Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 6, 2023, 7:47 a.m.	Oct. 6, 2023, 7:56 a.m.

Size	1.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`53ffe4a2e5ff91672c96597ebece2470`
SHA256	`7eb34e73b59921ae4892ecf57f60f033217eac603455914c02158114a6d073e0`
CRC32	`C9035D7D`
ssdeep	`49152:jXXYNZaNo9/ywQo/cL9RMQa1oCeE2PQOnb:LXIi/wQvL95uoCj24On`
PDB Path	wextract.pdb
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) CAB_file_format - CAB archive file Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet

foto3553.exe "C:\Users\test22\AppData\Local\Temp\foto3553.exe"
1880
- LN8mW9ty.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\LN8mW9ty.exe
  2112
  - xi2IL2aC.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\xi2IL2aC.exe
    2156
    - mI5WY8ei.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\mI5WY8ei.exe
      2240
      - AY2yg0ZK.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\AY2yg0ZK.exe
        2292
        
        1af13hO1.exe C:\Users\test22\AppData\Local\Temp\IXP004.TMP\1af13hO1.exe
        2336
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2384
        
        GiE6UzXAHqzzY1B.exe "C:\Users\test22\AppData\Local\Temp\GiE6UzXAHqzzY1B.exe"
        2720
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
        4548
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef26c6e00,0x7fef26c6e10,0x7fef26c6e20
        4612
        
        cmd.exe /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\GiE6UzXAHqzzY1B.exe" /tn "\WindowsAppPool\GiE6UzXAHqzzY1B"
        2052
        
        schtasks.exe schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\GiE6UzXAHqzzY1B.exe" /tn "\WindowsAppPool\GiE6UzXAHqzzY1B"
        3200
        
        J9gHKT9nvgbi3o1.exe "C:\Users\test22\AppData\Local\Temp\J9gHKT9nvgbi3o1.exe"
        3096
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3504
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
        5056
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x134,0x138,0x13c,0x108,0x140,0x7fef25c6e00,0x7fef25c6e10,0x7fef25c6e20
        5108
        
        cmd.exe /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\J9gHKT9nvgbi3o1.exe" /tn "\WindowsAppPool\J9gHKT9nvgbi3o1"
        3160
        
        schtasks.exe schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\J9gHKT9nvgbi3o1.exe" /tn "\WindowsAppPool\J9gHKT9nvgbi3o1"
        3336
        
        NvoO7emaO6N0CgX.exe "C:\Users\test22\AppData\Local\Temp\NvoO7emaO6N0CgX.exe"
        3272
        
        cmd.exe /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\NvoO7emaO6N0CgX.exe" /tn "\WindowsAppPool\NvoO7emaO6N0CgX"
        3364
        
        schtasks.exe schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\NvoO7emaO6N0CgX.exe" /tn "\WindowsAppPool\NvoO7emaO6N0CgX"
        3692
        
        QR1quzyXCWpIaCo.exe "C:\Users\test22\AppData\Local\Temp\QR1quzyXCWpIaCo.exe"
        3444
        
        cmd.exe /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\QR1quzyXCWpIaCo.exe" /tn "\WindowsAppPool\QR1quzyXCWpIaCo"
        3604
        
        schtasks.exe schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\QR1quzyXCWpIaCo.exe" /tn "\WindowsAppPool\QR1quzyXCWpIaCo"
        3944
        
        TID1kUKJVi1qfvO.exe "C:\Users\test22\AppData\Local\Temp\TID1kUKJVi1qfvO.exe"
        3736
        
        W4LCHeXwJ8D8ORK.exe "C:\Users\test22\AppData\Local\Temp\W4LCHeXwJ8D8ORK.exe"
        2944
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3772
        
        cmd.exe /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\TID1kUKJVi1qfvO.exe" /tn "\WindowsAppPool\TID1kUKJVi1qfvO"
        3932
        
        schtasks.exe schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\TID1kUKJVi1qfvO.exe" /tn "\WindowsAppPool\TID1kUKJVi1qfvO"
        3264
        
        cmd.exe /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\W4LCHeXwJ8D8ORK.exe" /tn "\WindowsAppPool\W4LCHeXwJ8D8ORK"
        3356
        
        schtasks.exe schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\W4LCHeXwJ8D8ORK.exe" /tn "\WindowsAppPool\W4LCHeXwJ8D8ORK"
        2872
        
