Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 3, 2023, 1:56 p.m.	Oct. 3, 2023, 1:58 p.m.

Size	451.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`76599bf790a73e2b744baf9a32e85f68`
SHA256	`7ad4833a0a350da2896e61f57df12dd34e3f22c8e80e75184550b61176594eb0`
CRC32	`71CC2617`
ssdeep	`6144:UJCvLUCa8FDbtUhB8wNHVi2dpgaUIVdrjc:UwLFjFUhB1HVx1JVe`
Yara	UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description)

explorer.exe "C:\Users\test22\AppData\Local\Temp\explorer.exe"
3048
- schtasks.exe schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\test22\AppData\Roaming\WinExplorer\explorer.exe'"
  2380
- explorer.exe "C:\Users\test22\AppData\Roaming\WinExplorer\explorer.exe"
  2512

Name	Response	Post-Analysis Lookup
pastebin.com	A 172.67.34.170 A 104.20.67.143 A 104.20.68.143	104.20.68.143

IP Address	Status	Action
104.20.68.143	Active	Moloch
164.124.101.2	Active	Moloch
185.236.228.50	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49165 -> 104.20.68.143:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49165 104.20.68.143:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c7:af:cc:81:4d:27:d1:4c:7c:f4:bf:5d:55:9d:80:50:3b:6f:6c:cd

Queries for the computername (50 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 3, 2023, 1:56 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 3, 2023, 1:56 p.m.			0	0
IsDebuggerPresent Oct. 3, 2023, 1:56 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 3, 2023, 1:56 p.m.	buffer: SUCCESS: The scheduled task "LimeRAT-Admin" has successfully been created. console_handle: 0x00000007	1	1	0

One or more processes crashed (22 events)

