0x40efff exception.module: o4121760.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4366256 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 23 registers.ebx: 0 registers.esi: 36514632 registers.ecx: 247	1
__exception__ May 14, 2023, 5:02 p.m.	stacktrace: o4121760+0xf054 @ 0x40f054 o4121760+0xf0a0 @ 0x40f0a0 o4121760+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: o4121760+0xefff exception.address: 0x40efff exception.module: o4121760.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4370352 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 23 registers.ebx: 0 registers.esi: 36514632 registers.ecx: 215	1
__exception__ May 14, 2023, 5:02 p.m.	stacktrace: o4121760+0xf054 @ 0x40f054 o4121760+0xf0a0 @ 0x40f0a0 o4121760+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: o4121760+0xefff exception.address: 0x40efff exception.module: o4121760.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4374448 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 23 registers.ebx: 0 registers.esi: 36514632 registers.ecx: 183	1
__exception__ May 14, 2023, 5:02 p.m.	stacktrace: o4121760+0xf054 @ 0x40f054 o4121760+0xf0a0 @ 0x40f0a0 o4121760+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: o4121760+0xefff exception.address: 0x40efff exception.module: o4121760.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4378544 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 23 registers.ebx: 0 registers.esi: 36514632 registers.ecx: 151	1
__exception__ May 14, 2023, 5:02 p.m.	stacktrace: o4121760+0xf054 @ 0x40f054 o4121760+0xf0a0 @ 0x40f0a0 o4121760+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: o4121760+0xefff exception.address: 0x40efff exception.module: o4121760.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4382640 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 23 registers.ebx: 0 registers.esi: 36514632 registers.ecx: 119	1
__exception__ May 14, 2023, 5:02 p.m.	stacktrace: o4121760+0xf054 @ 0x40f054 o4121760+0xf0a0 @ 0x40f0a0 o4121760+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: o4121760+0xefff exception.address: 0x40efff exception.module: o4121760.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4386736 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 23 registers.ebx: 0 registers.esi: 36514632 registers.ecx: 87	1
__exception__ May 14, 2023, 5:02 p.m.	stacktrace: o4121760+0xf054 @ 0x40f054 o4121760+0xf0a0 @ 0x40f0a0 o4121760+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: o4121760+0xefff exception.address: 0x40efff exception.module: o4121760.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4390832 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 23 registers.ebx: 0 registers.esi: 36514632 registers.ecx: 55	1
__exception__ May 14, 2023, 5:02 p.m.	stacktrace: o4121760+0xf054 @ 0x40f054 o4121760+0xf0a0 @ 0x40f0a0 o4121760+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: o4121760+0xefff exception.address: 0x40efff exception.module: o4121760.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4394928 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 23 registers.ebx: 0 registers.esi: 36514632 registers.ecx: 23	1
__exception__ May 14, 2023, 5:02 p.m.	stacktrace: 0x5874cc 0x5873ee 0x582505 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5875c0 registers.esp: 3402328 registers.edi: 3402380 registers.eax: 0 registers.ebp: 3402392 registers.edx: 6526856 registers.ebx: 3403276 registers.esi: 46561108 registers.ecx: 0	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb1cae 0x5cb1b6f 0x5cb1a6d 0x5cb06ca 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 f0 35 d2 00 89 85 4c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb25b6 registers.esp: 3401172 registers.edi: 3401396 registers.eax: 0 registers.ebp: 3401408 registers.edx: 13776000 registers.ebx: 3403276 registers.esi: 47289628 registers.ecx: 0	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb5e00 0x5cb20e3 0x5cb1b6f 0x5cb1a6d 0x5cb06ca 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb5e43 registers.esp: 3401384 registers.edi: 3401672 registers.eax: 0 registers.ebp: 3401392 registers.edx: 0 registers.ebx: 3403276 registers.esi: 47289628 registers.ecx: 48539004	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb1cae 0x5cb1b6f 0x5cb1a85 0x5cb06ca 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 f0 35 d2 00 89 85 4c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb25b6 registers.esp: 3401172 registers.edi: 3401396 registers.eax: 0 registers.ebp: 3401408 registers.edx: 13776000 registers.ebx: 3403276 registers.esi: 47289628 registers.ecx: 0	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb5e00 0x5cb20e3 0x5cb1b6f 0x5cb1a85 0x5cb06ca 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb5e43 registers.esp: 3401384 registers.edi: 3401672 registers.eax: 0 registers.ebp: 3401392 registers.edx: 0 registers.ebx: 3403276 registers.esi: 47289628 registers.ecx: 46278084	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb1cae 0x5cb1b6f 0x5cb1a85 0x5cb06ca 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 f0 35 d2 00 89 85 4c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb25b6 registers.esp: 3401172 registers.edi: 3401396 