Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 7, 2023, 8:30 a.m.	Aug. 7, 2023, 8:34 a.m.

Size	556.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`08141df58f30575861b2c703dc47c3a9`
SHA256	`70a169b2a7a3f5eb2f8b99080abaea138453191dfd87241d5ae63f889cad9bbb`
CRC32	`DA05930B`
ssdeep	`12288:QMrAy904vIK2gLWUaj1Ph7QLxSpSY/6MRbUN4NXDT4By0+h:AyjxLEh79EqIN4dDT45I`
PDB Path	wextract.pdb
Yara	UPX_Zero - UPX packed file Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet CAB_file_format - CAB archive file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet IsPE32 - (no description)

fotod250.exe "C:\Users\test22\AppData\Local\Temp\fotod250.exe"
2548
- y2957799.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\y2957799.exe
  2600
  - y3402055.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\y3402055.exe
    2680
    - k2171433.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\k2171433.exe
      2724
    - l6830188.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\l6830188.exe
      2912
      - pdates.exe "C:\Users\test22\AppData\Local\Temp\925e7e99c5\pdates.exe"
        3020
        
        schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\test22\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
        800
        
        cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "test22:N"&&CACLS "pdates.exe" /P "test22:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "test22:N"&&CACLS "..\925e7e99c5" /P "test22:R" /E&&Exit
        2064
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2252
        
        cacls.exe CACLS "pdates.exe" /P "test22:N"
        2260
        
        cacls.exe CACLS "pdates.exe" /P "test22:R" /E
        2452
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2532
        
        cacls.exe CACLS "..\925e7e99c5" /P "test22:N"
        2616
        
        cacls.exe CACLS "..\925e7e99c5" /P "test22:R" /E
        2644
        
        foto5566.exe "C:\Users\test22\AppData\Local\Temp\1000022051\foto5566.exe"
        232
        
        x1934863.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\x1934863.exe
        884
        
        x3988171.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\x3988171.exe
        1792
        
        g5143125.exe C:\Users\test22\AppData\Local\Temp\IXP004.TMP\g5143125.exe
        2892
        
        h4851432.exe C:\Users\test22\AppData\Local\Temp\IXP004.TMP\h4851432.exe
        2300
        
        i7766938.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\i7766938.exe
        2900
        
        j6343316.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\j6343316.exe
        2316
        
        fotod250.exe "C:\Users\test22\AppData\Local\Temp\1000023051\fotod250.exe"
        3004
        
        y9567341.exe C:\Users\test22\AppData\Local\Temp\IXP005.TMP\y9567341.exe
        2056
        
        y1500242.exe C:\Users\test22\AppData\Local\Temp\IXP006.TMP\y1500242.exe
        2180
        
        k6606455.exe C:\Users\test22\AppData\Local\Temp\IXP007.TMP\k6606455.exe
        1728
        
        l1961203.exe C:\Users\test22\AppData\Local\Temp\IXP007.TMP\l1961203.exe
        2660
        
        m4182332.exe C:\Users\test22\AppData\Local\Temp\IXP006.TMP\m4182332.exe
        192
        
        du.exe "C:\Users\test22\AppData\Local\Temp\1000024051\du.exe"
        2536
        
        faman.exe "C:\Users\test22\AppData\Local\Temp\1000025051\faman.exe"
        284
        
        regsvr32.exe "C:\Windows\System32\regsvr32.exe" -s .\POie8R5J.7
        1320
        
        rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        2916
  - m5117723.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\m5117723.exe
    3068
- n8652199.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\n8652199.exe
  2648
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
77.91.124.156	Active	Moloch
77.91.68.1	Active	Moloch
77.91.68.3	Active	Moloch
77.91.68.61	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49177 -> 77.91.124.156:19071	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.156:19071	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 77.91.124.156:19071 -> 192.168.56.101:49177	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49180 -> 77.91.68.1:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 77.91.68.61:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 77.91.68.61:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.124.156:19071 -> 192.168.56.101:49177	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.68.1:80 -> 192.168.56.101:49180	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.68.1:80 -> 192.168.56.101:49180	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.68.1:80 -> 192.168.56.101:49180	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49193 -> 77.91.68.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.68.3:80 -> 192.168.56.101:49193	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.68.3:80 -> 192.168.56.101:49193	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.68.3:80 -> 192.168.56.101:49193	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49184 -> 77.91.68.61:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49187 -> 77.91.68.1:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.68.1:80 -> 192.168.56.101:49187	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.68.1:80 -> 192.168.56.101:49187	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.68.1:80 -> 192.168.56.101:49187	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49201 -> 77.91.124.156:19071	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49201 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49201 -> 77.91.124.156:19071	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 77.91.124.156:19071 -> 192.168.56.101:49201	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.101:49201 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49201 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.124.156:19071 -> 192.168.56.101:49201	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.101:49201 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49201 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49201 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49201 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49201 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49207 -> 77.91.68.61:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49201 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49201 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49201 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49201 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49201 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49201 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49201 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49201 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49207 -> 77.91.68.61:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49201 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49201 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49201 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49201 -> 77.91.124.156:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.68.61:80 -> 192.168.56.101:49207	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.68.61:80 -> 192.168.56.101:49207	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.68.61:80 -> 192.168.56.101:49207	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.101:49184 -> 77.91.68.61:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49187 -> 77.91.68.1:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49187 -> 77.91.68.1:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.101:49184 -> 77.91.68.61:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49197 -> 77.91.68.61:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 77.91.68.1:80 -> 192.168.56.101:49187	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.68.1:80 -> 192.168.56.101:49187	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (27 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2023, 8:31 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (13 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 7, 2023, 8:30 a.m.			0	0
IsDebuggerPresent Aug. 7, 2023, 8:30 a.m.			0	0
IsDebuggerPresent Aug. 7, 2023, 8:30 a.m.			0	0
IsDebuggerPresent Aug. 7, 2023, 8:30 a.m.			0	0
IsDebuggerPresent Aug. 7, 2023, 8:31 a.m.			0	0
IsDebuggerPresent Aug. 7, 2023, 8:31 a.m.			0	0
IsDebuggerPresent Aug. 7, 2023, 8:31 a.m.			0	0
IsDebuggerPresent Aug. 7, 2023, 8:31 a.m.			0	0
IsDebuggerPresent Aug. 7, 2023, 8:31 a.m.			0	0
IsDebuggerPresent Aug. 7, 2023, 8:31 a.m.			0	0
IsDebuggerPresent Aug. 7, 2023, 8:31 a.m.			0	0
IsDebuggerPresent Aug. 7, 2023, 8:31 a.m.			0	0
IsDebuggerPresent Aug. 7, 2023, 8:31 a.m.			0	0

Command line console output was observed (50 out of 79 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 7, 2023, 8:30 a.m.	buffer: SUCCESS: The scheduled task "pdates.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Aug. 7, 2023, 8:30 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\925e7e99c5\pdates.exe console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Aug. 7, 2023, 8:30 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\925e7e99c5\pdates.exe console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 8:30 a.m.	buffer: r console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (34 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 7, 2023, 8:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077b5a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077b5a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077b5a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077b5a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077b620 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077b620 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077b520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077b520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077b520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077b520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077b520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077b5a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077b5a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077b7a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077c060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077c060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077bf20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069cb60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069cb60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069cb60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069cb60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069cbe0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069cbe0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069cae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069cae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069cae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069cae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069cae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069cb60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069cb60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069cd60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069d620 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069d620 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 8:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069d4e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 7, 2023, 8:30 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more processes crashed (50 out of 52 events)