Time & API	Arguments	Status
__exception__ Oct. 3, 2023, 1:56 p.m.	stacktrace: 0x6205be 0x620333 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e81b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e98dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73ea6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73ea6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73ea6a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73f46a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73f469ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73f46eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73f470b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73f46fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x746c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x746c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 01 ff 50 28 89 45 d8 eb 1f 8b c8 e8 ee c6 56 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x620711 registers.esp: 3273016 registers.edi: 40521576 registers.eax: 0 registers.ebp: 3273060 registers.edx: 158 registers.ebx: 3273244 registers.esi: 40551456 registers.ecx: 0	1
__exception__ Oct. 3, 2023, 1:56 p.m.	stacktrace: 0x7405be 0x740333 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e01b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e18dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73e26a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73e26a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73e26a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ec6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ec69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ec6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ec70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ec6fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x743bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x746c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x746c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 01 ff 50 28 89 45 d8 eb 1f 8b c8 e8 ee c6 3e exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x740711 registers.esp: 2028072 registers.edi: 39866540 registers.eax: 0 registers.ebp: 2028116 registers.edx: 158 registers.ebx: 2028300 registers.esi: 39896420 registers.ecx: 0	1
__exception__ Oct. 3, 2023, 1:56 p.m.	stacktrace: mscorlib+0x216e76 @ 0x71de6e76 mscorlib+0x2202ff @ 0x71df02ff mscorlib+0x216df4 @ 0x71de6df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e01b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e18dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73e26a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73e26a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73e26a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x73ea3191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73e5192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73e518cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73e517f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73e5197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x73ea2f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x73ea303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x73f6805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 39 09 e8 dc 4d 86 72 85 c0 0f 8e 78 ff ff ff 8b exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x740afd registers.esp: 95809232 registers.edi: 0 registers.eax: 1 registers.ebp: 95809272 registers.edx: 4194303999 registers.ebx: 39870452 registers.esi: 39866340 registers.ecx: 0	1
__exception__ Oct. 3, 2023, 1:56 p.m.	stacktrace: 0x7405be 0x740f47 0x740e16 mscorlib+0x216e76 @ 0x71de6e76 mscorlib+0x2202ff @ 0x71df02ff mscorlib+0x216df4 @ 0x71de6df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e01b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e18dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73e26a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73e26a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73e26a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x73ea3191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73e5192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73e518cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73e517f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73e5197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x73ea2f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x73ea303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x73f6805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 01 ff 50 28 89 45 d8 eb 1f 8b c8 e8 ee c6 3e exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x740711 registers.esp: 98104028 registers.edi: 39866540 registers.eax: 0 registers.ebp: 98104072 registers.edx: 158 registers.ebx: 40067060 registers.esi: 40075284 registers.ecx: 0	1
__exception__ Oct. 3, 2023, 1:56 p.m.	stacktrace: 0x7405be 0x740f47 0x740fcd mscorlib+0x216e76 @ 0x71de6e76 mscorlib+0x2202ff @ 0x71df02ff mscorlib+0x216df4 @ 0x71de6df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e01b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e18dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73e26a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73e26a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73e26a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x73ea3191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73e5192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73e518cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73e517f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73e5197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x73ea2f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x73ea303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x73f6805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 01 ff 50 28 89 45 d8 eb 1f 8b c8 e8 ee c6 3e exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x740711 registers.esp: 96989980 registers.edi: 39866540 registers.eax: 0 registers.ebp: 96990024 registers.edx: 158 registers.ebx: 40083444 registers.esi: 40090824 registers.ecx: 0	1
__exception__ Oct. 3, 2023, 1:56 p.m.	stacktrace: 0x740dc4 mscorlib+0x216e76 @ 0x71de6e76 mscorlib+0x2202ff @ 0x71df02ff mscorlib+0x216df4 @ 0x71de6df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e01b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e18dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73e26a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73e26a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73e26a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x73ea3191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73e5192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73e518cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73e517f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73e5197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x73ea2f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x73ea303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x73f6805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 39 09 e8 72 a2 3f 72 eb 11 8b c8 e8 d9 3d 4b 73 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7418c7 registers.esp: 95809184 registers.edi: 95809208 registers.eax: 0 registers.ebp: 95809224 registers.edx: 4194303999 registers.ebx: 39870452 registers.esi: 39866340 registers.ecx: 0	1
__exception__ Oct. 3, 2023, 1:56 p.m.	stacktrace: 0x740dc4 mscorlib+0x216e76 @ 0x71de6e76 mscorlib+0x2202ff @ 0x71df02ff mscorlib+0x216df4 @ 0x71de6df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e01b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e18dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73e26a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73e26a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73e26a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x73ea3191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73e5192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73e518cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73e517f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73e5197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x73ea2f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x73ea303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x73f6805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 01 ff 50 44 eb 11 8b c8 e8 bb 3d 4b 73 e8 e2 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7418e7 registers.esp: 95809184 registers.edi: 95809208 registers.eax: 7608545 registers.ebp: 95809224 registers.edx: 95809184 registers.ebx: 39870452 registers.esi: 39866340 registers.ecx: 0	1
__exception__ Oct. 3, 2023, 1:56 p.m.	stacktrace: 0x740dc4 mscorlib+0x216e76 @ 0x71de6e76 mscorlib+0x2202ff @ 0x71df02ff mscorlib+0x216df4 @ 0x71de6df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e01b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e18dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73e26a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73e26a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73e26a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x73ea3191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73e5192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73e518cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73e517f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73e5197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x73ea2f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x73ea303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x73f6805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 