Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 14, 2023, 7:45 a.m.	Sept. 14, 2023, 7:49 a.m.

Size	929.5KB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`0a0d272e135bf0aa2379f588b2391c84`
SHA256	`c4225d1ef734c6703c0478ce14fb5d0518446efb4403094c9a3693724ada2692`
CRC32	`F6AD691C`
ssdeep	`24576:tiuBtZlVSlKQBKzqa5nOjVN5RvOmET9Bedn:AuBflwlKOaq/vOTpMdn`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check

foto5445.exe "C:\Users\test22\AppData\Local\Temp\foto5445.exe"
2560
- AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2748
  - x5569196.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\x5569196.exe
    2816
    - x0740785.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\x0740785.exe
      2860
      - g3627214.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\g3627214.exe
        2904
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3040
      - i4566933.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\i4566933.exe
        940
    - j7547682.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\j7547682.exe
      2616
      - P4ZrEvvyKgoUNz0.exe "C:\Users\test22\AppData\Local\Temp\P4ZrEvvyKgoUNz0.exe"
        1852
      - cmd.exe /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\P4ZrEvvyKgoUNz0.exe" /tn "\WindowsAppPool\P4ZrEvvyKgoUNz0"
        2300
        
        schtasks.exe schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\P4ZrEvvyKgoUNz0.exe" /tn "\WindowsAppPool\P4ZrEvvyKgoUNz0"
        2936
  - k0317679.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\k0317679.exe
    2796
    - AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      3032

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
5.42.92.211	Active	Moloch
77.91.124.82	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49171 -> 77.91.124.82:19071	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.82:19071	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 77.91.124.82:19071 -> 192.168.56.101:49171	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.124.82:19071 -> 192.168.56.101:49171	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49173 -> 5.42.92.211:80	2047625	ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)	A Network Trojan was detected
TCP 192.168.56.101:49173 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 77.91.124.82:19071	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49183 -> 77.91.124.82:19071	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49183 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 77.91.124.82:19071	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 77.91.124.82:19071 -> 192.168.56.101:49183	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.124.82:19071 -> 192.168.56.101:49183	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.82:19071	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 77.91.124.82:19071 -> 192.168.56.101:49177	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.124.82:19071 -> 192.168.56.101:49177	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 77.91.124.82:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49173 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (40 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (8 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 14, 2023, 7:45 a.m.			0	0
IsDebuggerPresent Sept. 14, 2023, 7:45 a.m.			0	0
IsDebuggerPresent Sept. 14, 2023, 7:45 a.m.			0	0
IsDebuggerPresent Sept. 14, 2023, 7:45 a.m.			0	0
IsDebuggerPresent Sept. 14, 2023, 7:46 a.m.			0	0
IsDebuggerPresent Sept. 14, 2023, 7:46 a.m.			0	0
IsDebuggerPresent Sept. 14, 2023, 7:46 a.m.			0	0
IsDebuggerPresent Sept. 14, 2023, 7:46 a.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleA Sept. 14, 2023, 7:45 a.m.	buffer: duuyBAYuu8a8 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 14, 2023, 7:45 a.m.	buffer: duuyBAYuu8a8 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 14, 2023, 7:46 a.m.	buffer: duuyBAYuu8a8 console_handle: 0x00000007	1	1
WriteConsoleW Sept. 14, 2023, 7:46 a.m.	buffer: SUCCESS: The scheduled task "\WindowsAppPool\P4ZrEvvyKgoUNz0" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 51 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 14, 2023, 7:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073cb48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073cb48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073cb48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073cb48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073cbc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073cbc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073cac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073cac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073cac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073cac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073cac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073cb48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073cb48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073cd48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073d608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073d608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073d4c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00625ce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00625ce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00625ce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00625ce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00625d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00625d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00625c68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00625c68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00625c68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00625c68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00625c68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00625ce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00625ce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00625ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006267a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006267a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00626668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00755f90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00755f90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00755f90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00755f90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00756010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00756010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00755f10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00755f10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00755f10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00755f10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00755f10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00755f90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00755f90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00756190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00756a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00756a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 14, 2023, 7:45 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.bsp

One or more processes crashed (50 out of 78 events)