registers.eax: 0 registers.ebp: 3401408 registers.edx: 13776000 registers.ebx: 3403276 registers.esi: 46263764 registers.ecx: 0	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb5e00 0x5cb20e3 0x5cb1b6f 0x5cb1a85 0x5cb06ca 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb5e43 registers.esp: 3401384 registers.edi: 3401672 registers.eax: 0 registers.ebp: 3401392 registers.edx: 0 registers.ebx: 3403276 registers.esi: 46263764 registers.ecx: 46485452	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb6284 0x5cb6130 0x5cb1a6d 0x5cb0968 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 f0 35 d2 00 89 85 4c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb25b6 registers.esp: 3401176 registers.edi: 3401400 registers.eax: 0 registers.ebp: 3401412 registers.edx: 13776000 registers.ebx: 3403276 registers.esi: 46248012 registers.ecx: 0	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb5e00 0x5cb666f 0x5cb6130 0x5cb1a6d 0x5cb0968 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb5e43 registers.esp: 3401388 registers.edi: 3401700 registers.eax: 0 registers.ebp: 3401396 registers.edx: 0 registers.ebx: 3403276 registers.esi: 46248012 registers.ecx: 47919856	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb6284 0x5cb6130 0x5cb1a85 0x5cb0968 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 f0 35 d2 00 89 85 4c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb25b6 registers.esp: 3401176 registers.edi: 3401400 registers.eax: 0 registers.ebp: 3401412 registers.edx: 13776000 registers.ebx: 3403276 registers.esi: 46248012 registers.ecx: 0	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb5e00 0x5cb666f 0x5cb6130 0x5cb1a85 0x5cb0968 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb5e43 registers.esp: 3401388 registers.edi: 3401700 registers.eax: 0 registers.ebp: 3401396 registers.edx: 0 registers.ebx: 3403276 registers.esi: 46248012 registers.ecx: 49268776	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb6284 0x5cb6130 0x5cb1a85 0x5cb0968 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 f0 35 d2 00 89 85 4c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb25b6 registers.esp: 3401176 registers.edi: 3401400 registers.eax: 0 registers.ebp: 3401412 registers.edx: 13776000 registers.ebx: 3403276 registers.esi: 46248012 registers.ecx: 0	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb5e00 0x5cb666f 0x5cb6130 0x5cb1a85 0x5cb0968 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb5e43 registers.esp: 3401388 registers.edi: 3401700 registers.eax: 0 registers.ebp: 3401396 registers.edx: 0 registers.ebx: 3403276 registers.esi: 46248012 registers.ecx: 50617696	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb6963 0x5cb67e8 0x5cb1a6d 0x5cb0a67 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 f0 35 d2 00 89 85 4c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb25b6 registers.esp: 3401188 registers.edi: 3401412 registers.eax: 0 registers.ebp: 3401424 registers.edx: 13776000 registers.ebx: 3403276 registers.esi: 46248012 registers.ecx: 0	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb5e00 0x5cb6d03 0x5cb67e8 0x5cb1a6d 0x5cb0a67 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb5e43 registers.esp: 3401400 registers.edi: 3401700 registers.eax: 0 registers.ebp: 3401408 registers.edx: 0 registers.ebx: 3403276 registers.esi: 46248012 registers.ecx: 47710984	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb6963 0x5cb67e8 0x5cb1a85 0x5cb0a67 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 f0 35 d2 00 89 85 4c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb25b6 registers.esp: 3401188 registers.edi: 3401412 registers.eax: 0 registers.ebp: 3401424 registers.edx: 13776000 registers.ebx: 3403276 registers.esi: 46248012 registers.ecx: 0	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb5e00 0x5cb6d03 0x5cb67e8 0x5cb1a85 0x5cb0a67 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb5e43 registers.esp: 3401400 registers.edi: 3401700 registers.eax: 0 registers.ebp: 3401408 registers.edx: 0 registers.ebx: 3403276 registers.esi: 46248012 registers.ecx: 47434504	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb6963 0x5cb67e8 0x5cb1a85 0x5cb0a67 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 f0 35 d2 00 89 85 4c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb25b6 registers.esp: 3401188 registers.edi: 3401412 registers.eax: 0 registers.ebp: 3401424 registers.edx: 13776000 registers.ebx: 3403276 registers.esi: 46248012 registers.ecx: 0	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb5e00 0x5cb6d03 0x5cb67e8 0x5cb1a85 0x5cb0a67 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb5e43 registers.esp: 3401400 registers.edi: 3401700 registers.eax: 0 registers.ebp: 3401408 registers.edx: 0 registers.ebx: 3403276 registers.esi: 46248012 registers.ecx: 49000304	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb7093 0x5cb6f60 0x5cb1a6d 0x5cb0b54 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 f0 35 d2 00 89 85 4c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb25b6 registers.esp: 3401272 registers.edi: 3401496 registers.eax: 0 registers.ebp: 3401508 registers.edx: 13776000 registers.ebx: 3403276 