01 ff 50 74 eb 11 8b c8 e8 9d 3d 4b 73 e8 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x741905 registers.esp: 95809184 registers.edi: 95809208 registers.eax: 7608575 registers.ebp: 95809224 registers.edx: 95809184 registers.ebx: 39870452 registers.esi: 39866340 registers.ecx: 0	1
__exception__ Oct. 3, 2023, 1:56 p.m.	stacktrace: 0x7405be 0x740f47 0x741fbf 0x7410fc mscorlib+0x216e76 @ 0x71de6e76 mscorlib+0x2202ff @ 0x71df02ff mscorlib+0x216df4 @ 0x71de6df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e01b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e18dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73e26a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73e26a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73e26a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x73ea3191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73e5192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73e518cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73e517f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73e5197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x73ea2f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x73ea303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x73f6805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 01 ff 50 28 89 45 d8 eb 1f 8b c8 e8 ee c6 3e exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x740711 registers.esp: 103018440 registers.edi: 39866540 registers.eax: 0 registers.ebp: 103018484 registers.edx: 158 registers.ebx: 40091660 registers.esi: 40099180 registers.ecx: 0	1
__exception__ Oct. 3, 2023, 1:56 p.m.	stacktrace: 0x7405be 0x74205a 0x741fe0 0x7410fc mscorlib+0x216e76 @ 0x71de6e76 mscorlib+0x2202ff @ 0x71df02ff mscorlib+0x216df4 @ 0x71de6df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e01b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e18dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73e26a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73e26a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73e26a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x73ea3191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73e5192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73e518cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73e517f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73e5197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x73ea2f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x73ea303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x73f6805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 01 ff 50 28 89 45 d8 eb 1f 8b c8 e8 ee c6 3e exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x740711 registers.esp: 103018436 registers.edi: 39866540 registers.eax: 0 registers.ebp: 103018480 registers.edx: 158 registers.ebx: 40067968 registers.esi: 40671500 registers.ecx: 0	1
__exception__ Oct. 3, 2023, 1:56 p.m.	stacktrace: 0x7405be 0x740f47 0x742102 0x74110c mscorlib+0x216e76 @ 0x71de6e76 mscorlib+0x2202ff @ 0x71df02ff mscorlib+0x216df4 @ 0x71de6df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e01b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e18dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73e26a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73e26a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73e26a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x73ea3191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73e5192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73e518cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73e517f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73e5197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x73ea2f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x73ea303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x73f6805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 01 ff 50 28 89 45 d8 eb 1f 8b c8 e8 ee c6 3e exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x740711 registers.esp: 103018440 registers.edi: 39866540 registers.eax: 0 registers.ebp: 103018484 registers.edx: 158 registers.ebx: 40091724 registers.esi: 40711340 registers.ecx: 0	1
__exception__ Oct. 3, 2023, 1:56 p.m.	stacktrace: 0x7405be 0x74205a 0x742122 0x74110c mscorlib+0x216e76 @ 0x71de6e76 mscorlib+0x2202ff @ 0x71df02ff mscorlib+0x216df4 @ 0x71de6df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e01b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e18dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73e26a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73e26a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73e26a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x73ea3191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73e5192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73e518cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73e517f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73e5197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x73ea2f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x73ea303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x73f6805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 01 ff 50 28 89 45 d8 eb 1f 8b c8 e8 ee c6 3e exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x740711 registers.esp: 103018436 registers.edi: 39866540 registers.eax: 0 registers.ebp: 103018480 registers.edx: 158 registers.ebx: 40067968 registers.esi: 40758868 registers.ecx: 0	1
__exception__ Oct. 3, 2023, 1:56 p.m.	stacktrace: 0x7405be 0x740f47 0x74212d 0x74110c mscorlib+0x216e76 @ 0x71de6e76 mscorlib+0x2202ff @ 0x71df02ff mscorlib+0x216df4 @ 0x71de6df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e01b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e18dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73e26a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73e26a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73e26a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x73ea3191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73e5192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73e518cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73e517f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73e5197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x73ea2f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x73ea303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x73f6805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 01 ff 50 28 89 45 d8 eb 1f 8b c8 e8 ee c6 3e exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x740711 registers.esp: 103018440 registers.edi: 39866540 registers.eax: 0 registers.ebp: 103018484 registers.edx: 158 registers.ebx: 40091724 registers.esi: 40806436 registers.ecx: 0	1
__exception__ Oct. 3, 2023, 1:56 p.m.	stacktrace: 0x7405be 0x740f47 0x7421b7 0x741125 mscorlib+0x216e76 @ 0x71de6e76 mscorlib+0x2202ff @ 0x71df02ff mscorlib+0x216df4 @ 0x71de6df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e01b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e18dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73e26a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73e26a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73e26a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x73ea3191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73e5192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73e518cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73e517f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73e5197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x73ea2f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x73ea303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x73f6805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 01 ff 50 28 89 45 d8 eb 1f 8b c8 e8 ee c6 3e exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x740711 registers.esp: 103018436 registers.edi: 39866540 registers.eax: 0 registers.ebp: 103018480 registers.edx: 158 registers.ebx: 40091796 registers.esi: 40845796 registers.ecx: 0	1
__exception__ Oct. 3, 2023, 1:56 p.m.	stacktrace: 0x7405be 0x74205a 0x7421d7 0x741125 mscorlib+0x216e76 @ 0x71de6e76 mscorlib+0x2202ff @ 0x71df02ff mscorlib+0x216df4 @ 0x71de6df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e01b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e18dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73e26a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73e26a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73e26a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x73ea3191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73e5192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73e518cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73e517f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73e5197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x73ea2f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x73ea303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x73f6805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 