Time & API	Arguments	Status
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0x9bd2c1 0x9bd0c3 0x9b7ad8 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9bd3f8 registers.esp: 3861604 registers.edi: 3861656 registers.eax: 0 registers.ebp: 3861668 registers.edx: 7442968 registers.ebx: 3863108 registers.esi: 44570384 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa594959 0xa5947ba 0xa59468d 0xa5929b3 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 a0 b2 c5 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa59559a registers.esp: 3859572 registers.edi: 3859872 registers.eax: 0 registers.ebp: 3859884 registers.edx: 80064644 registers.ebx: 3863108 registers.esi: 45250280 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa598ed0 0xa594f24 0xa5947ba 0xa59468d 0xa5929b3 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa598f13 registers.esp: 3859860 registers.edi: 3860204 registers.eax: 0 registers.ebp: 3859868 registers.edx: 0 registers.ebx: 3863108 registers.esi: 45250280 registers.ecx: 46500224	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa594959 0xa5947ba 0xa5946a5 0xa5929b3 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 a0 b2 c5 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa59559a registers.esp: 3859572 registers.edi: 3859872 registers.eax: 0 registers.ebp: 3859884 registers.edx: 80064644 registers.ebx: 3863108 registers.esi: 45250280 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa598ed0 0xa594f24 0xa5947ba 0xa5946a5 0xa5929b3 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa598f13 registers.esp: 3859860 registers.edi: 3860204 registers.eax: 0 registers.ebp: 3859868 registers.edx: 0 registers.ebx: 3863108 registers.esi: 45250280 registers.ecx: 44197264	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa594959 0xa5947ba 0xa5946a5 0xa5929b3 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 a0 b2 c5 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa59559a registers.esp: 3859572 registers.edi: 3859872 registers.eax: 0 registers.ebp: 3859884 registers.edx: 80064644 registers.ebx: 3863108 registers.esi: 44183272 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa598ed0 0xa594f24 0xa5947ba 0xa5946a5 0xa5929b3 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa598f13 registers.esp: 3859860 registers.edi: 3860204 registers.eax: 0 registers.ebp: 3859868 registers.edx: 0 registers.ebx: 3863108 registers.esi: 44183272 registers.ecx: 45556648	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa599448 0xa599299 0xa59468d 0xa593201 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 a0 b2 c5 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa59559a registers.esp: 3859548 registers.edi: 3859848 registers.eax: 0 registers.ebp: 3859860 registers.edx: 80064644 registers.ebx: 3863108 registers.esi: 44183272 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa598ed0 0xa5999de 0xa599299 0xa59468d 0xa593201 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa598f13 registers.esp: 3859836 registers.edi: 3860228 registers.eax: 0 registers.ebp: 3859844 registers.edx: 0 registers.ebx: 3863108 registers.esi: 44183272 registers.ecx: 47098064	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa599448 0xa599299 0xa5946a5 0xa593201 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 a0 b2 c5 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa59559a registers.esp: 3859548 registers.edi: 3859848 registers.eax: 0 registers.ebp: 3859860 registers.edx: 80064644 registers.ebx: 3863108 registers.esi: 44183272 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa598ed0 0xa5999de 0xa599299 0xa5946a5 0xa593201 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa598f13 registers.esp: 3859836 registers.edi: 3860228 registers.eax: 0 registers.ebp: 3859844 registers.edx: 0 registers.ebx: 3863108 registers.esi: 44183272 registers.ecx: 48447752	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa599448 0xa599299 0xa5946a5 0xa593201 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 a0 b2 c5 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa59559a registers.esp: 3859548 registers.edi: 3859848 registers.eax: 0 registers.ebp: 3859860 registers.edx: 80064644 registers.ebx: 3863108 registers.esi: 44183272 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa598ed0 0xa5999de 0xa599299 0xa5946a5 0xa593201 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa598f13 registers.esp: 3859836 registers.edi: 3860228 registers.eax: 0 registers.ebp: 3859844 registers.edx: 0 registers.ebx: 3863108 registers.esi: 44183272 registers.ecx: 49797440	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa599d82 0xa599b91 0xa59468d 0xa59331c 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 a0 b2 c5 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa59559a registers.esp: 3859600 registers.edi: 3859900 registers.eax: 0 registers.ebp: 3859912 registers.edx: 80064644 registers.ebx: 3863108 registers.esi: 44183272 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa598ed0 0xa59a1ea 0xa599b91 0xa59468d 0xa59331c 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa598f13 registers.esp: 3859888 registers.edi: 3860228 registers.eax: 0 registers.ebp: 3859896 registers.edx: 0 registers.ebx: 3863108 registers.esi: 44183272 registers.ecx: 44804208	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa599d82 0xa599b91 0xa5946a5 0xa59331c 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 a0 b2 c5 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa59559a registers.esp: 3859600 registers.edi: 3859900 registers.eax: 0 registers.ebp: 3859912 registers.edx: 80064644 registers.ebx: 3863108 registers.esi: 44165796 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa598ed0 0xa59a1ea 0xa599b91 0xa5946a5 0xa59331c 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa598f13 registers.esp: 3859888 registers.edi: 3860228 registers.eax: 0 registers.ebp: 3859896 registers.edx: 0 registers.ebx: 3863108 registers.esi: 44165796 registers.ecx: 46295004	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa599d82 0xa599b91 0xa5946a5 0xa59331c 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 a0 b2 c5 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa59559a registers.esp: 3859600 registers.edi: 3859900 registers.eax: 0 registers.ebp: 3859912 registers.edx: 80064644 registers.ebx: 3863108 registers.esi: 44165796 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa598ed0 0xa59a1ea 0xa599b91 0xa5946a5 0xa59331c 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa598f13 registers.esp: 3859888 registers.edi: 3860228 registers.eax: 0 registers.ebp: 3859896 registers.edx: 0 registers.ebx: 3863108 registers.esi: 44165796 registers.ecx: 47785512	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa59a65c 0xa59a479 0xa59468d 0xa593422 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 a0 b2 c5 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa59559a registers.esp: 3859632 registers.edi: 3859932 registers.eax: 0 registers.ebp: 3859944 registers.edx: 80064644 registers.ebx: 3863108 registers.esi: 44165796 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa598ed0 0xa59aa1c 0xa59a479 0xa59468d 0xa593422 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa598f13 registers.esp: 3859920 registers.edi: 3860228 registers.eax: 0 registers.ebp: 3859928 registers.edx: 0 registers.ebx: 3863108 registers.esi: 44165796 registers.ecx: 44830088	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa59a65c 0xa59a479 0xa5946a5 0xa593422 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 a0 b2 c5 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa59559a registers.esp: 3859632 registers.edi: 3859932 registers.eax: 0 registers.ebp: 3859944 registers.edx: 80064644 registers.ebx: 3863108 registers.esi: 44165796 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa598ed0 0xa59aa1c 0xa59a479 0xa5946a5 0xa593422 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa598f13 registers.esp: 3859920 registers.edi: 3860228 registers.eax: 0 registers.ebp: 3859928 registers.edx: 0 registers.ebx: 3863108 registers.esi: 44165796 registers.ecx: 46323180	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa59a65c 0xa59a479 0xa5946a5 0xa593422 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 a0 b2 c5 04 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa59559a registers.esp: 3859632 registers.edi: 3859932 registers.eax: 0 registers.ebp: 3859944 registers.edx: 80064644 registers.ebx: 3863108 registers.esi: 44165796 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa598ed0 0xa59aa1c 0xa59a479 0xa5946a5 0xa593422 0xa5919e1 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa598f13 registers.esp: 3859920 registers.edi: 3860228 registers.eax: 0 registers.ebp: 3859928 registers.edx: 0 registers.ebx: 3863108 registers.esi: 44165796 registers.ecx: 47815984	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa598ed0 0xa59bda3 0xa59b34e 0xa591a39 0x9bd9ff 0x9b7c1d 0x9b72d3 0x9b3c6b 0x9b35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72652652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7266264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72662e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72717610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72cff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72d77f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72d74de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa598f13 registers.esp: 3861012 registers.edi: 3861276 registers.eax: 0 registers.ebp: 3861020 registers.edx: 0 registers.ebx: 3863108 registers.esi: 48357668 