registers.esi: 46248012 registers.ecx: 0	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb5e00 0x5cb72b5 0x5cb6f60 0x5cb1a6d 0x5cb0b54 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb5e43 registers.esp: 3401484 registers.edi: 3401700 registers.eax: 0 registers.ebp: 3401492 registers.edx: 0 registers.ebx: 3403276 registers.esi: 46248012 registers.ecx: 47791704	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb7093 0x5cb6f60 0x5cb1a85 0x5cb0b54 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 f0 35 d2 00 89 85 4c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb25b6 registers.esp: 3401272 registers.edi: 3401496 registers.eax: 0 registers.ebp: 3401508 registers.edx: 13776000 registers.ebx: 3403276 registers.esi: 46248012 registers.ecx: 0	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb5e00 0x5cb72b5 0x5cb6f60 0x5cb1a85 0x5cb0b54 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb5e43 registers.esp: 3401484 registers.edi: 3401700 registers.eax: 0 registers.ebp: 3401492 registers.edx: 0 registers.ebx: 3403276 registers.esi: 46248012 registers.ecx: 47226244	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb7093 0x5cb6f60 0x5cb1a85 0x5cb0b54 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 f0 35 d2 00 89 85 4c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb25b6 registers.esp: 3401272 registers.edi: 3401496 registers.eax: 0 registers.ebp: 3401508 registers.edx: 13776000 registers.ebx: 3403276 registers.esi: 46248012 registers.ecx: 0	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb5e00 0x5cb72b5 0x5cb6f60 0x5cb1a85 0x5cb0b54 0x58f326 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb5e43 registers.esp: 3401484 registers.edi: 3401700 registers.eax: 0 registers.ebp: 3401492 registers.edx: 0 registers.ebx: 3403276 registers.esi: 46248012 registers.ecx: 46540556	1
__exception__ May 14, 2023, 5:03 p.m.	stacktrace: 0x5cb5e00 0x5cb81e3 0x5cb7a3a 0x58f354 0x587cbf 0x5825cd 0x5820de 0x5805c8 0x580094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cb5e43 registers.esp: 3401860 registers.edi: 3402076 registers.eax: 0 registers.ebp: 3401868 registers.edx: 0 registers.ebx: 3403276 registers.esi: 47064508 registers.ecx: 47071484	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 181 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72df1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72de2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d12000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726bb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726d2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02570000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73271000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0229b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02297000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x715ea000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ce0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02295000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7325f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ce1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ce8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02286000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0228a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02287000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ce9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ced000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2892 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72cc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7266b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72681000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72682000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 2892 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (6 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW May 14, 2023, 5:02 p.m.	number_of_free_clusters: 3252778 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 14, 2023, 5:02 p.m.	number_of_free_clusters: 3252778 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 14, 2023, 5:02 p.m.	number_of_free_clusters: 3252361 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 14, 2023, 5:02 p.m.	number_of_free_clusters: 3252361 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 14, 2023, 5:02 p.m.	number_of_free_clusters: 3252057 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 14, 2023, 5:02 p.m.	number_of_free_clusters: 3252057 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\z4621129.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\r4381038.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\p7935157.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\s9868492.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\z2427314.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\o4121760.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\s9868492.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\z2427314.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00116000', u'virtual_address': u'0x0000c000', u'entropy': 7.965470158304455, u'name': u'.rsrc', u'virtual_size': u'0x00116000'}