Time & API	Arguments	Status
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x5dd329 0x5dd12b 0x5d7710 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5dd460 registers.esp: 3600116 registers.edi: 3600168 registers.eax: 0 registers.ebp: 3600180 registers.edx: 7706600 registers.ebx: 3601620 registers.esi: 47061972 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x5182db9 0x5182c1a 0x5182aed 0x5180e13 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 86 a5 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x51839fa registers.esp: 3598084 registers.edi: 3598384 registers.eax: 0 registers.ebp: 3598396 registers.edx: 10847276 registers.ebx: 3601620 registers.esi: 47454936 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x5187330 0x5183384 0x5182c1a 0x5182aed 0x5180e13 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5187373 registers.esp: 3598372 registers.edi: 3598716 registers.eax: 0 registers.ebp: 3598380 registers.edx: 0 registers.ebx: 3601620 registers.esi: 47454936 registers.ecx: 48705060	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x5182db9 0x5182c1a 0x5182b05 0x5180e13 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 86 a5 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x51839fa registers.esp: 3598084 registers.edi: 3598384 registers.eax: 0 registers.ebp: 3598396 registers.edx: 10847276 registers.ebx: 3601620 registers.esi: 47454936 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x5187330 0x5183384 0x5182c1a 0x5182b05 0x5180e13 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5187373 registers.esp: 3598372 registers.edi: 3598716 registers.eax: 0 registers.ebp: 3598380 registers.edx: 0 registers.ebx: 3601620 registers.esi: 47454936 registers.ecx: 50135236	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x5182db9 0x5182c1a 0x5182b05 0x5180e13 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 86 a5 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x51839fa registers.esp: 3598084 registers.edi: 3598384 registers.eax: 0 registers.ebp: 3598396 registers.edx: 10847276 registers.ebx: 3601620 registers.esi: 47454936 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x5187330 0x5183384 0x5182c1a 0x5182b05 0x5180e13 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5187373 registers.esp: 3598372 registers.edi: 3598716 registers.eax: 0 registers.ebp: 3598380 registers.edx: 0 registers.ebx: 3601620 registers.esi: 47454936 registers.ecx: 47707168	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x5187e98 0x5187ce9 0x5182aed 0x5181662 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 86 a5 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x51839fa registers.esp: 3598060 registers.edi: 3598360 registers.eax: 0 registers.ebp: 3598372 registers.edx: 10847276 registers.ebx: 3601620 registers.esi: 46633504 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x5187330 0x518842e 0x5187ce9 0x5182aed 0x5181662 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5187373 registers.esp: 3598348 registers.edi: 3598740 registers.eax: 0 registers.ebp: 3598356 registers.edx: 0 registers.ebx: 3601620 registers.esi: 46633504 registers.ecx: 49279752	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x5187e98 0x5187ce9 0x5182b05 0x5181662 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 86 a5 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x51839fa registers.esp: 3598060 registers.edi: 3598360 registers.eax: 0 registers.ebp: 3598372 registers.edx: 10847276 registers.ebx: 3601620 registers.esi: 46633504 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x5187330 0x518842e 0x5187ce9 0x5182b05 0x5181662 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5187373 registers.esp: 3598348 registers.edi: 3598740 registers.eax: 0 registers.ebp: 3598356 registers.edx: 0 registers.ebx: 3601620 registers.esi: 46633504 registers.ecx: 50802400	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x5187e98 0x5187ce9 0x5182b05 0x5181662 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 86 a5 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x51839fa registers.esp: 3598060 registers.edi: 3598360 registers.eax: 0 registers.ebp: 3598372 registers.edx: 10847276 registers.ebx: 3601620 registers.esi: 46633504 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x5187330 0x518842e 0x5187ce9 0x5182b05 0x5181662 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5187373 registers.esp: 3598348 registers.edi: 3598740 registers.eax: 0 registers.ebp: 3598356 registers.edx: 0 registers.ebx: 3601620 registers.esi: 46633504 registers.ecx: 52152088	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x51887d2 0x51885e1 0x5182aed 0x518177d 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 86 a5 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x51839fa registers.esp: 3598112 registers.edi: 3598412 registers.eax: 0 registers.ebp: 3598424 registers.edx: 10847276 registers.ebx: 3601620 registers.esi: 46633504 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x5187330 0x5188c3a 0x51885e1 0x5182aed 0x518177d 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5187373 registers.esp: 3598400 registers.edi: 3598740 registers.eax: 0 registers.ebp: 3598408 registers.edx: 0 registers.ebx: 3601620 registers.esi: 46633504 registers.ecx: 47273808	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x51887d2 0x51885e1 0x5182b05 0x518177d 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 86 a5 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x51839fa registers.esp: 3598112 registers.edi: 3598412 registers.eax: 0 registers.ebp: 3598424 registers.edx: 10847276 registers.ebx: 3601620 registers.esi: 46629604 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x5187330 0x5188c3a 0x51885e1 0x5182b05 0x518177d 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5187373 registers.esp: 3598400 registers.edi: 3598740 registers.eax: 0 registers.ebp: 3598408 registers.edx: 0 registers.ebx: 3601620 registers.esi: 46629604 registers.ecx: 48764604	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x51887d2 0x51885e1 0x5182b05 0x518177d 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 86 a5 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x51839fa registers.esp: 3598112 registers.edi: 3598412 registers.eax: 0 registers.ebp: 3598424 registers.edx: 10847276 registers.ebx: 3601620 registers.esi: 46629604 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x5187330 0x5188c3a 0x51885e1 0x5182b05 0x518177d 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5187373 registers.esp: 3598400 registers.edi: 3598740 registers.eax: 0 registers.ebp: 3598408 registers.edx: 0 registers.ebx: 3601620 registers.esi: 46629604 registers.ecx: 50255112	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x51890ac 0x5188ec9 0x5182aed 0x5181883 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 86 a5 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x51839fa registers.esp: 3598144 registers.edi: 3598444 registers.eax: 0 registers.ebp: 3598456 registers.edx: 10847276 registers.ebx: 3601620 registers.esi: 46629604 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x5187330 0x518946c 0x5188ec9 0x5182aed 0x5181883 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5187373 registers.esp: 3598432 registers.edi: 3598740 registers.eax: 0 registers.ebp: 3598440 registers.edx: 0 registers.ebx: 3601620 registers.esi: 46629604 registers.ecx: 47299680	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x51890ac 0x5188ec9 0x5182b05 0x5181883 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 86 a5 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x51839fa registers.esp: 3598144 registers.edi: 3598444 registers.eax: 0 registers.ebp: 3598456 registers.edx: 10847276 registers.ebx: 3601620 registers.esi: 46629604 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x5187330 0x518946c 0x5188ec9 0x5182b05 0x5181883 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5187373 registers.esp: 3598432 registers.edi: 3598740 registers.eax: 0 registers.ebp: 3598440 registers.edx: 0 registers.ebx: 3601620 registers.esi: 46629604 registers.ecx: 48792772	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x51890ac 0x5188ec9 0x5182b05 0x5181883 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 86 a5 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x51839fa registers.esp: 3598144 registers.edi: 3598444 registers.eax: 0 registers.ebp: 3598456 registers.edx: 10847276 registers.ebx: 3601620 registers.esi: 46629604 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x5187330 0x518946c 0x5188ec9 0x5182b05 0x5181883 0x5dfc31 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5187373 registers.esp: 3598432 registers.edi: 3598740 registers.eax: 0 registers.ebp: 3598440 registers.edx: 0 registers.ebx: 3601620 registers.esi: 46629604 registers.ecx: 50285576	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x5187330 0x518a7f3 0x5189d9e 0x5dfc89 0x5dd9ff 0x5d7855 0x5d6f0b 0x5d3c6b 0x5d35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71c82652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71c9264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71c92e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x71d474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71d47610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71dd1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71dd1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71dd1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71dd416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c7f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5187373 registers.esp: 3599524 registers.edi: 3599788 registers.eax: 0 registers.ebp: 3599532 registers.edx: 0 registers.ebx: 3601620 registers.esi: 50827260 registers.ecx: 50834236	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x7c9841 0x7c9643 0x7c7710 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7c9978 