01 ff 50 28 89 45 d8 eb 1f 8b c8 e8 ee c6 3e exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x740711 registers.esp: 103018432 registers.edi: 39866540 registers.eax: 0 registers.ebp: 103018476 registers.edx: 158 registers.ebx: 40067968 registers.esi: 40893324 registers.ecx: 0	1
__exception__ Oct. 3, 2023, 1:56 p.m.	stacktrace: 0x7405be 0x740f47 0x7421e2 0x741125 mscorlib+0x216e76 @ 0x71de6e76 mscorlib+0x2202ff @ 0x71df02ff mscorlib+0x216df4 @ 0x71de6df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e01b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e18dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73e26a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73e26a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73e26a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x73ea3191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73e5192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73e518cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73e517f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73e5197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x73ea2f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x73ea303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x73f6805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 01 ff 50 28 89 45 d8 eb 1f 8b c8 e8 ee c6 3e exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x740711 registers.esp: 103018436 registers.edi: 39866540 registers.eax: 0 registers.ebp: 103018480 registers.edx: 158 registers.ebx: 40091796 registers.esi: 40940996 registers.ecx: 0	1
__exception__ Oct. 3, 2023, 1:57 p.m.	stacktrace: 0x740dc4 mscorlib+0x216e76 @ 0x71de6e76 mscorlib+0x2202ff @ 0x71df02ff mscorlib+0x216df4 @ 0x71de6df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e01b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e18dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73e26a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73e26a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73e26a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x73ea3191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73e5192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73e518cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73e517f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73e5197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x73ea2f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x73ea303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x73f6805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 01 ff 50 44 eb 11 8b c8 e8 bb 3d 4b 73 e8 e2 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7418e7 registers.esp: 95809184 registers.edi: 95809208 registers.eax: 0 registers.ebp: 95809224 registers.edx: 1055 registers.ebx: 39870452 registers.esi: 39866340 registers.ecx: 0	1
__exception__ Oct. 3, 2023, 1:57 p.m.	stacktrace: 0x740dc4 mscorlib+0x216e76 @ 0x71de6e76 mscorlib+0x2202ff @ 0x71df02ff mscorlib+0x216df4 @ 0x71de6df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e01b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e18dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73e26a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73e26a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73e26a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x73ea3191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73e5192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73e518cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73e517f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73e5197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x73ea2f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x73ea303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x73f6805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 01 ff 50 74 eb 11 8b c8 e8 9d 3d 4b 73 e8 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x741905 registers.esp: 95809184 registers.edi: 95809208 registers.eax: 7608575 registers.ebp: 95809224 registers.edx: 95809184 registers.ebx: 39870452 registers.esi: 39866340 registers.ecx: 0	1
__exception__ Oct. 3, 2023, 1:57 p.m.	stacktrace: 0x740dc4 mscorlib+0x216e76 @ 0x71de6e76 mscorlib+0x2202ff @ 0x71df02ff mscorlib+0x216df4 @ 0x71de6df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e01b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e18dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73e26a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73e26a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73e26a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x73ea3191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73e5192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73e518cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73e517f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73e5197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x73ea2f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x73ea303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x73f6805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 01 ff 50 44 eb 11 8b c8 e8 bb 3d 4b 73 e8 e2 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7418e7 registers.esp: 95809184 registers.edi: 95809208 registers.eax: 0 registers.ebp: 95809224 registers.edx: 1055 registers.ebx: 39870452 registers.esi: 39866340 registers.ecx: 0	1
__exception__ Oct. 3, 2023, 1:57 p.m.	stacktrace: 0x740dc4 mscorlib+0x216e76 @ 0x71de6e76 mscorlib+0x2202ff @ 0x71df02ff mscorlib+0x216df4 @ 0x71de6df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e01b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e18dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73e26a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73e26a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73e26a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x73ea3191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73e5192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73e518cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73e517f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73e5197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x73ea2f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x73ea303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x73f6805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 01 ff 50 74 eb 11 8b c8 e8 9d 3d 4b 73 e8 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x741905 registers.esp: 95809184 registers.edi: 95809208 registers.eax: 7608575 registers.ebp: 95809224 registers.edx: 95809184 registers.ebx: 39870452 registers.esi: 39866340 registers.ecx: 0	1
__exception__ Oct. 3, 2023, 1:57 p.m.	stacktrace: 0x740dc4 mscorlib+0x216e76 @ 0x71de6e76 mscorlib+0x2202ff @ 0x71df02ff mscorlib+0x216df4 @ 0x71de6df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e01b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e18dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73e26a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73e26a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73e26a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x73ea3191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73e5192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73e518cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73e517f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73e5197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x73ea2f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x73ea303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x73f6805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 01 ff 50 44 eb 11 8b c8 e8 bb 3d 4b 73 e8 e2 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7418e7 registers.esp: 95809184 registers.edi: 95809208 registers.eax: 0 registers.ebp: 95809224 registers.edx: 1055 registers.ebx: 39870452 registers.esi: 39866340 registers.ecx: 0	1
__exception__ Oct. 3, 2023, 1:57 p.m.	stacktrace: 0x740dc4 mscorlib+0x216e76 @ 0x71de6e76 mscorlib+0x2202ff @ 0x71df02ff mscorlib+0x216df4 @ 0x71de6df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e01b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e18dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73e26a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73e26a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73e26a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x73ea3191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73e5192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73e518cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73e517f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73e5197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x73ea2f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x73ea303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x73f6805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 01 ff 50 74 eb 11 8b c8 e8 9d 3d 4b 73 e8 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x741905 registers.esp: 95809184 registers.edi: 95809208 registers.eax: 7608575 registers.ebp: 95809224 registers.edx: 95809184 registers.ebx: 39870452 registers.esi: 39866340 registers.ecx: 0	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://pastebin.com/raw/7chtuSCB