registers.ecx: 48364644	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0x8c9899 0x8c969b 0x8c7ad8 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8c99d0 registers.esp: 3927412 registers.edi: 3927464 registers.eax: 0 registers.ebp: 3927476 registers.edx: 6374456 registers.ebx: 3928908 registers.esi: 45718780 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa9b8041 0xa9b7ea2 0xa9b7d75 0xa9b609b 0xa9b50c9 0x8cd9ff 0x8c7c1d 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 00 ca c8 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9b8c82 registers.esp: 3925380 registers.edi: 3925680 registers.eax: 0 registers.ebp: 3925692 registers.edx: 13158372 registers.ebx: 3928908 registers.esi: 46409368 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa9bc5b0 0xa9b860c 0xa9b7ea2 0xa9b7d75 0xa9b609b 0xa9b50c9 0x8cd9ff 0x8c7c1d 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9bc5f3 registers.esp: 3925668 registers.edi: 3926012 registers.eax: 0 registers.ebp: 3925676 registers.edx: 0 registers.ebx: 3928908 registers.esi: 46409368 registers.ecx: 47659492	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa9b8041 0xa9b7ea2 0xa9b7d8d 0xa9b609b 0xa9b50c9 0x8cd9ff 0x8c7c1d 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 00 ca c8 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9b8c82 registers.esp: 3925380 registers.edi: 3925680 registers.eax: 0 registers.ebp: 3925692 registers.edx: 13158372 registers.ebx: 3928908 registers.esi: 46409368 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa9bc5b0 0xa9b860c 0xa9b7ea2 0xa9b7d8d 0xa9b609b 0xa9b50c9 0x8cd9ff 0x8c7c1d 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9bc5f3 registers.esp: 3925668 registers.edi: 3926012 registers.eax: 0 registers.ebp: 3925676 registers.edx: 0 registers.ebx: 3928908 registers.esi: 46409368 registers.ecx: 45363496	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa9b8041 0xa9b7ea2 0xa9b7d8d 0xa9b609b 0xa9b50c9 0x8cd9ff 0x8c7c1d 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 00 ca c8 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9b8c82 registers.esp: 3925380 registers.edi: 3925680 registers.eax: 0 registers.ebp: 3925692 registers.edx: 13158372 registers.ebx: 3928908 registers.esi: 45349352 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa9bc5b0 0xa9b860c 0xa9b7ea2 0xa9b7d8d 0xa9b609b 0xa9b50c9 0x8cd9ff 0x8c7c1d 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9bc5f3 registers.esp: 3925668 registers.edi: 3926012 registers.eax: 0 registers.ebp: 3925676 registers.edx: 0 registers.ebx: 3928908 registers.esi: 45349352 registers.ecx: 46722880	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa9bcb28 0xa9bc979 0xa9b7d75 0xa9b68e9 0xa9b50c9 0x8cd9ff 0x8c7c1d 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 00 ca c8 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9b8c82 registers.esp: 3925356 registers.edi: 3925656 registers.eax: 0 registers.ebp: 3925668 registers.edx: 13158372 registers.ebx: 3928908 registers.esi: 45349352 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa9bc5b0 0xa9bd0be 0xa9bc979 0xa9b7d75 0xa9b68e9 0xa9b50c9 0x8cd9ff 0x8c7c1d 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9bc5f3 registers.esp: 3925644 registers.edi: 3926036 registers.eax: 0 registers.ebp: 3925652 registers.edx: 0 registers.ebx: 3928908 registers.esi: 45349352 registers.ecx: 48264844	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa9bcb28 0xa9bc979 0xa9b7d8d 0xa9b68e9 0xa9b50c9 0x8cd9ff 0x8c7c1d 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 00 ca c8 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9b8c82 registers.esp: 3925356 registers.edi: 3925656 registers.eax: 0 registers.ebp: 3925668 registers.edx: 13158372 registers.ebx: 3928908 registers.esi: 45349352 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa9bc5b0 0xa9bd0be 0xa9bc979 0xa9b7d8d 0xa9b68e9 0xa9b50c9 0x8cd9ff 0x8c7c1d 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9bc5f3 registers.esp: 3925644 registers.edi: 3926036 registers.eax: 0 registers.ebp: 3925652 registers.edx: 0 registers.ebx: 3928908 registers.esi: 45349352 registers.ecx: 49614532	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa9bcb28 0xa9bc979 0xa9b7d8d 0xa9b68e9 0xa9b50c9 0x8cd9ff 0x8c7c1d 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 00 ca c8 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9b8c82 registers.esp: 3925356 registers.edi: 3925656 registers.eax: 0 registers.ebp: 3925668 registers.edx: 13158372 registers.ebx: 3928908 registers.esi: 45349352 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa9bc5b0 0xa9bd0be 0xa9bc979 0xa9b7d8d 0xa9b68e9 0xa9b50c9 0x8cd9ff 0x8c7c1d 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9bc5f3 registers.esp: 3925644 registers.edi: 3926036 registers.eax: 0 registers.ebp: 3925652 registers.edx: 0 registers.ebx: 3928908 registers.esi: 45349352 registers.ecx: 50964220	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa9bd462 0xa9bd271 0xa9b7d75 0xa9b6a04 0xa9b50c9 0x8cd9ff 0x8c7c1d 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 00 ca c8 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9b8c82 registers.esp: 3925408 registers.edi: 3925708 registers.eax: 0 registers.ebp: 3925720 registers.edx: 13158372 registers.ebx: 3928908 registers.esi: 45349352 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa9bc5b0 0xa9bd8ca 0xa9bd271 0xa9b7d75 0xa9b6a04 0xa9b50c9 0x8cd9ff 0x8c7c1d 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9bc5f3 registers.esp: 3925696 registers.edi: 3926036 registers.eax: 0 registers.ebp: 3925704 registers.edx: 0 registers.ebx: 3928908 registers.esi: 45349352 registers.ecx: 45970488	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa9bd462 0xa9bd271 0xa9b7d8d 0xa9b6a04 0xa9b50c9 0x8cd9ff 0x8c7c1d 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 00 ca c8 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9b8c82 registers.esp: 3925408 registers.edi: 3925708 registers.eax: 0 registers.ebp: 3925720 registers.edx: 13158372 registers.ebx: 3928908 registers.esi: 45331876 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa9bc5b0 0xa9bd8ca 0xa9bd271 0xa9b7d8d 0xa9b6a04 0xa9b50c9 0x8cd9ff 0x8c7c1d 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9bc5f3 registers.esp: 3925696 registers.edi: 3926036 registers.eax: 0 registers.ebp: 3925704 registers.edx: 0 registers.ebx: 3928908 registers.esi: 45331876 registers.ecx: 47461284	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa9bd462 0xa9bd271 0xa9b7d8d 0xa9b6a04 0xa9b50c9 0x8cd9ff 0x8c7c1d 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 00 ca c8 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9b8c82 registers.esp: 3925408 registers.edi: 3925708 registers.eax: 0 registers.ebp: 3925720 registers.edx: 13158372 registers.ebx: 3928908 registers.esi: 45331876 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa9bc5b0 0xa9bd8ca 0xa9bd271 0xa9b7d8d 0xa9b6a04 0xa9b50c9 0x8cd9ff 0x8c7c1d 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9bc5f3 registers.esp: 3925696 registers.edi: 3926036 registers.eax: 0 registers.ebp: 3925704 registers.edx: 0 registers.ebx: 3928908 registers.esi: 45331876 registers.ecx: 48951792	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa9bdd3c 0xa9bdb59 0xa9b7d75 0xa9b6b0a 0xa9b50c9 0x8cd9ff 0x8c7c1d 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 00 ca c8 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9b8c82 registers.esp: 3925440 registers.edi: 3925740 registers.eax: 0 registers.ebp: 3925752 registers.edx: 13158372 registers.ebx: 3928908 registers.esi: 45331876 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa9bc5b0 0xa9be0fc 0xa9bdb59 0xa9b7d75 0xa9b6b0a 0xa9b50c9 0x8cd9ff 0x8c7c1d 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9bc5f3 registers.esp: 3925728 registers.edi: 3926036 registers.eax: 0 registers.ebp: 3925736 registers.edx: 0 registers.ebx: 3928908 registers.esi: 45331876 registers.ecx: 45996104	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa9bdd3c 0xa9bdb59 0xa9b7d8d 0xa9b6b0a 0xa9b50c9 0x8cd9ff 0x8c7c1d 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 00 ca c8 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9b8c82 registers.esp: 3925440 registers.edi: 3925740 registers.eax: 0 registers.ebp: 3925752 registers.edx: 13158372 registers.ebx: 3928908 registers.esi: 45331876 registers.ecx: 0	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa9bc5b0 0xa9be0fc 0xa9bdb59 0xa9b7d8d 0xa9b6b0a 0xa9b50c9 0x8cd9ff 0x8c7c1d 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9bc5f3 registers.esp: 3925728 registers.edi: 3926036 registers.eax: 0 registers.ebp: 3925736 registers.edx: 0 registers.ebx: 3928908 registers.esi: 45331876 registers.ecx: 47489196	1
__exception__ Sept. 14, 2023, 7:46 a.m.	stacktrace: 0xa9bdd3c 0xa9bdb59 0xa9b7d8d 0xa9b6b0a 0xa9b50c9 0x8cd9ff 0x8c7c1d 0x8c72d3 0x8c3c6b 0x8c35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72572652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7258264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72582e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72637610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72c27f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72c24de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 00 ca c8 00 89 85 04 ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9b8c82 registers.esp: 3925440 registers.edi: 3925740 registers.eax: 0 registers.ebp: 3925752 registers.edx: 13158372 registers.ebx: 3928908 registers.esi: 45331876 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, Connection to IP address