registers.esp: 4122772 registers.edi: 4122824 registers.eax: 0 registers.ebp: 4122836 registers.edx: 6789096 registers.ebx: 4124276 registers.esi: 44800672 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x1066d21 0x1066b82 0x1066a55 0x1064d7b 0x1063da9 0x7cd9ff 0x7c7855 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 e0 c6 f4 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1067962 registers.esp: 4120740 registers.edi: 4121040 registers.eax: 0 registers.ebp: 4121052 registers.edx: 16041156 registers.ebx: 4124276 registers.esi: 45468432 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x106b290 0x10672ec 0x1066b82 0x1066a55 0x1064d7b 0x1063da9 0x7cd9ff 0x7c7855 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x106b2d3 registers.esp: 4121028 registers.edi: 4121372 registers.eax: 0 registers.ebp: 4121036 registers.edx: 0 registers.ebx: 4124276 registers.esi: 45468432 registers.ecx: 46718376	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x1066d21 0x1066b82 0x1066a6d 0x1064d7b 0x1063da9 0x7cd9ff 0x7c7855 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 e0 c6 f4 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1067962 registers.esp: 4120740 registers.edi: 4121040 registers.eax: 0 registers.ebp: 4121052 registers.edx: 16041156 registers.ebx: 4124276 registers.esi: 45468432 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x106b290 0x10672ec 0x1066b82 0x1066a6d 0x1064d7b 0x1063da9 0x7cd9ff 0x7c7855 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x106b2d3 registers.esp: 4121028 registers.edi: 4121372 registers.eax: 0 registers.ebp: 4121036 registers.edx: 0 registers.ebx: 4124276 registers.esi: 45468432 registers.ecx: 44467208	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x1066d21 0x1066b82 0x1066a6d 0x1064d7b 0x1063da9 0x7cd9ff 0x7c7855 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 e0 c6 f4 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1067962 registers.esp: 4120740 registers.edi: 4121040 registers.eax: 0 registers.ebp: 4121052 registers.edx: 16041156 registers.ebx: 4124276 registers.esi: 44453260 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x106b290 0x10672ec 0x1066b82 0x1066a6d 0x1064d7b 0x1063da9 0x7cd9ff 0x7c7855 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x106b2d3 registers.esp: 4121028 registers.edi: 4121372 registers.eax: 0 registers.ebp: 4121036 registers.edx: 0 registers.ebx: 4124276 registers.esi: 44453260 registers.ecx: 45826592	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x106bdf8 0x106bc49 0x1066a55 0x10655ca 0x1063da9 0x7cd9ff 0x7c7855 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 e0 c6 f4 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1067962 registers.esp: 4120716 registers.edi: 4121016 registers.eax: 0 registers.ebp: 4121028 registers.edx: 16041156 registers.ebx: 4124276 registers.esi: 44453260 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x106b290 0x106c38e 0x106bc49 0x1066a55 0x10655ca 0x1063da9 0x7cd9ff 0x7c7855 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x106b2d3 registers.esp: 4121004 registers.edi: 4121396 registers.eax: 0 registers.ebp: 4121012 registers.edx: 0 registers.ebx: 4124276 registers.esi: 44453260 registers.ecx: 47384120	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x106bdf8 0x106bc49 0x1066a6d 0x10655ca 0x1063da9 0x7cd9ff 0x7c7855 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 e0 c6 f4 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1067962 registers.esp: 4120716 registers.edi: 4121016 registers.eax: 0 registers.ebp: 4121028 registers.edx: 16041156 registers.ebx: 4124276 registers.esi: 44453260 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x106b290 0x106c38e 0x106bc49 0x1066a6d 0x10655ca 0x1063da9 0x7cd9ff 0x7c7855 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x106b2d3 registers.esp: 4121004 registers.edi: 4121396 registers.eax: 0 registers.ebp: 4121012 registers.edx: 0 registers.ebx: 4124276 registers.esi: 44453260 registers.ecx: 48733808	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x106bdf8 0x106bc49 0x1066a6d 0x10655ca 0x1063da9 0x7cd9ff 0x7c7855 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 e0 c6 f4 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1067962 registers.esp: 4120716 registers.edi: 4121016 registers.eax: 0 registers.ebp: 4121028 registers.edx: 16041156 registers.ebx: 4124276 registers.esi: 44453260 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x106b290 0x106c38e 0x106bc49 0x1066a6d 0x10655ca 0x1063da9 0x7cd9ff 0x7c7855 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x106b2d3 registers.esp: 4121004 registers.edi: 4121396 registers.eax: 0 registers.ebp: 4121012 registers.edx: 0 registers.ebx: 4124276 registers.esi: 44453260 registers.ecx: 50083496	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x106c732 0x106c541 0x1066a55 0x10656e5 0x1063da9 0x7cd9ff 0x7c7855 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 e0 c6 f4 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1067962 registers.esp: 4120768 registers.edi: 4121068 registers.eax: 0 registers.ebp: 4121080 registers.edx: 16041156 registers.ebx: 4124276 registers.esi: 44453260 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x106b290 0x106cb9a 0x106c541 0x1066a55 0x10656e5 0x1063da9 0x7cd9ff 0x7c7855 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x106b2d3 registers.esp: 4121056 registers.edi: 4121396 registers.eax: 0 registers.ebp: 4121064 registers.edx: 0 registers.ebx: 4124276 registers.esi: 44453260 registers.ecx: 45092512	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x106c732 0x106c541 0x1066a6d 0x10656e5 0x1063da9 0x7cd9ff 0x7c7855 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 e0 c6 f4 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1067962 registers.esp: 4120768 registers.edi: 4121068 registers.eax: 0 registers.ebp: 4121080 registers.edx: 16041156 registers.ebx: 4124276 registers.esi: 44439976 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x106b290 0x106cb9a 0x106c541 0x1066a6d 0x10656e5 0x1063da9 0x7cd9ff 0x7c7855 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x106b2d3 registers.esp: 4121056 registers.edi: 4121396 registers.eax: 0 registers.ebp: 4121064 registers.edx: 0 registers.ebx: 4124276 registers.esi: 44439976 registers.ecx: 46583308	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x106c732 0x106c541 0x1066a6d 0x10656e5 0x1063da9 0x7cd9ff 0x7c7855 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 e0 c6 f4 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1067962 registers.esp: 4120768 registers.edi: 4121068 registers.eax: 0 registers.ebp: 4121080 registers.edx: 16041156 registers.ebx: 4124276 registers.esi: 44439976 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x106b290 0x106cb9a 0x106c541 0x1066a6d 0x10656e5 0x1063da9 0x7cd9ff 0x7c7855 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x106b2d3 registers.esp: 4121056 registers.edi: 4121396 registers.eax: 0 registers.ebp: 4121064 registers.edx: 0 registers.ebx: 4124276 registers.esi: 44439976 registers.ecx: 48073816	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x106d00c 0x106ce29 0x1066a55 0x10657eb 0x1063da9 0x7cd9ff 0x7c7855 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 e0 c6 f4 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1067962 registers.esp: 4120800 registers.edi: 4121100 registers.eax: 0 registers.ebp: 4121112 registers.edx: 16041156 registers.ebx: 4124276 registers.esi: 44439976 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x106b290 0x106d3cc 0x106ce29 0x1066a55 0x10657eb 0x1063da9 0x7cd9ff 0x7c7855 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x106b2d3 registers.esp: 4121088 registers.edi: 4121396 registers.eax: 0 registers.ebp: 4121096 registers.edx: 0 registers.ebx: 4124276 registers.esi: 44439976 registers.ecx: 45107236	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x106d00c 0x106ce29 0x1066a6d 0x10657eb 0x1063da9 0x7cd9ff 0x7c7855 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 e0 c6 f4 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1067962 registers.esp: 4120800 registers.edi: 4121100 registers.eax: 0 registers.ebp: 4121112 registers.edx: 16041156 registers.ebx: 4124276 registers.esi: 44439976 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x106b290 0x106d3cc 0x106ce29 0x1066a6d 0x10657eb 0x1063da9 0x7cd9ff 0x7c7855 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x106b2d3 registers.esp: 4121088 registers.edi: 4121396 registers.eax: 0 registers.ebp: 4121096 registers.edx: 0 registers.ebx: 4124276 registers.esi: 44439976 registers.ecx: 46600328	1
__exception__ Aug. 7, 2023, 8:31 a.m.	stacktrace: 0x106d00c 0x106ce29 0x1066a6d 0x10657eb 0x1063da9 0x7cd9ff 0x7c7855 0x7c6f0b 0x7c3c6b 0x7c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72582652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7259264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72592e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72647610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ca7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ca4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 e0 c6 f4 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1067962 registers.esp: 4120800 registers.edi: 4121100 registers.eax: 0 registers.ebp: 4121112 registers.edx: 16041156 registers.ebx: 4124276 registers.esi: 44439976 registers.ecx: 0	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://77.91.68.61/rock/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.1/new/foto5566.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.1/new/fotod250.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.1/smo/du.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.3/fuzz/faman.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.61/rock/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.61/rock/Plugins/clip64.dll