entropy

7.9654701583

description

A section with a high entropy has been found

entropy

0.971603320227

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW May 14, 2023, 5:02 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 5:02 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 5:02 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (11 events)

description	RedLine stealer	rule	RedLine_Stealer_m_Zero
description	Communications smtp	rule	Network_SMTP_dotNet
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002d8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: AddressBook base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: Connection Manager base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: DirectDrawEx base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: EditPlus base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: ENTERPRISE base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: Fontcore base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: Google Chrome base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: IE40 base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: IE4Data base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: IE5BAKEX base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: IEData base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: MobileOptionPack base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: SchedulingAgent base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: WIC base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW May 14, 2023, 5:03 p.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x000002d8 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (1 event)

host

185.161.248.75

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 3032 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002bc	1	0	0

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService May 14, 2023, 5:02 p.m.	service_handle: 0x0053bd18 service_name: WinDefend control_code: 1		0	0
ControlService May 14, 2023, 5:02 p.m.	service_handle: 0x0053c088 service_name: wuauserv control_code: 1		0	0

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW May 14, 2023, 5:03 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2964 called NtSetContextThread to modify thread in remote process 3032
NtSetContextThread May 14, 2023, 5:02 p.m.	registers.eip: 1995571652 registers.esp: 3405944 registers.edi: 0 registers.eax: 4310014 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b8 process_identifier: 3032	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2964 resumed a thread in remote process 3032
NtResumeThread May 14, 2023, 5:02 p.m.	thread_handle: 0x000002b8 suspend_count: 1 process_identifier: 3032	1	0	0

Disables Windows Security features (6 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