Performs some HTTP requests (1 event)

request

GET https://pastebin.com/raw/7chtuSCB

Allocates read-write-execute memory (usually to unpack itself) (50 out of 73 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00320000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e81000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e82000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00427000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00402000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04af1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04af2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 2512 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00680000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 2512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e01000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 2512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e02000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00442000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00443000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00477000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00444000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00462000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00456000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 2512 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 1:56 p.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

explorer.exe tried to sleep 429 seconds, actually delayed analysis time by 429 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\WinExplorer\explorer.exe

Creates a suspicious process (1 event)

cmdline

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\test22\AppData\Roaming\WinExplorer\explorer.exe'"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\WinExplorer\explorer.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\WinExplorer\explorer.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 3, 2023, 1:56 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 3, 2023, 1:56 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 3, 2023, 1:56 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\test22\AppData\Roaming\WinExplorer\explorer.exe'"

Communicates with host for which no DNS query was performed (1 event)

host

185.236.228.50

Installs itself for autorun at Windows startup (1 event)

cmdline

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\test22\AppData\Roaming\WinExplorer\explorer.exe'"

Network communications indicative of possible code injection originated from the process explorer.exe (6 events)

Time & API	Arguments	Status	Return
send Oct. 3, 2023, 1:56 p.m.	buffer: okeÉ1_kÜ+:ð"6Køíg½¹ïtâ/5 ÀÀÀ À 28*ÿpastebin.com socket: 1452 sent: 116	1	116
send Oct. 3, 2023, 1:56 p.m.	buffer: FBA.úeÎË¿¿L¹¾Åõ-4é3ÓïÌÚR_ÝÖKñ0Ò!lHíÈþ«²Yv/rs¦iË[åàQbê¤® 0ã_(Ø''ù÷Ç==¡¼±mCyÅÓ8ú<3¡LnÎwú`º socket: 1452 sent: 134	1	134
send Oct. 3, 2023, 1:56 p.m.	buffer: `?G§yq$4Õ?iÉ \í2xCý®ÍÜÔ}³Ý±JkÎAY¬°ÓÛãèõÆÂ±\`¤ 63$ÛèÉwxTÚ].)IYM±óÄªuhØbÂ÷õ socket: 1452 sent: 101	1	101
send Oct. 3, 2023, 1:57 p.m.	buffer: PùÓîÚ¾âÈ åÒÄ¶\|a÷°£¨añuã2 gÜZÖZ-/% )ÔïõDzÏ këäô¿õò`-Ú Ñ3Ë¤»î1,{ socket: 1452 sent: 85	1	85
send Oct. 3, 2023, 1:57 p.m.	buffer: PÄE®ØHÛéÿ¤ºÅî«[x¼LÁ·Óíiå53![±¦áË<Égú1ÿç,ÚlhcB^®&lñK¤#^åûçc¥ù socket: 1452 sent: 85	1	85
send Oct. 3, 2023, 1:57 p.m.	buffer: PX Ë#kq®hUâB¾ÌêÖ5ï? è¬là¨2@ä¥pQ·Å< £rM@]AYÆ7º´pP'FÀ\|³\|ì¼ðGÞ socket: 1452 sent: 85	1	85