Performs some HTTP requests (7 events)

request	POST http://77.91.68.61/rock/index.php
request	GET http://77.91.68.1/new/foto5566.exe
request	GET http://77.91.68.1/new/fotod250.exe
request	GET http://77.91.68.1/smo/du.exe
request	GET http://77.91.68.3/fuzz/faman.exe
request	GET http://77.91.68.61/rock/Plugins/cred64.dll
request	GET http://77.91.68.61/rock/Plugins/clip64.dll

Sends data using the HTTP POST Method (1 event)

request

POST http://77.91.68.61/rock/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 406 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4ee3000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3f4a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef44b5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef38b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3f4b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000021f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000022b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef38b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef38b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef38b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef38b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef38b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef38b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef38b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef38b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef38b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef38b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef38b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef38b4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef38b4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef38b4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef38b4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe940fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe941ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe941d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe941b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9410c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2296000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefeffd000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94220000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94221000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9411b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9414c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9411d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9410a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 8:30 a.m.	process_identifier: 2724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94222000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

pdates.exe tried to sleep 143 seconds, actually delayed analysis time by 143 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (18 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Aug. 7, 2023, 8:30 a.m.	number_of_free_clusters: 3251998 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 7, 2023, 8:30 a.m.	number_of_free_clusters: 3251998 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 7, 2023, 8:30 a.m.	number_of_free_clusters: 3251865 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 7, 2023, 8:30 a.m.	number_of_free_clusters: 3251865 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 7, 2023, 8:30 a.m.	number_of_free_clusters: 3251762 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 7, 2023, 8:30 a.m.	number_of_free_clusters: 3251762 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 7, 2023, 8:31 a.m.	number_of_free_clusters: 3250501 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 7, 2023, 8:31 a.m.	number_of_free_clusters: 3250501 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 7, 2023, 8:31 a.m.	number_of_free_clusters: 3250368 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 7, 2023, 8:31 a.m.	number_of_free_clusters: 3250368 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 7, 2023, 8:31 a.m.	number_of_free_clusters: 3250265 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 7, 2023, 8:31 a.m.	number_of_free_clusters: 3250265 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 7, 2023, 8:31 a.m.	number_of_free_clusters: 3249917 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 7, 2023, 8:31 a.m.	number_of_free_clusters: 3249917 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 7, 2023, 8:31 a.m.	number_of_free_clusters: 3249783 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 7, 2023, 8:31 a.m.	number_of_free_clusters: 3249783 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 7, 2023, 8:31 a.m.	number_of_free_clusters: 3249168 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 7, 2023, 8:31 a.m.	number_of_free_clusters: 3249168 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Creates executable files on the filesystem (24 events)

file	C:\Users\test22\AppData\Local\Temp\IXP006.TMP\m4182332.exe
file	C:\Users\test22\AppData\Local\Temp\IXP007.TMP\l1961203.exe
file	C:\Users\test22\AppData\Local\Temp\IXP005.TMP\n3271323.exe
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\g5143125.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\y2957799.exe
file	C:\Users\test22\AppData\Local\Temp\1000024051\du.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\n8652199.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\m5117723.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\k2171433.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\x1934863.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\cred64.dll
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\j6343316.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\l6830188.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\i7766938.exe
file	C:\Users\test22\AppData\Local\Temp\1000023051\fotod250.exe
file	C:\Users\test22\AppData\Local\Temp\1000025051\faman.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\x3988171.exe
file	C:\Users\test22\AppData\Local\Temp\IXP005.TMP\y9567341.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\y3402055.exe
file	C:\Users\test22\AppData\Local\Temp\IXP006.TMP\y1500242.exe
file	C:\Users\test22\AppData\Local\Temp\1000022051\foto5566.exe
file	C:\Users\test22\AppData\Local\Temp\IXP007.TMP\k6606455.exe
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\h4851432.exe

Creates a suspicious process (6 events)

cmdline	regsvr32 -s .\POie8R5J.7
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\test22\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "pdates.exe" /P "test22:N"&&CACLS "pdates.exe" /P "test22:R" /E&&echo Y\|CACLS "..\925e7e99c5" /P "test22:N"&&CACLS "..\925e7e99c5" /P "test22:R" /E&&Exit
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\test22\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
cmdline	"C:\Windows\System32\regsvr32.exe" -s .\POie8R5J.7

Drops a binary and executes it (5 events)

file	C:\Users\test22\AppData\Local\Temp\925e7e99c5\pdates.exe
file	C:\Users\test22\AppData\Local\Temp\1000022051\foto5566.exe
file	C:\Users\test22\AppData\Local\Temp\1000023051\fotod250.exe
file	C:\Users\test22\AppData\Local\Temp\1000024051\du.exe
file	C:\Users\test22\AppData\Local\Temp\1000025051\faman.exe

Drops an executable to the user AppData folder (11 events)

file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\IXP006.TMP\y1500242.exe
file	C:\Users\test22\AppData\Local\Temp\925e7e99c5\pdates.exe
file	C:\Users\test22\AppData\Local\Temp\IXP005.TMP\n3271323.exe
file	C:\Users\test22\AppData\Local\Temp\1000025051\faman.exe
file	C:\Users\test22\AppData\Local\Temp\IXP005.TMP\y9567341.exe
file	C:\Users\test22\AppData\Local\Temp\1000022051\foto5566.exe
file	C:\Users\test22\AppData\Local\Temp\1000023051\fotod250.exe
file	C:\Users\test22\AppData\Local\Temp\pOie8R5J.7
file	C:\Users\test22\AppData\Local\Temp\1000024051\du.exe
file	C:\Users\test22\AppData\Local\Temp\IXP006.TMP\m4182332.exe

A process created a hidden window (8 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 7, 2023, 8:30 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\925e7e99c5\pdates.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\925e7e99c5\pdates.exe	1	1
ShellExecuteExW Aug. 7, 2023, 8:30 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\test22\AppData\Local\Temp\925e7e99c5\pdates.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Aug. 7, 2023, 8:30 a.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "pdates.exe" /P "test22:N"&&CACLS "pdates.exe" /P "test22:R" /E&&echo Y\|CACLS "..\925e7e99c5" /P "test22:N"&&CACLS "..\925e7e99c5" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW Aug. 7, 2023, 8:31 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000022051\foto5566.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000022051\foto5566.exe	1	1
ShellExecuteExW Aug. 7, 2023, 8:31 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000023051\fotod250.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000023051\fotod250.exe	1	1
ShellExecuteExW Aug. 7, 2023, 8:31 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000024051\du.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000024051\du.exe	1	1
ShellExecuteExW Aug. 7, 2023, 8:31 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000025051\faman.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000025051\faman.exe	1	1
ShellExecuteExW Aug. 7, 2023, 8:31 a.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main filepath: rundll32.exe	1	1

An executable file was downloaded by the process pdates.exe (5 events)