        0rnK339j3YfQnJa.exe "C:\Users\test22\AppData\Local\Temp\0rnK339j3YfQnJa.exe"
        3520
        
        cmd.exe /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\0rnK339j3YfQnJa.exe" /tn "\WindowsAppPool\0rnK339j3YfQnJa"
        3856
        
        schtasks.exe schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\0rnK339j3YfQnJa.exe" /tn "\WindowsAppPool\0rnK339j3YfQnJa"
        2108
        
        2UP350IV.exe C:\Users\test22\AppData\Local\Temp\IXP004.TMP\2UP350IV.exe
        2444
      - 3zc6jy08.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\3zc6jy08.exe
        3024
    - 4uV842oz.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\4uV842oz.exe
      3068
      - AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2092
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
        4744
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef25c6e00,0x7fef25c6e10,0x7fef25c6e20
        4800
  - 5Kh12Tz.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\5Kh12Tz.exe
    2200
    - explothe.exe "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe"
      2352
      - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        2960
      - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit
        1700
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2004
        
        cacls.exe CACLS "explothe.exe" /P "test22:N"
        2528
        
        cacls.exe CACLS "explothe.exe" /P "test22:R" /E
        2332
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        3064
        
        cacls.exe CACLS "..\fefffe8cea" /P "test22:N"
        2140
        
        cacls.exe CACLS "..\fefffe8cea" /P "test22:R" /E
        2252
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000010041\1.ps1"
        3044
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://accounts.google.com/
        3556
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3556 CREDAT:145409
        4008
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com/
        3876
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef25c6e00,0x7fef25c6e10,0x7fef25c6e20
        3232
      - rus.exe "C:\Users\test22\AppData\Local\Temp\1000011051\rus.exe"
        3480
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2544
      - foto3553.exe "C:\Users\test22\AppData\Local\Temp\1000012051\foto3553.exe"
        3296
        
        Xo7lZ2zB.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Xo7lZ2zB.exe
        3040
        
        Vq5kH4tS.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\Vq5kH4tS.exe
        2652
        
        HM0Nb2IZ.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\HM0Nb2IZ.exe
        3448
        
        oD9pg8wy.exe C:\Users\test22\AppData\Local\Temp\IXP005.TMP\oD9pg8wy.exe
        4084
        
        1GW74XK8.exe C:\Users\test22\AppData\Local\Temp\IXP006.TMP\1GW74XK8.exe
        2480
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        4108
        
        2uX315Hd.exe C:\Users\test22\AppData\Local\Temp\IXP006.TMP\2uX315Hd.exe
        4220
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
        4988
        
        3Aw3ON84.exe C:\Users\test22\AppData\Local\Temp\IXP005.TMP\3Aw3ON84.exe
        3924
        
        4Ye142Yf.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\4Ye142Yf.exe
        4480
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        4540
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
        4616
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef26c6e00,0x7fef26c6e10,0x7fef26c6e20
        2232
        
        5tj76QQ.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\5tj76QQ.exe
        4704
        
        6gX51Dp.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6gX51Dp.exe
        4600
        
        cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\test22\AppData\Local\Temp\FCF4.tmp\FCF5.tmp\FCF6.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6gX51Dp.exe"
        4784
      - nano.exe "C:\Users\test22\AppData\Local\Temp\1000013051\nano.exe"
        4148
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        4348
      - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        4500
- 6RG67Gn.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6RG67Gn.exe
  2428
  - cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\test22\AppData\Local\Temp\D54.tmp\D55.tmp\D66.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6RG67Gn.exe"
    2644
    - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
      2456
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2456 CREDAT:145409
        536
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2456 CREDAT:79877
        4924

Name	Response	Post-Analysis Lookup
accounts.google.com	A 142.251.130.13	172.217.25.173
fbcdn.net	A 157.240.215.35	157.240.215.35
facebook.com	A 157.240.215.35	157.240.215.35
ssl.gstatic.com	A 172.217.24.67	172.217.25.163
www.google.com	A 142.251.130.4	142.250.206.228
static.xx.fbcdn.net	A 157.240.215.14 CNAME scontent.xx.fbcdn.net	157.240.215.14
fbsbx.com	A 157.240.215.35	157.240.215.35
www.facebook.com	A 157.240.215.35 CNAME star-mini.c10r.facebook.com	157.240.215.35
connect.facebook.net	A 157.240.215.14 CNAME scontent.xx.fbcdn.net	157.240.215.14