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Roaming\WinExplorer\explorer.exe:Zone.Identifier

Created a process named as a common system process (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Oct. 3, 2023, 1:56 p.m.	thread_identifier: 1116 thread_handle: 0x00000518 process_identifier: 2512 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\WinExplorer\explorer.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\WinExplorer\explorer.exe" filepath_r: C:\Users\test22\AppData\Roaming\WinExplorer\explorer.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000051c	1	1	0
ShellExecuteExW Oct. 3, 2023, 1:56 p.m.	show_type: 1 filepath_r: C:\Users\test22\AppData\Roaming\WinExplorer\explorer.exe parameters: filepath: C:\Users\test22\AppData\Roaming\WinExplorer\explorer.exe	1	1	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

185.236.228.50:6775

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)

Lionic	Trojan.Win32.Generic.mein
Elastic	Windows.Trojan.Limerat
MicroWorld-eScan	Generic.MSIL.LimeRAT.433BCB8A
ClamAV	Win.Malware.Barys-6836745-0
FireEye	Generic.mg.76599bf790a73e2b
ALYac	Generic.MSIL.LimeRAT.433BCB8A
Malwarebytes	Generic.Malware.AI.DDS
VIPRE	Generic.MSIL.LimeRAT.433BCB8A
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 005684c61 )
Alibaba	Backdoor:MSIL/LimeRAT.5118b87b
K7GW	Trojan ( 005684c61 )
Cybereason	malicious.33d311
Arcabit	Generic.MSIL.LimeRAT.433BCB8A
BitDefenderTheta	Gen:NN.ZemsilF.36738.CmW@aOM2CPe
VirIT	Trojan.Win32.MSIL_Heur.A
Cyren	W32/LimeRAT.C.gen!Eldorado
Symantec	Trojan.LimeRat
ESET-NOD32	a variant of MSIL/Agent.BPK
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan.MSIL.Tasker.gen
BitDefender	Generic.MSIL.LimeRAT.433BCB8A
Avast	Win32:CrypterX-gen [Trj]
Rising	Trojan.AntiVM!1.CF63 (CLASSIC)
Emsisoft	Generic.MSIL.LimeRAT.433BCB8A (B)
F-Secure	Trojan.TR/Dropper.Gen7
DrWeb	Trojan.DownLoader29.2373
Zillya	Trojan.Agent.Win32.3713389
TrendMicro	Coinminer.MSIL.LIMERAT.SMA
McAfee-GW-Edition	BehavesLike.Win32.Generic.gm
Trapmine	malicious.high.ml.score
Sophos	Mal/LimeRAT-A
Ikarus	Trojan.MSIL.Agent
Avira	TR/Dropper.Gen7
MAX	malware (ai score=80)
Gridinsoft	Trojan.Win32.Agent.sa
Microsoft	Backdoor:MSIL/LimeRAT.A!MTB
ViRobot	Trojan.Win.Z.Limerat.462336
ZoneAlarm	HEUR:Trojan.MSIL.Tasker.gen
GData	MSIL.Backdoor.LimeRat.B
Google	Detected
AhnLab-V3	Win-Trojan/LimeRAT.Exp
McAfee	GenericRXIW-YI!76599BF790A7
VBA32	Backdoor.MSIL.Lime.Heur
Cylance	unsafe
Panda	Trj/GdSda.A
TrendMicro-HouseCall	Coinminer.MSIL.LIMERAT.SMA
Tencent	Trojan.Msil.Tasker.za
SentinelOne	Static AI - Malicious PE

explorer.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All