Time & API	Arguments	Status	Return
InternetReadFile Aug. 7, 2023, 8:31 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $×â%KÔKÔKÔöåNÕKÔöåHÕKÔöåOÕKÔöåJÕKÔJÔ KÔöåCÕKÔöå´ÔKÔöåIÕKÔRichKÔPELâ`bà dF`j@ a @Á ¢´ÀÈ&ðT@ .textcd `.dataHh@À.idataR j@@.rsrc0À(\|@@.relocð ¤@B@P@¤@p@¢@È@u j@°i@@o@àÀ012P4ð4BIPJÐJ`KÀK LÀLÐLàOcÀc`g°i j`jàlðn@oppr radvapi32.dllCheckTokenMembership" .INF[]RebootAdvancedINFVersionsetupx.dllsetupapi.dll.BATSeShutdownPrivilegeadvpack.dllDelNodeRunDLL32...wininit.ini%luSoftware\Microsoft\Windows\CurrentVersion\App Paths\Kernel32.dllHeapSetInformationTITLEEXTRACTOPTINSTANCECHECKVERCHECKDecryptFileALICENSE<None>REBOOTSHOWWINDOWADMQCMDUSRQCMDRUNPROGRAMPOSTRUNPROGRAMFINISHMSGLoadString() Error. Could not load string resource.CABINETFILESIZESPACKINSTSPACEUPROMPTIXP%03d.TMPIXPi386mipsalphappcA:\msdownld.tmpTMP4351$.TMPRegServerUPDFILE%luControl Panel\Desktop\ResourceLocaleâ`b%ttâ`b Øâ`bprRSDSºÍã÷æÎÍú1 òïåwextract.pdbGCTL¬.rdata$brc¬.CRT$XCA°.CRT$XCAA´.CRT$XCZ¸.CRT$XIA¼.CRT$XIAAÀ.CRT$XIYÄ.CRT$XIZÈx.gfids@0.rdatap.rdata$sxdatat.rdata$zzzdbg8\.text$mn¸r\.xdata$xà.dataàh.bss .idata$5¢.00cfg¢ .idata$2,£.idata$3@£.idata$4È¥ .idata$6À.rsrc$01Ä .rsrc$02ÿUì3ÀÒtúÿÿÿv¸WÀxQÿuQèÛëÒtÆ]ÂÿUìSVW3ÿ»W÷Òtúÿÿÿvóöx?òÁÒt8t@îuõþÂ÷Þö+Çæ©ÿøó÷ßÿ#øöxQÿu+×QÏènð_Æ^[]ÂÿUìEV3öÀt=ÿÿÿv¾Wöx5S]3öWxÿEPÿuWSÿ\|¢@ÄÀx;Çwuë¾zÆ_[ë ÀtMÆÆ^]ÃÿUìÒt&ESV¾þÿÿ+ÁötÛt ANêuì^[ÒuI÷ÚÆÒâÿøz]ÂÿUì9MrEº+Á;Âw+M ë3À]ÂÿUìì¡@3ÅEüSVW3ÀfÇEøñEôhD@uèØÿx @øÿtjhT@Wÿ @EðÀtP3ÉEìPQQQQQQh j jEôPCÿ$ @ÀtMðôÿuèÿuìjÿ¢@ÿUð;ôt¹Í)ÿuìÿ @Wÿ¬ @MüÃ_^3Í[èATå]ÃÿUìì¡@3ÅEü¡(@SWj3ÛfÇEø_]ô]ð;ÇôMðèÿÿÿÀÓEèPjÿ¡@Pÿ @ÀÉEìPSSWÿuèÿ @Àÿl @øzVÿuìSÿP¡@ðötqEìPÿuìVWÿuèÿ @ÀtTEäPSSSSSSh j WEôPÿ$ @Àt49v'~ÿuäÿ7ÿ, @Àu CÇ;réë3À@£(@Eðÿuäÿ @Vÿ¤ @^ÿuèÿ @EðëEðÀt Ç(@Mü_3Í[èSå]ÃÌÌÌÌÌÌÌÿUìì¡@3ÅEüEVu-t!èuUÃ÷ÿÿùw RVÿà¡@ëP3ÀëOÿÌ¡@ÐÎè)hüýÿÿÆüýÿÿPÿuÿ5<@ÿè¡@üýÿÿPh?VÿÔ¡@jÿÿÜ¡@3À@Mü3Í^èbRå]ÂÿUìQSÁÚVWEü3ÿ0ë>tFf¾ËèÔKÀuëEüf¾0ë3Àë#<7tGf¾7Ëè®KÀté78tÆ@_^[å]ÃÿUìì¡@3ÅEüEºSVÙèùÿÿEôýÿÿWSìùÿÿè[ûÿÿ½ôýÿÿ"u ºl@õýÿÿëºp@ôýÿÿðùÿÿðùÿÿè-ÿÿÿµðùÿÿøöt<ÎQAÀuù+Êùr)F<:u~\t >\u<\uVºøþÿÿèãúÿÿë(Qhä@QºøþÿÿèËûÿÿVºøþÿÿèÃIj.ZÎè÷JÀjÿht@jÿPjjÿh @Hè\|øþÿÿPÿ request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 7, 2023, 8:31 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $×â%KÔKÔKÔöåNÕKÔöåHÕKÔöåOÕKÔöåJÕKÔJÔ KÔöåCÕKÔöå´ÔKÔöåIÕKÔRichKÔPELâ`bà dJ`j@ ª»@Á ¢´ÀØðT@ .textcd `.dataHh@À.idataR j@@.rsrc0À,\|@@.relocð ¨@B@P@¤@p@¢@È@u j@°i@@o@àÀ012P4ð4BIPJÐJ`KÀK LÀLÐLàOcÀc`g°i j`jàlðn@oppr radvapi32.dllCheckTokenMembership" .INF[]RebootAdvancedINFVersionsetupx.dllsetupapi.dll.BATSeShutdownPrivilegeadvpack.dllDelNodeRunDLL32...wininit.ini%luSoftware\Microsoft\Windows\CurrentVersion\App Paths\Kernel32.dllHeapSetInformationTITLEEXTRACTOPTINSTANCECHECKVERCHECKDecryptFileALICENSE<None>REBOOTSHOWWINDOWADMQCMDUSRQCMDRUNPROGRAMPOSTRUNPROGRAMFINISHMSGLoadString() Error. Could not load string resource.CABINETFILESIZESPACKINSTSPACEUPROMPTIXP%03d.TMPIXPi386mipsalphappcA:\msdownld.tmpTMP4351$.TMPRegServerUPDFILE%luControl Panel\Desktop\ResourceLocaleâ`b%ttâ`b Øâ`bprRSDSºÍã÷æÎÍú1 òïåwextract.pdbGCTL¬.rdata$brc¬.CRT$XCA°.CRT$XCAA´.CRT$XCZ¸.CRT$XIA¼.CRT$XIAAÀ.CRT$XIYÄ.CRT$XIZÈx.gfids@0.rdatap.rdata$sxdatat.rdata$zzzdbg8\.text$mn¸r\.xdata$xà.dataàh.bss .idata$5¢.00cfg¢ .idata$2,£.idata$3@£.idata$4È¥ .idata$6À.rsrc$01Ä .rsrc$02ÿUì3ÀÒtúÿÿÿv¸WÀxQÿuQèÛëÒtÆ]ÂÿUìSVW3ÿ»W÷Òtúÿÿÿvóöx?òÁÒt8t@îuõþÂ÷Þö+Çæ©ÿøó÷ßÿ#øöxQÿu+×QÏènð_Æ^[]ÂÿUìEV3öÀt=ÿÿÿv¾Wöx5S]3öWxÿEPÿuWSÿ\|¢@ÄÀx;Çwuë¾zÆ_[ë ÀtMÆÆ^]ÃÿUìÒt&ESV¾þÿÿ+ÁötÛt ANêuì^[ÒuI÷ÚÆÒâÿøz]ÂÿUì9MrEº+Á;Âw+M ë3À]ÂÿUìì¡@3ÅEüSVW3ÀfÇEøñEôhD@uèØÿx @øÿtjhT@Wÿ @EðÀtP3ÉEìPQQQQQQh j jEôPCÿ$ @Àt*Mðôÿuèÿuìjÿ¢@ÿUð;ôt¹Í)ÿuìÿ @Wÿ¬ @MüÃ_^3Í[èATå]ÃÿUìì¡@3ÅEü¡(@SWj3ÛfÇEø_]ô]ð;ÇôMðèÿÿÿÀÓEèPjÿ¡@Pÿ @ÀÉEìPSSWÿuèÿ @Àÿl @øzVÿuìSÿP¡@ðötqEìPÿuìVWÿuèÿ @ÀtTEäPSSSSSSh j WEôPÿ$ @Àt49v'~ÿuäÿ7ÿ, @Àu CÇ;réë3À@£(@Eðÿuäÿ @Vÿ¤ @^ÿuèÿ @EðëEðÀt Ç(@Mü_3Í[èSå]ÃÌÌÌÌÌÌÌÿUìì¡@3ÅEüEVu-t!