IP Address	Status	Action
117.18.232.200	Active	Moloch
142.251.130.13	Active	Moloch
142.251.130.4	Active	Moloch
157.240.215.14	Active	Moloch
157.240.215.35	Active	Moloch
164.124.101.2	Active	Moloch
172.217.24.67	Active	Moloch
5.42.92.211	Active	Moloch
77.91.124.1	Active	Moloch
77.91.124.55	Active	Moloch
77.91.68.52	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49172 -> 77.91.124.55:19071	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 5.42.92.211:80	2047625	ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 77.91.124.55:19071	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 77.91.124.55:19071 -> 192.168.56.103:49172	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49173 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.124.55:19071 -> 192.168.56.103:49172	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49173 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49206 -> 142.251.130.13:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49205 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49207 -> 142.251.130.13:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49222 -> 77.91.124.55:19071	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49222 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 77.91.124.55:19071	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 77.91.124.55:19071 -> 192.168.56.103:49222	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49194 -> 77.91.68.52:80	2032162	ET INFO PS1 Powershell File Request	Potentially Bad Traffic
TCP 192.168.56.103:49241 -> 142.251.130.13:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49240 -> 142.251.130.13:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49243 -> 142.251.130.4:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49242 -> 142.251.130.4:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49245 -> 172.217.24.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49222 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49194 -> 77.91.68.52:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49194 -> 77.91.68.52:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.103:49192 -> 77.91.124.1:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.103:49192 -> 77.91.124.1:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
TCP 77.91.68.52:80 -> 192.168.56.103:49194	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.68.52:80 -> 192.168.56.103:49194	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.68.52:80 -> 192.168.56.103:49194	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49192 -> 77.91.124.1:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49253 -> 77.91.124.1:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49201 -> 77.91.124.55:19071	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49201 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49201 -> 77.91.124.55:19071	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 77.91.124.55:19071 -> 192.168.56.103:49201	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 77.91.124.55:19071 -> 192.168.56.103:49222	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.103:49212 -> 172.217.24.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49213 -> 172.217.24.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49260 -> 77.91.124.1:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49263 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49295 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49302 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49305 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49201 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49247 -> 77.91.124.1:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49201 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.124.55:19071 -> 192.168.56.103:49201	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.103:49201 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49292 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49222 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49247 -> 77.91.124.1:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49201 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49201 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49201 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49298 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49222 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49265 -> 77.91.124.55:19071	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49222 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49265 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49265 -> 77.91.124.55:19071	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.124.55:19071 -> 192.168.56.103:49265	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49201 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49201 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49201 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49201 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49201 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49201 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49265 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49280 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49201 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49265 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49201 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.124.55:19071 -> 192.168.56.103:49265	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.103:49265 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49201 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49265 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49265 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49201 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49291 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49265 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49201 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49265 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49201 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49201 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49265 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49201 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49265 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49265 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49299 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49265 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49265 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49265 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49265 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49312 -> 142.251.130.13:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49315 -> 172.217.24.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49180 -> 77.91.124.55:19071	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49277 -> 77.91.124.1:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49277 -> 77.91.124.1:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 77.91.124.1:80 -> 192.168.56.103:49277	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.103:49180 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 77.91.124.55:19071	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 77.91.124.1:80 -> 192.168.56.103:49277	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.124.1:80 -> 192.168.56.103:49277	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.124.55:19071 -> 192.168.56.103:49180	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 77.91.124.1:80 -> 192.168.56.103:49277	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.103:49265 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49265 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49265 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49265 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49265 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49265 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49289 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49294 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49293 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49300 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49308 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49313 -> 142.251.130.13:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49316 -> 172.217.24.