suspicious_request

POST http://5.42.92.211/loghub/master

Performs some HTTP requests (1 event)

request

POST http://5.42.92.211/loghub/master

Sends data using the HTTP POST Method (1 event)

request

POST http://5.42.92.211/loghub/master

Allocates read-write-execute memory (usually to unpack itself) (50 out of 306 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73be1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73251000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 2860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 2860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3040 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c92000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7263b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72651000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72652000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3040 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00655000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00657000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0063c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x715aa000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0064a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00647000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:46 a.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00646000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:46 a.m.	process_identifier: 3040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e16f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:46 a.m.	process_identifier: 3040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:46 a.m.	process_identifier: 3040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 940 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c92000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7263b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72651000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72652000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 940 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00462000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x715aa000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (6 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Sept. 14, 2023, 7:45 a.m.	number_of_free_clusters: 3252706 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 14, 2023, 7:45 a.m.	number_of_free_clusters: 3252706 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 14, 2023, 7:45 a.m.	number_of_free_clusters: 3252493 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 14, 2023, 7:45 a.m.	number_of_free_clusters: 3252493 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 14, 2023, 7:45 a.m.	number_of_free_clusters: 3252380 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 14, 2023, 7:45 a.m.	number_of_free_clusters: 3252380 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (50 out of 158 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielpathgobddffflal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnpath
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\gjagmgpathdbbciopjhllkdnddhcglnemk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\naepdomgkenhinolocfifgehpathddafch
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghpathoadd
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jhgnbkkipaallpehbohjmkbjofjdmepath
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbml
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae

Creates executable files on the filesystem (8 events)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\k0317679.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\i4566933.exe
file	C:\Users\test22\AppData\Local\Temp\P4ZrEvvyKgoUNz0.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\j7547682.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\x5569196.exe
file	C:\Users\test22\AppData\Local\Temp\pJwAhlqKh3tdgD54.dll
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\g3627214.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\x0740785.exe

Creates a suspicious process (2 events)

cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\P4ZrEvvyKgoUNz0.exe" /tn "\WindowsAppPool\P4ZrEvvyKgoUNz0"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\P4ZrEvvyKgoUNz0.exe" /tn "\WindowsAppPool\P4ZrEvvyKgoUNz0"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\P4ZrEvvyKgoUNz0.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\x5569196.exe
file	C:\Users\test22\AppData\Local\Temp\P4ZrEvvyKgoUNz0.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\k0317679.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Sept. 14, 2023, 7:46 a.m.	thread_identifier: 2728 thread_handle: 0x0000030c process_identifier: 1852 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\P4ZrEvvyKgoUNz0.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\P4ZrEvvyKgoUNz0.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000310	1	1	0
CreateProcessInternalW Sept. 14, 2023, 7:46 a.m.	thread_identifier: 2288 thread_handle: 0x00000318 process_identifier: 2300 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\P4ZrEvvyKgoUNz0.exe" /tn "\WindowsAppPool\P4ZrEvvyKgoUNz0" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000314	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000b6a00', u'virtual_address': u'0x00033000', u'entropy': 7.898360464105062, u'name': u'.bsp', u'virtual_size': u'0x000b6810'}

entropy

7.89836046411

description

A section with a high entropy has been found

entropy

0.786752827141

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 14, 2023, 7:45 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 14, 2023, 7:46 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 14, 2023, 7:46 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 14, 2023, 7:46 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (29 events)

description	Escalate priviledges	rule	Escalate_priviledges
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Install itself for autorun at Windows startup	rule	Persistence
description	RedLine stealer	rule	RedLine_Stealer_m_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 117 events)

Time & API	Arguments	Status
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000003b4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: AddressBook base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: Connection Manager base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: DirectDrawEx base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: EditPlus base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: ENTERPRISE base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: Fontcore base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: Google Chrome base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: IE40 base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: IE4Data base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: IE5BAKEX base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: IEData base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: MobileOptionPack base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: SchedulingAgent base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: WIC base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x000003b4 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: AddressBook base_handle: 0x000002a0 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: Connection Manager base_handle: 0x000002a0 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: DirectDrawEx base_handle: 0x000002a0 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: EditPlus base_handle: 0x000002a0 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: ENTERPRISE base_handle: 0x000002a0 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: Fontcore base_handle: 0x000002a0 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: Google Chrome base_handle: 0x000002a0 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000002a0 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: IE40 base_handle: 0x000002a0 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Sept. 14, 2023, 7:46 a.m.	regkey_r: IE4Data base_handle: 0x000002a0 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1

Terminates another process (4 events)