èuUÃ÷ÿÿùw RVÿà¡@ëP3ÀëOÿÌ¡@ÐÎè)hüýÿÿÆüýÿÿPÿuÿ5<@ÿè¡@üýÿÿPh?VÿÔ¡@jÿÿÜ¡@3À@Mü3Í^èbRå]ÂÿUìQSÁÚVWEü3ÿ0ë>tFf¾ËèÔKÀuëEüf¾0ë3Àë#<7tGf¾7Ëè®KÀté78tÆ@_^[å]ÃÿUìì¡@3ÅEüEºSVÙèùÿÿEôýÿÿWSìùÿÿè[ûÿÿ½ôýÿÿ"u ºl@õýÿÿëºp@ôýÿÿðùÿÿðùÿÿè-ÿÿÿµðùÿÿøöt<ÎQAÀuù+Êùr)F<:u~\t >\u<\uVºøþÿÿèãúÿÿë(Qhä@QºøþÿÿèËûÿÿVºøþÿÿèÃIj.ZÎè÷JÀjÿht@jÿPjjÿh @Hè\|øþÿÿPÿ request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 7, 2023, 8:31 a.m.	buffer: MZÿÿ@@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL²dàHvD2@õ.textytv àe\|³P^¡¿jV%ý}ÕG YJ%¹ÓªüB Ï¸"7ôàÀðT·TëÕ1xjÕ$!ÌI7#G«7qa`öGÓ¤ÂÂ¤_ª¦ÎÀDn\Ä¢oÔ¯°×x^=ÑöàÝ4v¥,¬û¿ð3æÀçyÇÍ:½~Oð¬[·&°L~í[8i,5D¦rövÎ'j>ï@ÃÑÄéæÍ°×²ÚLR~Æm=Oª°hÁÞgÈHè°³¯¶å}0§ø`¾â ×~A?ZìP»b1 f,óë.éÊ¬RºUµS¤g ðÞófò_ïøÛB'³wU}+Öï#ú×=,ÉÝÔ¡vÚËÍK_#ý¡wE&ÙÚÖ]DÔïC©#å¤mµO´7À=îv!¹çÏÁa"-GH©Ô3&ûVxê±wÐóg¾¢%ÑMJ£ËLöÏ²1#0\|Cyãvt-ÆÔ øý$Kx`è$Á»#8§ Q¯ «V d#Äèé{fÃå' üÒnÜtu(rì<$tuFáqVèutÃs4$Äë ÄîÍë¢ëõÄ¢ëÀó±ñÆë XV_ërëø«¬ë²ñ0ÐªâóutÔÓÆ4$ÄutËBÎÄ\|$üÃUåVWëB1Ohn$Äë\Cëïëqüj`YëAë÷_ëãië¶ëº(ëa×ëõ:èCÿÿÿ+ £e$£] ¡ßyéÁøÊÒq«É+\.øÊÒÃ:ìÏ@F:((£,«ì,Ã-<AÃÇÓÃ"xWbBHqÃ-é4ÃßNÃ%_wY1(((Ã-·ÃÝÀËÖ××_^ÉÂUåUSVWëÑ2.¸!ëdëõë_GKh$ÄëVëïë\|w×.j2$ÄëëòÊèþÿÿg¹G:¹O>éÌõßò=âòÚ11G Ú·2222ú G56 A0T£ÁÄðòJ+£G8²ÈÚd222Ù:ÌþÄðF/ÌþÙ+H<²È´ÒÚ2220Ù4ÄðG7´Ò§ 560;G&Ú2222úG;6A6FT£¤=ß¿F2Á¤ÛDÍÍÍÇâêÚ5222:úâòÓñÄíK1¡¡6àù=ëñoO>Ù?Ø¶Z!22jÙ7#ÙÆßÙ&T{x8Z2322¹>±ö6Ù7ý>ÙÝ;Ù#a±X¹&±ö6Ù7pFÙÀ´Ú¢ÏÍÍø_^[]ÉÂUåìSVWë orG£¸tëgëõë;àÆ@sh YëSíëô·ë ô÷üºëð5ëõ¹è=ýÿÿ^2ÃF÷Nv~TUTUëþüü®VûVÿF÷2Êik3QRSiüüPÃvüv÷Uëýüü8FûvNèÄF÷]\TUëQþüüèµ2Õ¢Ækw[èv©è÷¦èKúk£ZèÎÆè÷Åè_c ¹èîèö8ëÿüüEô_^[ÉÂUåì`SVWë ´ÎPì¸këWëõâëãÆø¿Eh$Äë\Òëïëé7ðZhZë:ÞëôèFüÿÿÙµ{ ùHâlâDð{ÁH{×ÌD¤ Á ñ$ ºÒÔ{×ÈD ÉT ý ñ\îÒ{×C v ÉT ÁtÕÖîÄÔ{×ôD\ ÁpîÓÓÔî{î{{ñt{D? ù\| Á4 üCÔ ñ(ÓìîÔÓîÒ{×ðDñÞ{ñ4ÁL Á8 ¼ ÉLîÓîÕÓÓÓÔî{{²{×üDñ³ Á@ ¼ ÉLîÓîÕÓÓÓÔ{ñp{²{×üDññ8ìÒÓ{×¤Á {Á\| Á4ÉE ü ñ,ÓìîÄÔÓîÒ{×ðDù\|{ñ4ÁL Á< ¼ ÉLîÓîÕÓÓÓÔî{{²{×üDZ ÁD ¼ ÉLî¤ÓîÕÓÓÓÔ{ñp{²{×üD8lñðT@@ð xojtooqo3uBöÒo\|PVÂì© @o½pok8oíMÒKsyìä¦ÞoxopQo3£ícöÖÜo}o\|Òo3EfoÀá3uFoÈè3uµDo!=(oÈú3uFof@o3uvËcGoPoo}ñ²3ÊÒ vùHðFoF\|ÕÎMðþù<öñw F¬Ýf`ÚùHðâlÛka } ~EM«F \|M«ì)Ôl~{{ÁD uÑ<· } ~E´Fº Â¬ÁDÉ@Ñp·oåÒÒ°¯ÑD 2$²ñ<ºð¬ºÊmUmBµDâ)-´ð¡{Á<\|fcoWÚÊ¬ÉDµ{ Áx ¼ÓÔ{ñ@ÕÓÓÓÓÓ{ñp{oìl{×mLx{{o×ö~ÄìïÜoü]op[oãì @oJok!o¬s#¦þì @oVokÛl5\|{{_^[ÉÂUåìSVWëÅ'KhZ$Äëê¾ëïë<iC·jw$Äë6ëòë7MÄhÇ$ÄëUÏëïxèWøÿÿLÏ¯OÔÇÇ8ÛJ;8²×8²Ë/q=88B³Ê8²Ó8²;/_<88Ç88Ô,Ó"¦°´z¯ÞÇÇLÃãDÃ,Â,(¤,Éê É~°ÇÇÇ,Â\,2ª,È`{¯ÇÇÇ,ÂÓ(,3Ó/'088_^[ÉÂUåìTSVWëRkh"$Äëa.ëïëiqt¹Üë6ëõOëj·"jZëº@ë÷ñè÷ÿÿEðmlåÞkFóö2ó0óí0óPQ¢éÞjNó\¾Q·Âpã5AóPFóìUóþ:px:<ÜóRó÷óWÃJ<Üóqßóë/óþÙúó¢éÚó¾¢é)Øó ô´ó¨¢éÚóúÚóØÚ¢éêWÿÛóÔ1ÌóóáÔ¨ãççNrrççKDØÔ´ãçç¥¬ãççHrOrç.çKxØµg8¸¤åççpNrçK8ð*hjw{}kk8{ytt8{j}yl}8:=k:@NHOçKHÜmÜr$NçKß$ðjmvyk@^ðouq{@^fçK\^NçKpØlàrrççó [wàÄp:<Üó¡ùó÷:ó$/Û6úpÄAó¬óìóJ®µ¢r<ÜóÜóêÊð«íçç_^[ÉÂUåSVWë0Ü¼ÈhW$Äë^¬ëïÑëÆ-³¤j`$Äëìfëò½ëÄ¯íh¶$ÄëÎëïwèZõÿÿ=ë¾=Ãº3@Â¯v?AÐÐ3vÂ¸æI%¶¶¶5r²Ð]]]¹jËÞáª¶¶î]³8]B\]¸È¬Ö¶¶¶]³¤]C8]ºÎ¶¶¶]³uT]Cñ^LBII_^[ÉÂUåìSVWë0?¸h $Äë,ÞëïëxwJÑû¼hÖYëwMëôïëJ5óðºëËëõ¸è¤ôÿÿU×nÏ£RçeÅô?ôRæÂm:Vô9yyzÕã÷ÿçäûàæûýäÿåóà÷äðýêê÷üÌÍ¬æÄÅm2VRçTyuyU×nyø¼ÎúÊy²ÔyfWy`VF8Ï+DyÚygy¿óð·V(yÎúygaz\ammEü_^[ÉÂUåìSVWë'f+h= request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 7, 2023, 8:31 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù=LF¸SF¸SF¸Sò$¢K¸Sò$ Ë¸Sò$¡^¸SÆÃ®D¸SÆÃWU¸SÆÃPQ¸SÆÃVt¸SOÀÐM¸SOÀÀA¸SF¸RN¹SÈÃV`¸SÈÃSG¸SÈÃ¬G¸SÈÃQG¸SRichF¸SPEL·ÏÈdà!~à]@À@Á04dP°øßT)@T8³@,\ .text}~ `.rdataæ¦¨@@.data \@@À.didatx :@À.rsrcøß°à<@@.relocT)@BhOCè%ÃÌÌÌÌÌh Bè¯IYÃÌÌÌÌèèZ£8àCÃÌÌÌÌÌ¹HàCéUiÌÌÌÌÌÌ¹PåCèbßh°BèuIYÃÌÌÌÌÌÌÌÌÌÌ¹øaFèéFhÀBèUIYÃÌÌÌÌÌÌÌÌÌÌ¹EéÑÌÌÌÌÌÌ¹°Eè¡)hÐBè%IYÃÌÌÌÌÌÌÌÌÌÌ¹EèFhàBèIYÃÌÌÌÌÌÌÌÌÌÌ¹®EèhðBèåHYÃÌÌÌÌÌÌÌÌÌÌhBèÏHYÃÌÌÌÌUìì,EüVPÿ\| FÀu`E3ÉEÜÔýÿÿEäEEèEÜPMàÇEìAMðMôÿl Fðöt)SÿuVÿp FMüÀVQÃrÎÿ,BÿÖÃ[ë2À^ÉÂÌÂ¶D$Pÿt$ÿt$ÿL¡FPÿH¡FÂ¶D$÷ØÀà Pÿt$ÿt$ÿL¡FPÿX¡FÂUì}0tY}u]E ¹°E$¶ÀPÿuÿuè6öE t>ÿuÿ@¡FÀt1h!0PÿL¡FÀt!