Executed a process and injected code into it, probably while unpacking (41 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW May 14, 2023, 5:02 p.m.	thread_identifier: 2608 thread_handle: 0x0000001c process_identifier: 2604 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\z2427314.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000124	1	1
CreateProcessInternalW May 14, 2023, 5:02 p.m.	thread_identifier: 800 thread_handle: 0x00000124 process_identifier: 1404 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\s9868492.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW May 14, 2023, 5:02 p.m.	thread_identifier: 2684 thread_handle: 0x0000001c process_identifier: 2680 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\z4621129.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000124	1	1
CreateProcessInternalW May 14, 2023, 5:02 p.m.	thread_identifier: 2968 thread_handle: 0x00000124 process_identifier: 2964 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\r4381038.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW May 14, 2023, 5:02 p.m.	thread_identifier: 2740 thread_handle: 0x0000001c process_identifier: 2736 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP002.TMP\o4121760.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000124	1	1
CreateProcessInternalW May 14, 2023, 5:02 p.m.	thread_identifier: 2896 thread_handle: 0x00000124 process_identifier: 2892 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP002.TMP\p7935157.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
NtResumeThread May 14, 2023, 5:02 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2736	1	0
NtResumeThread May 14, 2023, 5:02 p.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 2736	1	0
NtResumeThread May 14, 2023, 5:02 p.m.	thread_handle: 0x00000244 suspend_count: 1 process_identifier: 2736	1	0
NtResumeThread May 14, 2023, 5:02 p.m.	thread_handle: 0x00000184 suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread May 14, 2023, 5:02 p.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread May 14, 2023, 5:02 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread May 14, 2023, 5:02 p.m.	thread_handle: 0x00000184 suspend_count: 1 process_identifier: 2964	1	0
NtResumeThread May 14, 2023, 5:02 p.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 2964	1	0
NtResumeThread May 14, 2023, 5:02 p.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 2964	1	0
NtResumeThread May 14, 2023, 5:02 p.m.	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 2964	1	0
NtGetContextThread May 14, 2023, 5:02 p.m.	thread_handle: 0x00000188	1	0
NtGetContextThread May 14, 2023, 5:02 p.m.	thread_handle: 0x00000188	1	0
NtResumeThread May 14, 2023, 5:02 p.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 2964	1	0
NtResumeThread May 14, 2023, 5:02 p.m.	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 2964	1	0
NtResumeThread May 14, 2023, 5:02 p.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 2964	1	0
CreateProcessInternalW May 14, 2023, 5:02 p.m.	thread_identifier: 3036 thread_handle: 0x000002b8 process_identifier: 3032 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\r4381038.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x000002bc	1	1
NtUnmapViewOfSection May 14, 2023, 5:02 p.m.	base_address: 0x00400000 region_size: 4194304 process_identifier: 3032 process_handle: 0x000002bc		3221225497
NtAllocateVirtualMemory May 14, 2023, 5:02 p.m.	process_identifier: 3032 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002bc	1	0
NtGetContextThread May 14, 2023, 5:02 p.m.	thread_handle: 0x000002b8	1	0
NtSetContextThread May 14, 2023, 5:02 p.m.	registers.eip: 1995571652 registers.esp: 3405944 registers.edi: 0 registers.eax: 4310014 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b8 process_identifier: 3032	1	0
NtResumeThread May 14, 2023, 5:02 p.m.	thread_handle: 0x000002b8 suspend_count: 1 process_identifier: 3032	1	0
NtResumeThread May 14, 2023, 5:02 p.m.	thread_handle: 0x00000184 suspend_count: 1 process_identifier: 3032	1	0
NtResumeThread May 14, 2023, 5:02 p.m.	thread_handle: 0x000001f4 suspend_count: 1 process_identifier: 3032	1	0
NtResumeThread May 14, 2023, 5:02 p.m.	thread_handle: 0x0000024c suspend_count: 1 process_identifier: 3032	1	0
NtResumeThread May 14, 2023, 5:03 p.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 3032	1	0
NtGetContextThread May 14, 2023, 5:03 p.m.	thread_handle: 0x00000188	1	0
NtGetContextThread May 14, 2023, 5:03 p.m.	thread_handle: 0x00000188	1	0
NtResumeThread May 14, 2023, 5:03 p.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 3032	1	0
NtGetContextThread May 14, 2023, 5:03 p.m.	thread_handle: 0x00000188	1	0
NtGetContextThread May 14, 2023, 5:03 p.m.	thread_handle: 0x00000188	1	0
NtResumeThread May 14, 2023, 5:03 p.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 3032	1	0
NtResumeThread May 14, 2023, 5:02 p.m.	thread_handle: 0x00000184 suspend_count: 1 process_identifier: 1404	1	0
NtResumeThread May 14, 2023, 5:02 p.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 1404	1	0
NtResumeThread May 14, 2023, 5:02 p.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 1404	1	0
NtResumeThread May 14, 2023, 5:02 p.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 1404	1	0

lega.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All