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49194 -> 77.91.68.52:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.124.55:19071 -> 192.168.56.103:49180	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49246 -> 172.217.24.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49180 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49290 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49296 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49297 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49194 -> 77.91.68.52:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49268 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49285 -> 77.91.124.55:19071	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49285 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49285 -> 77.91.124.55:19071	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 77.91.124.55:19071 -> 192.168.56.103:49285	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49303 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49304 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49307 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49285 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49285 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.124.55:19071 -> 192.168.56.103:49285	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.103:49285 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49285 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49285 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49285 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49285 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49285 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49285 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49285 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49285 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49285 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49285 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49285 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49285 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49285 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49285 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49285 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49285 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49285 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49206 142.251.130.13:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	4a:5a:3c:9d:ec:4d:02:20:de:b6:76:11:1c:40:b5:78:e9:aa:a6:0d
TLSv1 192.168.56.103:49205 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	33:0b:09:35:a5:7b:39:65:48:d5:32:5e:a7:aa:c3:b4:39:20:6d:c4
TLSv1 192.168.56.103:49207 142.251.130.13:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	4a:5a:3c:9d:ec:4d:02:20:de:b6:76:11:1c:40:b5:78:e9:aa:a6:0d
TLSv1 192.168.56.103:49241 142.251.130.13:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	4a:5a:3c:9d:ec:4d:02:20:de:b6:76:11:1c:40:b5:78:e9:aa:a6:0d
TLSv1 192.168.56.103:49240 142.251.130.13:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	4a:5a:3c:9d:ec:4d:02:20:de:b6:76:11:1c:40:b5:78:e9:aa:a6:0d
TLSv1 192.168.56.103:49243 142.251.130.4:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	c9:f6:98:54:a9:56:99:75:0a:10:b7:bd:95:70:40:74:3a:b0:b0:77
TLSv1 192.168.56.103:49242 142.251.130.4:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	c9:f6:98:54:a9:56:99:75:0a:10:b7:bd:95:70:40:74:3a:b0:b0:77
TLSv1 192.168.56.103:49245 172.217.24.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	24:e0:20:dc:de:e3:a8:d9:a8:17:ba:26:f5:41:32:19:98:d0:30:f3
TLSv1 192.168.56.103:49212 172.217.24.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	24:e0:20:dc:de:e3:a8:d9:a8:17:ba:26:f5:41:32:19:98:d0:30:f3
TLSv1 192.168.56.103:49213 172.217.24.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	24:e0:20:dc:de:e3:a8:d9:a8:17:ba:26:f5:41:32:19:98:d0:30:f3
TLSv1 192.168.56.103:49295 157.240.215.14:443	None	None	None
TLSv1 192.168.56.103:49302 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	3e:9d:94:ef:d3:b8:3c:ca:ad:c6:db:b3:42:e7:6a:d7:eb:29:42:b3
TLSv1 192.168.56.103:49305 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	3e:9d:94:ef:d3:b8:3c:ca:ad:c6:db:b3:42:e7:6a:d7:eb:29:42:b3
TLSv1 192.168.56.103:49292 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	33:0b:09:35:a5:7b:39:65:48:d5:32:5e:a7:aa:c3:b4:39:20:6d:c4
TLSv1 192.168.56.103:49298 157.240.215.14:443	None	None	None
TLSv1 192.168.56.103:49291 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	33:0b:09:35:a5:7b:39:65:48:d5:32:5e:a7:aa:c3:b4:39:20:6d:c4
TLSv1 192.168.56.103:49299 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	33:0b:09:35:a5:7b:39:65:48:d5:32:5e:a7:aa:c3:b4:39:20:6d:c4
TLSv1 192.168.56.103:49312 142.251.130.13:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	4a:5a:3c:9d:ec:4d:02:20:de:b6:76:11:1c:40:b5:78:e9:aa:a6:0d
TLSv1 192.168.56.103:49315 172.217.24.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	24:e0:20:dc:de:e3:a8:d9:a8:17:ba:26:f5:41:32:19:98:d0:30:f3
TLSv1 192.168.56.103:49289 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	33:0b:09:35:a5:7b:39:65:48:d5:32:5e:a7:aa:c3:b4:39:20:6d:c4
TLSv1 192.168.56.103:49294 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	33:0b:09:35:a5:7b:39:65:48:d5:32:5e:a7:aa:c3:b4:39:20:6d:c4
TLSv1 192.168.56.103:49293 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	33:0b:09:35:a5:7b:39:65:48:d5:32:5e:a7:aa:c3:b4:39:20:6d:c4
TLSv1 192.168.56.103:49300 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	33:0b:09:35:a5:7b:39:65:48:d5:32:5e:a7:aa:c3:b4:39:20:6d:c4
TLSv1 192.168.56.103:49308 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	33:0b:09:35:a5:7b:39:65:48:d5:32:5e:a7:aa:c3:b4:39:20:6d:c4
TLSv1 192.168.56.103:49313 142.251.130.13:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	4a:5a:3c:9d:ec:4d:02:20:de:b6:76:11:1c:40:b5:78:e9:aa:a6:0d
TLSv1 192.168.56.103:49316 172.217.24.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	24:e0:20:dc:de:e3:a8:d9:a8:17:ba:26:f5:41:32:19:98:d0:30:f3
TLSv1 192.168.56.103:49246 172.217.24.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	24:e0:20:dc:de:e3:a8:d9:a8:17:ba:26:f5:41:32:19:98:d0:30:f3
TLSv1 192.168.56.103:49290 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	33:0b:09:35:a5:7b:39:65:48:d5:32:5e:a7:aa:c3:b4:39:20:6d:c4
TLSv1 192.168.56.103:49296 157.240.215.14:443	None	None	None
TLSv1 192.168.56.103:49297 157.240.215.14:443	None	None	None
TLSv1 192.168.56.103:49303 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	3e:9d:94:ef:d3:b8:3c:ca:ad:c6:db:b3:42:e7:6a:d7:eb:29:42:b3
TLSv1 192.168.56.103:49304 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	3e:9d:94:ef:d3:b8:3c:ca:ad:c6:db:b3:42:e7:6a:d7:eb:29:42:b3
TLSv1 192.168.56.103:49307 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	33:0b:09:35:a5:7b:39:65:48:d5:32:5e:a7:aa:c3:b4:39:20:6d:c4