Time & API	Arguments	Status
NtTerminateProcess Sept. 14, 2023, 7:45 a.m.	status_code: 0x00000005 process_identifier: 2968 process_handle: 0x00000120
NtTerminateProcess Sept. 14, 2023, 7:45 a.m.	status_code: 0x00000005 process_identifier: 2968 process_handle: 0x00000120	1
NtTerminateProcess Sept. 14, 2023, 7:45 a.m.	status_code: 0x00000005 process_identifier: 3004 process_handle: 0x00000124
NtTerminateProcess Sept. 14, 2023, 7:45 a.m.	status_code: 0x00000005 process_identifier: 3004 process_handle: 0x00000124	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\P4ZrEvvyKgoUNz0.exe" /tn "\WindowsAppPool\P4ZrEvvyKgoUNz0"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\P4ZrEvvyKgoUNz0.exe" /tn "\WindowsAppPool\P4ZrEvvyKgoUNz0"

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (2 events)

host	5.42.92.211
host	77.91.124.82

Allocates execute permission to another process indicative of possible code injection (5 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 2748 region_size: 765952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000040	1	0
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 2968 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000120		3221225496
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3004 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000124		3221225496
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3040 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000134	1	0
NtAllocateVirtualMemory Sept. 14, 2023, 7:46 a.m.	process_identifier: 3032 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000dc	1	0

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService Sept. 14, 2023, 7:45 a.m.	service_handle: 0x00543488 service_name: WinDefend control_code: 1		0	0
ControlService Sept. 14, 2023, 7:46 a.m.	service_handle: 0x00552268 service_name: wuauserv control_code: 1		0	0

Installs itself for autorun at Windows startup (5 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\P4ZrEvvyKgoUNz0.exe" /tn "\WindowsAppPool\P4ZrEvvyKgoUNz0"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\P4ZrEvvyKgoUNz0.exe" /tn "\WindowsAppPool\P4ZrEvvyKgoUNz0"

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Manipulates memory of a non-child process indicative of process injection (4 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 2904 manipulating memory of non-child process 2968
Process injection	Process 2904 manipulating memory of non-child process 3004
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 2968 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000120	3221225496	0
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3004 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000124	3221225496	0

Potential code injection by writing to the memory of another process (11 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $×â%KÔKÔKÔöåNÕKÔöåHÕKÔöåOÕKÔöåJÕKÔJÔ KÔöåCÕKÔöå´ÔKÔöåIÕKÔRichKÔPELâ`bà dö `j@ °©N@Á ¢´ÀÄ× T@ .textcd `.dataHh@À.idataR j@@.rsrcà ÀØ \|@@.reloc T@B base_address: 0x00400000 process_identifier: 2748 process_handle: 0x00000040	1	1
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: Næ@»±¿DSystem\CurrentControlSet\Control\Session Managerrundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"Software\Microsoft\Windows\CurrentVersion\RunOncewextract_cleanup%drundll32.exe %s,InstallHinfSection %s 128 %sPendingFileRenameOperationsDefaultInstallCommand.com /c %s%s /D:%sSystem\CurrentControlSet\Control\Session Manager\FileRenameOperationsSHELL32.DLLDoInfInstallSHBrowseForFolderSHGetPathFromIDList*MEMCABþÿÿÿþÿÿÿ base_address: 0x00408000 process_identifier: 2748 process_handle: 0x00000040	1	1
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: À00D0H0P0X0°0¼0À0R7÷788'8.8W8n888¬8¶8í8ô899.9F9f9\|999¥9¯9Á9ì9:&:K:Q:d:l:ô:/;<;¡;Ü;é;<<A<Y<u<<<<ª<¯<´<º<Ä<Ï<ú<===$=.=<====Ê=>>F>³>¼>Ê>ë>ý>?)?0?O?Z?o?°?È?Õ?é?ü? h000"060000¦0¿0Ë0ì0ò01 1$1/161F1]1f111©1Ã1æ1ò1÷12232?2K2R2s2~22¥2Î2Ú233"3.3d3p3\|33×3ø3"4)424=4Y44¥4±4À4Ç4ì455.5=5N5W5©5´5Ä5Í5ß5ö566<6V66¦6½6î6&7Y77ª7·7¾7å7+8H8T8r8¢8¬8»8F9Z9k999¤9#:q::¸:â:è:ô:; ;W;;Í;Ö;<<<#<<?<Y<x<<<<<¶<Í<Õ<å<õ<= ==6=<=B=I=N=p===°=µ=¿=Î=Ú=ñ=>>>!><>D>U>\>h>p>y>>>²>¾>Ù>)?5?A?X???´?Á?È?Ü?â?ú?0\|0000=0V0g0q0}0000¤0ì0ò0=1M1_1l1q1x111111¥1²1Ì1Ò1b2m2s2¦2²2Ê2Ð2ã2ð23343^3}3¦3¯3Î3ä3ò3ù344(4/4A44444´4º4Æ4Í4Ú41575C5[5a5g5s5555£5©5¯5Ã5É5Ú5ó5ú5666%661696>6j6s6¡6´6Í6Ü6ú6%7_7e7j7{777¯7´7»7Á7±9Å9ê9ó9:G:_:d::¯:µ:»:Æ:Ì:Ò:Ý:î:ö:;;;;/;C;L;U;^;};;;±;Ä;Õ;Þ;ã;#<5<<<®<Ê<Þ<=(=7=a=p=~==Ê=Ò=ð=> >(>>>X>d>l>x>>¯>Ï>â>ö>?!?B?I?x????Ä?Ê?Ü?û?@x50K0^0j0q000ª0°0Ë0Þ0ë01,1Q1_1t11¬1Æ1Í1é120282G2N2e2u2\|222¡2¦2¸2¾2Ä2Ò2Ø2ë23333<3E3X3`3j3333§3Ù3ó3 4%404<4I4¤4Å4Ð4å455F5V5¥5å5626[6h6q6¢6«6Å6Î6Õ6ç6ñ6C77777£7Ä7Ô7ì7ø7%838I8f8q8à89[9e999§9Ã9Ì9Þ9ç9ì9ò9ø9:::5:;:]:m:s::::³:×:â:;;;%;+;3;D;V;p;z;;;;;;¦;Ñ;é;ô;ÿ;#<)<E<V<h<z<<¬<Ê<Ü<ç<7=·=Ì=ß=ä=y> >«>º>Ë>Ú>é>õ>?"?'?,?1?6?;?@?F?^?y??ª?ç?ú?P\|0000!02090F0L0S0b0~0000000£0©0·0½0Ã0È0Ï0ß0ê0ð0111#1<1E1U1[1g1l111 1²1·1Á1ð12$212R2X2c2j2u22 2¨2Â2Î2Ù2ä2ô2ü2333#3,353L3_3e3u3\|333Á3ý344!4-464T4a4s4¬4»4Ë4ê4ñ4ø4ÿ4 55?5I5b5k5q5}55¬5¾5Ñ5ò56"6(636:6G6N6S6a6o66¤6¯6»6õ6 797Ï7Ô7ñ7828>8z8¢8é89$9E9O9^9e9v99ª9±9Ò9:B:f:::§:¾:";7;D;L;T;^;;¾;Í;Ú;þ;ª<ð<Ô=á=ò=ø=þ=>@>¦>°>Î>ã>??$?-?6?B?H?g?q?©?Ã?Ù?` 0040>0¬0³0À0Ü01Á1Ü1è1ó1ú12A2`22¡2´2Ï2Ö2333G3Y3a3¥3Ì3ì3/4<4]4o4\|4¡44Ã4á4û45!5,5:5Y5b5¼566+676`66³6è6C7¯7¼7Ò7Ù7ä7 88+888_8p8©8Ã8Î8ê8ö8949<999¸9Ä9Ê9Ñ9Ú9à9è9î9û9: :!:&:,:1:6:;:@:F:N:m:::¶:Á:Ó:Û:à:å:; ;;;&;5;=;E;Y;a;h;§;±;·;Á;Ü; <<< <)<.<^<x<<<<<¸<Â<Í<â<ù<= ==&=,=2=8=>=D=K=R=Y=`=g=n=u=}====¢=§==·=Á=Ñ=á=ç=ò=ø=>>>0>6><>B>H>N>U>\>c>j>q>x>>>>>¡>¦>¬>¶>À>Ð>Ù>)?A?G?P?W?Ç?ö?pDh0m000±0·0f1111¥1º1Ï1Þ1æ1û12 2&222¥2«2±2Ì2Ð2ì2ð233 2 base_address: 0x004ba000 process_identifier: 2748 process_handle: 0x00000040	1	1
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2748 process_handle: 0x00000040	1	1
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÔãà"0"ò@ `@ @@O`@8 H.textø " `.rsrc`$@@.reloc*@B base_address: 0x00400000 process_identifier: 3040 process_handle: 0x00000134	1	1
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: P8h`4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°lStringFileInfoH000004b0Comments"CompanyName6FileDescriptionHealer0FileVersion1.0.0.06InternalNameHealer.exeHLegalCopyrightCopyright © 2023*LegalTrademarks>OriginalFilenameHealer.exe.ProductNameHealer4ProductVersion1.0.0.08Assembly Version1.0.0.0¬cêï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00406000 process_identifier: 3040 process_handle: 0x00000134	1	1
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: @ô0 base_address: 0x00408000 process_identifier: 3040 process_handle: 0x00000134	1	1
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3040 process_handle: 0x00000134	1	1
WriteProcessMemory Sept. 14, 2023, 7:46 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELªú8à07 @@ @H7S@Và H.text¤ `.rsrcV@@@.relocà¶@B base_address: 0x00400000 process_identifier: 3032 process_handle: 0x000000dc	1	1
WriteProcessMemory Sept. 14, 2023, 7:46 a.m.	buffer: 0 7 base_address: 0x0042e000 process_identifier: 3032 process_handle: 0x000000dc	1	1
WriteProcessMemory Sept. 14, 2023, 7:46 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3032 process_handle: 0x000000dc	1	1