öE thBPÿD¡Fë ÿu¹°Eè62À]ÂUìE=rEPEPè`EPÿuèøCYY]Â¸Bè÷CQVñWuðè§²èW3ÿ`²}üèøV¼²ÆEüèéV³ÆEüèÚVt³ÆEüèËVÐ³ÆEüè~D¾à³¾ä³¾è³ÎÆEüèMôÆ_^d ÉÃ9tÿ1èkYÃéÅéèÿÿÿÁ³éW¸ èaCSUVWjjÿ´$( è{$ Øè·W½é¢D$Pè%ð·Qè_$¼$ tÀt3ÀfëÀtUhBD$PèUjjD$ûPèðf>*u:·NQè$Àt,j.Xj\f$XUf$$SPèxU¼$ÿ´$( WVèÀu'$ D$UPè¡VÀDÿÿÿ_^][Ä Â°ëïUìVjÿuñÿuÿu`²PèàþÿÿÀt°ë,}t$¾Ð²tjÿu¼²ÿuÿuPè²þÿÿÀtÒ2À^]ÂVñèõ3À²fâf¢fØÜàè>V`²è3V¼²è(V³èVt³èVÐ³è¿Cà³;ä³tä³^ÃQQSUVt$(Wùöt\|$0v3ÀfL$3ÛCSjéi(D$Ïÿt$l$ UèäþÿÿÀu4Ç²Ï\|$è¯UÏëÿt$$UWèÀuL$CèìTøÿuá3À_^][YYÂl$ ítÿt$WèS÷ØÀþÀEötÿt$0WVè«SÃëÉD$L$#Pü+ÂÀüøwÂèPÌVñ>tF+àøPÿ6èIüÿÿ3ÀFF^ÃT$Vt$W\|$öt¶¶Â3ÈÁê3OCGîuè_Â^ÂVt$3À9Fu(WjÈ_ÑÑêöÁÊtñ ¸íïuê@=rÚ_^ÂUììLM´ÿuèøM´èQ]ÉÂUììLM´ÿuèÛÿuE´PèaM´è(]ÉÂUììLM´ÿuè²ÿuE´ÿuPèPM´èü\ÉÂUììLM´ÿuèÿuE´PèLM´èÓ\ÉÂL$Q@úsD$ÿA@ÂL$Q@úsD$ÿA@ÿt$QèÃÿÿÿÂL$Q@ús D$ÿA@Â3ÀÇAAfAÁÃVWñ¸BjYþó«j 3ÿF WPèÒND$Ä~@~DFHÆ_^ÂVD$ñPjèÐþÿÿjÎèä^ÂjèÙD$ÆÂVñ~ uè ÿt$ÿt$è$_ÀuÆF ë2À^ÂVñ~uD$Pj èrþÿÿÎèÐjÎè^ÂVD$ñPD$Pj èsþÿÿÎè¨j ÎèW^Âé#UììEPjÿuøÿÿhPèÄøÿÿPjèRþÿÿMèZÉÃÿBÀt$jÿt$ÿt$hPjhÿBÀÀë2ÀÂVñèjÎè¡^ÃVjñèýÿÿjÎè·^ÃVD$ñPD$PjèýÿÿÎèâjÎèètX^Âÿt$jèÈÿÿÿÂVÿt$ñjè jÎè8^ÂVD$ñPD$PjèWýÿÿÎèjÎè;^Âÿt$jèÍÿÿÿÂVñ~uD$Pjè÷üÿÿÎèUjÎèÙ^ÂT$Âètèt&èt-üu9uÿAÂ9tõÇëí9t9uãÇëÛìD$hPèþÿÿÀtmSUVj [j t$]t$W·f;Ãtf;ÅuÆëît$fÀt<SVè:QøYYÿuUVè+QøYYÿt3ÀfÇD$Pjè#üÿÿ÷t$ÿu©_^][ÄÃUìQVuþÿuyu^ÉÂVè ÿÿÿh¤CEüuüPèxQÌD$PD$Pj!èóûÿÿj¹EèÛþÿÿÂVÿt$ñÿt$è jÎèÿÿÿ^ÂVD$ñPD$Pj è³ûÿÿÎèèþÿÿjÎèþÿÿ^Â¸oCÃUìÿuÿuÿuÿuÿuèãÿÿÿÿpÿ0èªÄÀyÈÿ]ÃIÿ3ÀfA2AAfA4A0fA$AA(A,ÁÇBfÇAÆAÇA Ã3À $ÁÃUìd¡jÿh£BPd%yÿÇBtyuytè{ëèFMôd ÉÃÌÌÌÌÌÌÌÌÌÌ request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 7, 2023, 8:31 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $,CyáCyáCyáâ~Iyáä~Ëyáå~Qyáå~Lyáâ~Ryáä~byáà~FyáCyàyáØè~@yáØá~ByáØByáØã~ByáRichCyáPELÅl¾dà!Þ>ð°@ J<K<øT ?p?@ð,.textVÝÞ `.rdataîaðbâ@@.dataD`D@À.rsrcøP@@.relocTR@Bj h¨<¹phè?#hêèYÃÌÌÌj8hÌ<¹hè#h`êèlYÃÌÌÌj8hÌ<¹ hèÿ"hÀêèLYÃÌÌÌj8hÌ<¹¸hèß"h ëè,YÃÌÌÌj8h=¹Ðhè¿"hëè*YÃÌÌÌj0hD=¹èhè"hàëèì)YÃÌÌÌj0hx=¹iè"h@ìèÌ)YÃÌÌÌhh°=¹iè\"h ìè©)YÃj?h>¹0iè?"híè)YÃÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPèÂ2ÄÆ^]ÂÌÌÌI¸\|<ÉEÁÃÌÌUìVñFÇñPèó2ÄöEtjVè«%ÄÆ^]ÂAÇñPèÉ2YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇA<ÇìñÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿhJEôPè2ÌÌÌÌUìVñWÀFPÇñfÖEÀPèò1ÄÇìñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPè²1ÄÇ ñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìQSZVWQSñè=h3É3À}üÛ~53Ò;ÇþEÐ=h¸phCph~r>A}üB;Ë\|Ë~r_ÆÆ^[å]Ã_ÆÆ^[å]ÃÌÌÌÌÌUììSVWòùQ}ôFPEðè3Û]ø9]ð)D~Ær¾Pè¯KÄÀu-NÆùr< tÆùrÏréÌ~Ær=@i3Ò Diÿt+EÿfD]ÿù¸0iC0i8]øtB;×ráÊÿEÈxr3Àÿt.MÿD=Di¹0i]ÿC 0i8]øt@;ÇrÝÈÿ=Di¹0iC 0iMìMôMøyr MøÏ+È 3Ò÷÷Mì}ô MøC]ø;]ðÜþÿÿrÆÇ_^[å]ÃÆÇ_^[å]ÃÌÌÌÌÌÌÌÌÌÌUìì@SVWÙòQMÄ]ôèçýÿÿEÄÖPMÜèYþÿÿhÇCÇCÆè°"Ø¹Èÿ]øûÄó«3Ò¾8>Bú@\|ðUì3ö3Û~øÒtAMø}ðEÜCEÜ¾øÿt'ÁæðÇxÏÆÓøMôPèUìïMøC;ÚrÂEøÀthPèð!ÄUðúr(MÜBÁúrIüÂ#+ÁÀüøwVRQèÀ!ÄUØÇEìÇEðÆEÜúr(MÄBÁúrIüÂ#+ÁÀüøwRQè~!ÄEô_^[å]ÃèGÌÌÌÌÌÌÌÌÌÌÌUìì4E0SVW3ÿÆEè¾À]ÇEàÇEäÆEÐ;Ç´+ÇMÐ;ÃBØ}4E CE SÇPèþr.MèVÁúrIüÂ#+ÁÀüøhRQè× ÄMÐ}Uó~EàEèCU}äuà]f~ÉMèCÁfÖEø;óu\îr; uÀÂîsïþüî: u7þýßH:Ju&þþÎH:Juþÿ½@:B±E0Guü;øõþÿÿ3ÿUþr/MèFÁþrIüÆ#+ÁÀüøVQè UÄEør'HÂùrRüÁ#+ÂÀüøw`QRèÏÄU4ÇEÇEÆEúr3M BÁúrIüÂ#+ÁÀüøwë uüGéWÿÿÿRQèÄÇ_^[å]Ãè Eè«ÌÌÌÌÌÌÌÌÌÌÌUìQS]Vñ]üWjhÀ>ÇFÇFÆèD3ÿÛ~1}ECE8S¿C ú¶È¶ÃGÈ¶ÁÎPèG;}ü\|ÏUúr(MBÁúrIüÂ#+ÁÀüøwRQèÑÄ_Æ^[å]ÃèïDÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì0VWj$hÄ>MÐÇEàÇEäÆEÐèEÀu3öéÇ3ÿÀ¸ÇEøÇEüÆEè;ÇF+Ç¹;ÁBÈ}ECEQÇMèPèBìEÐÌPètìEèôìÌPèaÎèªþÿÿÄè¢üÿÿUüÄ0Àúr,MèBÁúrIüÂ#+ÁÀüø¹RQèÇÄEG;øHÿÿÿ¾Uäúr(MÐBÁúrIüÂ#+ÁÀüøwxRQèÄUúr^MBÁúrFIüÂ#+ÁÀüøwHë4úr(MèBÁúrIüÂ#+ÁÀüøw#RQè1Ä3öétÿÿÿRQè Ä_Æ^å]Ãè?CèJÌÌÌÌÌÌÌÌÌÌUìQEUMVÀS@WPè] ÄM}ØÓCM+ÑID ÿÀuóóNFÀuù+ñFVjÿðVøSWÿðPèÇ5ÄWÿðjÿñÿñWjÿñÿ ñUM_[^úr%BÁúrIüÂ#+ÁÀüøwRQèAÄå]ÃèdBÌÌÌÌUìì$SVWùjÇGÇGÆÿñÀj ÿ$ñØ]üÛlSÿðEôÀSjjjjjÿPjhéýÿððuøö.WN;ÊwOÇrÆëFGÙ+Ú+Â;Øw%ÇOrS4jVèE,ÆÄuøëQSÆEøÏÿuøSè¨]üÇrjjVPjÿÿuô request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00082a00', u'virtual_address': u'0x0000c000', u'entropy': 7.890108246848947, u'name': u'.rsrc', u'virtual_size': u'0x00083000'}