Queries for the computername (50 out of 92 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 6, 2023, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 7:48 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 71 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 6, 2023, 7:47 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:47 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:48 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:49 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:49 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:49 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:49 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:49 a.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 7:49 a.m.			0	0

Command line console output was observed (50 out of 98 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 6, 2023, 7:48 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 6, 2023, 7:48 a.m.	buffer: start console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 6, 2023, 7:48 a.m.	buffer: "" https://www.facebook.com/login console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 6, 2023, 7:48 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 6, 2023, 7:48 a.m.	buffer: start console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 6, 2023, 7:48 a.m.	buffer: "" https://accounts.google.com console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 6, 2023, 7:48 a.m.	buffer: SUCCESS: The scheduled task "explothe.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2023, 7:48 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2023, 7:48 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 6, 2023, 7:48 a.m.	buffer: e console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 150 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 6, 2023, 7:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00887c88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00887c88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00887c88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00887c88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00887d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00887d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00887d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00887d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00887d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00887d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00887d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00887cc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00887cc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00887ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00888608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00888608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008884c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004d8868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004d8868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004d8868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004d8868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004d88e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004d88e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004d87e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004d87e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004d87e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004d87e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004d87e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004d8868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004d8868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004d8a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004d91a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004d91a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004d9068 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00307550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00380210 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00380210 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00380210 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00380490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00380490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00380490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00380490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00380490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00380490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003803d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003803d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003803d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003803d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003803d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2023, 7:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003803d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Tries to locate where the browsers are installed (4 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 6, 2023, 7:47 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more processes crashed (50 out of 116 events)