Code injection by writing an executable or DLL to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $×â%KÔKÔKÔöåNÕKÔöåHÕKÔöåOÕKÔöåJÕKÔJÔ KÔöåCÕKÔöå´ÔKÔöåIÕKÔRichKÔPELâ`bà dö `j@ °©N@Á ¢´ÀÄ× T@ .textcd `.dataHh@À.idataR j@@.rsrcà ÀØ \|@@.reloc T@B base_address: 0x00400000 process_identifier: 2748 process_handle: 0x00000040	1	1
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÔãà"0"ò@ `@ @@O`@8 H.textø " `.rsrc`$@@.reloc*@B base_address: 0x00400000 process_identifier: 3040 process_handle: 0x00000134	1	1
WriteProcessMemory Sept. 14, 2023, 7:46 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELªú8à07 @@ @H7S@Và H.text¤ `.rsrcV@@@.relocà¶@B base_address: 0x00400000 process_identifier: 3032 process_handle: 0x000000dc	1	1

Collects information about installed applications (50 out of 81 events)

Time & API	Arguments	Status
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2023, 7:46 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 called NtSetContextThread to modify thread in remote process 2748
Process injection	Process 2904 called NtSetContextThread to modify thread in remote process 3040
Process injection	Process 2796 called NtSetContextThread to modify thread in remote process 3032
NtSetContextThread Sept. 14, 2023, 7:45 a.m.	registers.eip: 1995571652 registers.esp: 3735264 registers.edi: 0 registers.eax: 4221536 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000002c process_identifier: 2748	1	0	0
NtSetContextThread Sept. 14, 2023, 7:45 a.m.	registers.eip: 1995571652 registers.esp: 1767936 registers.edi: 0 registers.eax: 4210930 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000138 process_identifier: 3040	1	0	0
NtSetContextThread Sept. 14, 2023, 7:46 a.m.	registers.eip: 1995571652 registers.esp: 3930204 registers.edi: 0 registers.eax: 4339614 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000002c process_identifier: 3032	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 resumed a thread in remote process 2748
Process injection	Process 2904 resumed a thread in remote process 3040
Process injection	Process 2796 resumed a thread in remote process 3032
NtResumeThread Sept. 14, 2023, 7:45 a.m.	thread_handle: 0x0000002c suspend_count: 1 process_identifier: 2748	1	0	0
NtResumeThread Sept. 14, 2023, 7:45 a.m.	thread_handle: 0x00000138 suspend_count: 1 process_identifier: 3040	1	0	0
NtResumeThread Sept. 14, 2023, 7:46 a.m.	thread_handle: 0x0000002c suspend_count: 1 process_identifier: 3032	1	0	0

Disables Windows Security features (6 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