entropy

7.89010824685

description

A section with a high entropy has been found

entropy

0.941441441441

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (5 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 7, 2023, 8:30 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 7, 2023, 8:31 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 7, 2023, 8:31 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 7, 2023, 8:31 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 7, 2023, 8:31 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 78 events)

Time & API	Arguments	Status
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: AddressBook base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: Connection Manager base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: DirectDrawEx base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: EditPlus base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: ENTERPRISE base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: Fontcore base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: Google Chrome base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: IE40 base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: IE4Data base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: IE5BAKEX base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: IEData base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: MobileOptionPack base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: SchedulingAgent base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: WIC base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x000003cc key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000003b4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: AddressBook base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: Connection Manager base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: DirectDrawEx base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: EditPlus base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: ENTERPRISE base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: Fontcore base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: Google Chrome base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: IE40 base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Aug. 7, 2023, 8:31 a.m.	regkey_r: IE4Data base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\test22\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\test22\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (4 events)

host	77.91.124.156
host	77.91.68.1
host	77.91.68.3
host	77.91.68.61

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService Aug. 7, 2023, 8:30 a.m.	service_handle: 0x000000001aac4d20 service_name: None control_code: 1		0	0
ControlService Aug. 7, 2023, 8:30 a.m.	service_handle: 0x000000001aac4f60 service_name: None control_code: 1		0	0

Installs itself for autorun at Windows startup (15 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\foto5566.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000022051\foto5566.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fotod250.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000023051\fotod250.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\du.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000024051\du.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\faman.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000025051\faman.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP003.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP004.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP005.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP006.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP007.TMP\"
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\test22\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\test22\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

Detects Avast Antivirus through the presence of a library (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetDllHandle Aug. 7, 2023, 8:31 a.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0
LdrGetDllHandle Aug. 7, 2023, 8:31 a.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Collects information about installed applications (50 out of 54 events)

Time & API	Arguments	Status
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 7, 2023, 8:31 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1

Network activity contains more than one unique useragent (2 events)

process	pdates.exe				useragent
process	n8652199.exe				useragent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 284 resumed a thread in remote process 1320
NtResumeThread Aug. 7, 2023, 8:31 a.m.	thread_handle: 0x000002e4 suspend_count: 1 process_identifier: 1320	1	0	0

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "pdates.exe" /P "test22:N"&&CACLS "pdates.exe" /P "test22:R" /E&&echo Y\|CACLS "..\925e7e99c5" /P "test22:N"&&CACLS "..\925e7e99c5" /P "test22:R" /E&&Exit
cmdline	cmd /k echo Y\|CACLS "pdates.exe" /P "test22:N"&&CACLS "pdates.exe" /P "test22:R" /E&&echo Y\|CACLS "..\925e7e99c5" /P "test22:N"&&CACLS "..\925e7e99c5" /P "test22:R" /E&&Exit
cmdline	CACLS "..\925e7e99c5" /P "test22:R" /E
cmdline	CACLS "..\925e7e99c5" /P "test22:N"
cmdline	CACLS "pdates.exe" /P "test22:N"
cmdline	CACLS "pdates.exe" /P "test22:R" /E

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	"C:\Users\test22\AppData\Local\Temp\1000024051\du.exe"
cmdline	C:\Users\test22\AppData\Local\Temp\1000024051\du.exe

Disables Windows Security features (6 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

fotod250.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All