Time & API	Arguments	Status
__exception__ Oct. 6, 2023, 7:47 a.m.	stacktrace: 0x7ec13d 0x7ebf0e 0x7e6cad 0x7e6886 0x7e34ab 0x7e2f10 0x7e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7ec278 registers.esp: 3862132 registers.edi: 3862184 registers.eax: 0 registers.ebp: 3862196 registers.edx: 8663952 registers.ebx: 3863412 registers.esi: 41097912 registers.ecx: 0	1
__exception__ Oct. 6, 2023, 7:47 a.m.	stacktrace: 0x7cd69f0 0x7cd2b08 0x7cd25b9 0x7cd24d5 0x7cd0bdb 0x7ef06e 0x7ec7af 0x7e6d75 0x7e6886 0x7e34ab 0x7e2f10 0x7e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7cd6a33 registers.esp: 3860720 registers.edi: 3861004 registers.eax: 0 registers.ebp: 3860728 registers.edx: 0 registers.ebx: 3863412 registers.esi: 41747864 registers.ecx: 42874188	1
__exception__ Oct. 6, 2023, 7:47 a.m.	stacktrace: 0x7cd69f0 0x7cd2b08 0x7cd25b9 0x7cd24ed 0x7cd0bdb 0x7ef06e 0x7ec7af 0x7e6d75 0x7e6886 0x7e34ab 0x7e2f10 0x7e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7cd6a33 registers.esp: 3860720 registers.edi: 3861004 registers.eax: 0 registers.ebp: 3860728 registers.edx: 0 registers.ebx: 3863412 registers.esi: 41747864 registers.ecx: 44180128	1
__exception__ Oct. 6, 2023, 7:47 a.m.	stacktrace: 0x7cd69f0 0x7cd2b08 0x7cd25b9 0x7cd24ed 0x7cd0bdb 0x7ef06e 0x7ec7af 0x7e6d75 0x7e6886 0x7e34ab 0x7e2f10 0x7e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7cd6a33 registers.esp: 3860720 registers.edi: 3861004 registers.eax: 0 registers.ebp: 3860728 registers.edx: 0 registers.ebx: 3863412 registers.esi: 41747864 registers.ecx: 41632032	1
__exception__ Oct. 6, 2023, 7:47 a.m.	stacktrace: 0x7cd69f0 0x7cd72a6 0x7cd6cf8 0x7cd24d5 0x7cd1352 0x7ef06e 0x7ec7af 0x7e6d75 0x7e6886 0x7e34ab 0x7e2f10 0x7e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7cd6a33 registers.esp: 3860680 registers.edi: 3861020 registers.eax: 0 registers.ebp: 3860688 registers.edx: 0 registers.ebx: 3863412 registers.esi: 40697332 registers.ecx: 43088936	1
__exception__ Oct. 6, 2023, 7:47 a.m.	stacktrace: 0x7cd69f0 0x7cd72a6 0x7cd6cf8 0x7cd24ed 0x7cd1352 0x7ef06e 0x7ec7af 0x7e6d75 0x7e6886 0x7e34ab 0x7e2f10 0x7e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7cd6a33 registers.esp: 3860680 registers.edi: 3861020 registers.eax: 0 registers.ebp: 3860688 registers.edx: 0 registers.ebx: 3863412 registers.esi: 40697332 registers.ecx: 44638992	1
__exception__ Oct. 6, 2023, 7:47 a.m.	stacktrace: 0x7cd69f0 0x7cd72a6 0x7cd6cf8 0x7cd24ed 0x7cd1352 0x7ef06e 0x7ec7af 0x7e6d75 0x7e6886 0x7e34ab 0x7e2f10 0x7e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7cd6a33 registers.esp: 3860680 registers.edi: 3861020 registers.eax: 0 registers.ebp: 3860688 registers.edx: 0 registers.ebx: 3863412 registers.esi: 40697332 registers.ecx: 45988664	1
__exception__ Oct. 6, 2023, 7:47 a.m.	stacktrace: 0x7cd69f0 0x7cd796a 0x7cd7548 0x7cd24d5 0x7cd1454 0x7ef06e 0x7ec7af 0x7e6d75 0x7e6886 0x7e34ab 0x7e2f10 0x7e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7cd6a33 registers.esp: 3860744 registers.edi: 3861020 registers.eax: 0 registers.ebp: 3860752 registers.edx: 0 registers.ebx: 3863412 registers.esi: 40697332 registers.ecx: 40957768	1
__exception__ Oct. 6, 2023, 7:47 a.m.	stacktrace: 0x7cd69f0 0x7cd796a 0x7cd7548 0x7cd24ed 0x7cd1454 0x7ef06e 0x7ec7af 0x7e6d75 0x7e6886 0x7e34ab 0x7e2f10 0x7e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7cd6a33 registers.esp: 3860744 registers.edi: 3861020 registers.eax: 0 registers.ebp: 3860752 registers.edx: 0 registers.ebx: 3863412 registers.esi: 40683324 registers.ecx: 42355960	1