Executed a process and injected code into it, probably while unpacking (50 out of 73 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Sept. 14, 2023, 7:45 a.m.	thread_identifier: 2752 thread_handle: 0x0000002c process_identifier: 2748 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000040	1	1
NtGetContextThread Sept. 14, 2023, 7:45 a.m.	thread_handle: 0x0000002c	1	0
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 2748 region_size: 765952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000040	1	0
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $×â%KÔKÔKÔöåNÕKÔöåHÕKÔöåOÕKÔöåJÕKÔJÔ KÔöåCÕKÔöå´ÔKÔöåIÕKÔRichKÔPELâ`bà dö `j@ °©N@Á ¢´ÀÄ× T@ .textcd `.dataHh@À.idataR j@@.rsrcà ÀØ \|@@.reloc T@B base_address: 0x00400000 process_identifier: 2748 process_handle: 0x00000040	1	1
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: base_address: 0x00401000 process_identifier: 2748 process_handle: 0x00000040	1	1
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: Næ@»±¿DSystem\CurrentControlSet\Control\Session Managerrundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"Software\Microsoft\Windows\CurrentVersion\RunOncewextract_cleanup%drundll32.exe %s,InstallHinfSection %s 128 %sPendingFileRenameOperationsDefaultInstallCommand.com /c %s%s /D:%sSystem\CurrentControlSet\Control\Session Manager\FileRenameOperationsSHELL32.DLLDoInfInstallSHBrowseForFolderSHGetPathFromIDList*MEMCABþÿÿÿþÿÿÿ base_address: 0x00408000 process_identifier: 2748 process_handle: 0x00000040	1	1
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: base_address: 0x0040a000 process_identifier: 2748 process_handle: 0x00000040	1	1
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: base_address: 0x0040c000 process_identifier: 2748 process_handle: 0x00000040	1	1
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: À00D0H0P0X0°0¼0À0R7÷788'8.8W8n888¬8¶8í8ô899.9F9f9\|999¥9¯9Á9ì9:&:K:Q:d:l:ô:/;<;¡;Ü;é;<<A<Y<u<<<<ª<¯<´<º<Ä<Ï<ú<===$=.=<====Ê=>>F>³>¼>Ê>ë>ý>?)?0?O?Z?o?°?È?Õ?é?ü? h000"060000¦0¿0Ë0ì0ò01 1$1/161F1]1f111©1Ã1æ1ò1÷12232?2K2R2s2~22¥2Î2Ú233"3.3d3p3\|33×3ø3"4)424=4Y44¥4±4À4Ç4ì455.5=5N5W5©5´5Ä5Í5ß5ö566<6V66¦6½6î6&7Y77ª7·7¾7å7+8H8T8r8¢8¬8»8F9Z9k999¤9#:q::¸:â:è:ô:; ;W;;Í;Ö;<<<#<<?<Y<x<<<<<¶<Í<Õ<å<õ<= ==6=<=B=I=N=p===°=µ=¿=Î=Ú=ñ=>>>!><>D>U>\>h>p>y>>>²>¾>Ù>)?5?A?X???´?Á?È?Ü?â?ú?0\|0000=0V0g0q0}0000¤0ì0ò0=1M1_1l1q1x111111¥1²1Ì1Ò1b2m2s2¦2²2Ê2Ð2ã2ð23343^3}3¦3¯3Î3ä3ò3ù344(4/4A44444´4º4Æ4Í4Ú41575C5[5a5g5s5555£5©5¯5Ã5É5Ú5ó5ú5666%661696>6j6s6¡6´6Í6Ü6ú6%7_7e7j7{777¯7´7»7Á7±9Å9ê9ó9:G:_:d::¯:µ:»:Æ:Ì:Ò:Ý:î:ö:;;;;/;C;L;U;^;};;;±;Ä;Õ;Þ;ã;#<5<<<®<Ê<Þ<=(=7=a=p=~==Ê=Ò=ð=> >(>>>X>d>l>x>>¯>Ï>â>ö>?!?B?I?x????Ä?Ê?Ü?û?@x50K0^0j0q000ª0°0Ë0Þ0ë01,1Q1_1t11¬1Æ1Í1é120282G2N2e2u2\|222¡2¦2¸2¾2Ä2Ò2Ø2ë23333<3E3X3`3j3333§3Ù3ó3 4%404<4I4¤4Å4Ð4å455F5V5¥5å5626[6h6q6¢6«6Å6Î6Õ6ç6ñ6C77777£7Ä7Ô7ì7ø7%838I8f8q8à89[9e999§9Ã9Ì9Þ9ç9ì9ò9ø9:::5:;:]:m:s::::³:×:â:;;;%;+;3;D;V;p;z;;;;;;¦;Ñ;é;ô;ÿ;#<)<E<V<h<z<<¬<Ê<Ü<ç<7=·=Ì=ß=ä=y> >«>º>Ë>Ú>é>õ>?"?'?,?1?6?;?@?F?^?y??ª?ç?ú?P\|0000!02090F0L0S0b0~0000000£0©0·0½0Ã0È0Ï0ß0ê0ð0111#1<1E1U1[1g1l111 1²1·1Á1ð12$212R2X2c2j2u22 2¨2Â2Î2Ù2ä2ô2ü2333#3,353L3_3e3u3\|333Á3ý344!4-464T4a4s4¬4»4Ë4ê4ñ4ø4ÿ4 55?5I5b5k5q5}55¬5¾5Ñ5ò56"6(636:6G6N6S6a6o66¤6¯6»6õ6 797Ï7Ô7ñ7828>8z8¢8é89$9E9O9^9e9v99ª9±9Ò9:B:f:::§:¾:";7;D;L;T;^;;¾;Í;Ú;þ;ª<ð<Ô=á=ò=ø=þ=>@>¦>°>Î>ã>??$?-?6?B?H?g?q?©?Ã?Ù?` 0040>0¬0³0À0Ü01Á1Ü1è1ó1ú12A2`22¡2´2Ï2Ö2333G3Y3a3¥3Ì3ì3/4<4]4o4\|4¡44Ã4á4û45!5,5:5Y5b5¼566+676`66³6è6C7¯7¼7Ò7Ù7ä7 88+888_8p8©8Ã8Î8ê8ö8949<999¸9Ä9Ê9Ñ9Ú9à9è9î9û9: :!:&:,:1:6:;:@:F:N:m:::¶:Á:Ó:Û:à:å:; ;;;&;5;=;E;Y;a;h;§;±;·;Á;Ü; <<< <)<.<^<x<<<<<¸<Â<Í<â<ù<= ==&=,=2=8=>=D=K=R=Y=`=g=n=u=}====¢=§==·=Á=Ñ=á=ç=ò=ø=>>>0>6><>B>H>N>U>\>c>j>q>x>>>>>¡>¦>¬>¶>À>Ð>Ù>)?A?G?P?W?Ç?ö?pDh0m000±0·0f1111¥1º1Ï1Þ1æ1û12 2&222¥2«2±2Ì2Ð2ì2ð233 2 base_address: 0x004ba000 process_identifier: 2748 process_handle: 0x00000040	1	1
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2748 process_handle: 0x00000040	1	1
NtSetContextThread Sept. 14, 2023, 7:45 a.m.	registers.eip: 1995571652 registers.esp: 3735264 registers.edi: 0 registers.eax: 4221536 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000002c process_identifier: 2748	1	0
NtResumeThread Sept. 14, 2023, 7:45 a.m.	thread_handle: 0x0000002c suspend_count: 1 process_identifier: 2748	1	0
CreateProcessInternalW Sept. 14, 2023, 7:45 a.m.	thread_identifier: 2820 thread_handle: 0x0000001c process_identifier: 2816 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\x5569196.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x000000dc	1	1
CreateProcessInternalW Sept. 14, 2023, 7:46 a.m.	thread_identifier: 2788 thread_handle: 0x000000dc process_identifier: 2796 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\k0317679.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Sept. 14, 2023, 7:45 a.m.	thread_identifier: 2864 thread_handle: 0x0000001c process_identifier: 2860 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\x0740785.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000124	1	1
CreateProcessInternalW Sept. 14, 2023, 7:46 a.m.	thread_identifier: 2620 thread_handle: 0x00000124 process_identifier: 2616 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\j7547682.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Sept. 14, 2023, 7:45 a.m.	thread_identifier: 2908 thread_handle: 0x0000001c process_identifier: 2904 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP002.TMP\g3627214.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000124	1	1
CreateProcessInternalW Sept. 14, 2023, 7:45 a.m.	thread_identifier: 1964 thread_handle: 0x00000124 process_identifier: 940 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP002.TMP\i4566933.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Sept. 14, 2023, 7:45 a.m.	thread_identifier: 2972 thread_handle: 0x0000011c process_identifier: 2968 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000120	1	1
NtGetContextThread Sept. 14, 2023, 7:45 a.m.	thread_handle: 0x0000011c	1	0
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 2968 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000120		3221225496
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: base_address: 0x00000000 process_identifier: 2968 process_handle: 0x00000120		0
CreateProcessInternalW Sept. 14, 2023, 7:45 a.m.	thread_identifier: 3008 thread_handle: 0x00000128 process_identifier: 3004 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000124	1	1
NtGetContextThread Sept. 14, 2023, 7:45 a.m.	thread_handle: 0x00000128	1	0
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3004 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000124		3221225496
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: base_address: 0x00000000 process_identifier: 3004 process_handle: 0x00000124		0
CreateProcessInternalW Sept. 14, 2023, 7:45 a.m.	thread_identifier: 3044 thread_handle: 0x00000138 process_identifier: 3040 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000134	1	1
NtGetContextThread Sept. 14, 2023, 7:45 a.m.	thread_handle: 0x00000138	1	0
NtAllocateVirtualMemory Sept. 14, 2023, 7:45 a.m.	process_identifier: 3040 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000134	1	0
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÔãà"0"ò@ `@ @@O`@8 H.textø " `.rsrc`$@@.reloc*@B base_address: 0x00400000 process_identifier: 3040 process_handle: 0x00000134	1	1
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: base_address: 0x00402000 process_identifier: 3040 process_handle: 0x00000134	1	1
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: P8h`4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°lStringFileInfoH000004b0Comments"CompanyName6FileDescriptionHealer0FileVersion1.0.0.06InternalNameHealer.exeHLegalCopyrightCopyright © 2023*LegalTrademarks>OriginalFilenameHealer.exe.ProductNameHealer4ProductVersion1.0.0.08Assembly Version1.0.0.0¬cêï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00406000 process_identifier: 3040 process_handle: 0x00000134	1	1
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: @ô0 base_address: 0x00408000 process_identifier: 3040 process_handle: 0x00000134	1	1
WriteProcessMemory Sept. 14, 2023, 7:45 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3040 process_handle: 0x00000134	1	1
NtSetContextThread Sept. 14, 2023, 7:45 a.m.	registers.eip: 1995571652 registers.esp: 1767936 registers.edi: 0 registers.eax: 4210930 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000138 process_identifier: 3040	1	0
NtResumeThread Sept. 14, 2023, 7:45 a.m.	thread_handle: 0x00000138 suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread Sept. 14, 2023, 7:45 a.m.	thread_handle: 0x00000184 suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread Sept. 14, 2023, 7:45 a.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread Sept. 14, 2023, 7:45 a.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread Sept. 14, 2023, 7:45 a.m.	thread_handle: 0x00000184 suspend_count: 1 process_identifier: 940	1	0
NtResumeThread Sept. 14, 2023, 7:45 a.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 940	1	0
NtResumeThread Sept. 14, 2023, 7:45 a.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 940	1	0
NtResumeThread Sept. 14, 2023, 7:45 a.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 940	1	0
NtGetContextThread Sept. 14, 2023, 7:45 a.m.	thread_handle: 0x00000194	1	0
NtGetContextThread Sept. 14, 2023, 7:45 a.m.	thread_handle: 0x00000194	1	0
NtResumeThread Sept. 14, 2023, 7:45 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 940	1	0
CreateProcessInternalW Sept. 14, 2023, 7:46 a.m.	thread_identifier: 2728 thread_handle: 0x0000030c process_identifier: 1852 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\P4ZrEvvyKgoUNz0.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\P4ZrEvvyKgoUNz0.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000310	1	1
CreateProcessInternalW Sept. 14, 2023, 7:46 a.m.	thread_identifier: 2288 thread_handle: 0x00000318 process_identifier: 2300 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\P4ZrEvvyKgoUNz0.exe" /tn "\WindowsAppPool\P4ZrEvvyKgoUNz0" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000314	1	1
NtResumeThread Sept. 14, 2023, 7:46 a.m.	thread_handle: 0x00000184 suspend_count: 1 process_identifier: 1852	1	0
NtResumeThread Sept. 14, 2023, 7:46 a.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 1852	1	0

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Zusy.487806
FireEye	Generic.mg.0a0d272e135bf0aa
ALYac	Gen:Variant.Zusy.487806
Malwarebytes	Trojan.Injector
Cybereason	malicious.1c5d81
Arcabit	Trojan.Zusy.D7717E
Cyren	W32/Kryptik.KQV.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HTQR
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	VHO:Backdoor.Win32.Agent.gen
BitDefender	Gen:Variant.Zusy.487806
Avast	Win32:CrypterX-gen [Trj]
Emsisoft	Gen:Variant.Zusy.487806 (B)
DrWeb	Trojan.Inject4.61027
VIPRE	Gen:Variant.Zusy.487806
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
Trapmine	suspicious.low.ml.score
Sophos	Generic ML PUA (PUA)
Antiy-AVL	Trojan/Win32.Sabsik
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	VHO:Backdoor.Win32.Agent.gen
GData	Gen:Variant.Zusy.487806
Google	Detected
MAX	malware (ai score=81)
Panda	Trj/GdSda.A
Rising	Trojan.Generic@AI.100 (RDML:pi0ojEbFXsHwYeLWNaby+A)
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.121218.susgen
BitDefenderTheta	Gen:NN.ZexaF.36662.6yW@a0dqZvji
AVG	Win32:CrypterX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_70% (D)

foto5445.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All