__exception__ Oct. 6, 2023, 7:47 a.m.	stacktrace: 0x7cd69f0 0x7cd796a 0x7cd7548 0x7cd24ed 0x7cd1454 0x7ef06e 0x7ec7af 0x7e6d75 0x7e6886 0x7e34ab 0x7e2f10 0x7e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7cd6a33 registers.esp: 3860744 registers.edi: 3861020 registers.eax: 0 registers.ebp: 3860752 registers.edx: 0 registers.ebx: 3863412 registers.esi: 40683324 registers.ecx: 43754152	1
__exception__ Oct. 6, 2023, 7:47 a.m.	stacktrace: 0x7cd69f0 0x7cd7e72 0x7cd7a98 0x7cd24d5 0x7cd1541 0x7ef06e 0x7ec7af 0x7e6d75 0x7e6886 0x7e34ab 0x7e2f10 0x7e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7cd6a33 registers.esp: 3860764 registers.edi: 3861020 registers.eax: 0 registers.ebp: 3860772 registers.edx: 0 registers.ebx: 3863412 registers.esi: 40683324 registers.ecx: 45152424	1
__exception__ Oct. 6, 2023, 7:47 a.m.	stacktrace: 0x7cd69f0 0x7cd7e72 0x7cd7a98 0x7cd24ed 0x7cd1541 0x7ef06e 0x7ec7af 0x7e6d75 0x7e6886 0x7e34ab 0x7e2f10 0x7e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7cd6a33 registers.esp: 3860764 registers.edi: 3861020 registers.eax: 0 registers.ebp: 3860772 registers.edx: 0 registers.ebx: 3863412 registers.esi: 40683324 registers.ecx: 41984568	1
__exception__ Oct. 6, 2023, 7:47 a.m.	stacktrace: 0x7cd69f0 0x7cd7e72 0x7cd7a98 0x7cd24ed 0x7cd1541 0x7ef06e 0x7ec7af 0x7e6d75 0x7e6886 0x7e34ab 0x7e2f10 0x7e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7cd6a33 registers.esp: 3860764 registers.edi: 3861020 registers.eax: 0 registers.ebp: 3860772 registers.edx: 0 registers.ebx: 3863412 registers.esi: 40683324 registers.ecx: 43385504	1
__exception__ Oct. 6, 2023, 7:47 a.m.	stacktrace: 0x7cd69f0 0x7cd8e47 0x7cd8619 0x7ef09c 0x7ec7af 0x7e6d75 0x7e6886 0x7e34ab 0x7e2f10 0x7e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7cd6a33 registers.esp: 3861648 registers.edi: 3861928 registers.eax: 0 registers.ebp: 3861656 registers.edx: 0 registers.ebx: 3863412 registers.esi: 43953000 registers.ecx: 43960084	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x8e88a5 0x8e8676 0x8e6cad 0x8e6886 0x8e34ab 0x8e2f10 0x8e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8e89e0 registers.esp: 3403428 registers.edi: 3403480 registers.eax: 0 registers.ebp: 3403492 registers.edx: 4867448 registers.ebx: 3404708 registers.esi: 39827140 registers.ecx: 0	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x754bae8 0x7547bf0 0x75476a1 0x75475bd 0x7545cc3 0x7544f86 0x8ec7af 0x8e6d75 0x8e6886 0x8e34ab 0x8e2f10 0x8e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x754bb2b registers.esp: 3402016 registers.edi: 3402300 registers.eax: 0 registers.ebp: 3402024 registers.edx: 0 registers.ebx: 3404708 registers.esi: 40977360 registers.ecx: 42103492	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x754bae8 0x7547bf0 0x75476a1 0x75475d5 0x7545cc3 0x7544f86 0x8ec7af 0x8e6d75 0x8e6886 0x8e34ab 0x8e2f10 0x8e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x754bb2b registers.esp: 3402016 registers.edi: 3402300 registers.eax: 0 registers.ebp: 3402024 registers.edx: 0 registers.ebx: 3404708 registers.esi: 40977360 registers.ecx: 39782128	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x754bae8 0x7547bf0 0x75476a1 0x75475d5 0x7545cc3 0x7544f86 0x8ec7af 0x8e6d75 0x8e6886 0x8e34ab 0x8e2f10 0x8e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x754bb2b registers.esp: 3402016 registers.edi: 3402300 registers.eax: 0 registers.ebp: 3402024 registers.edx: 0 registers.ebx: 3404708 registers.esi: 39523776 registers.ecx: 41086728	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x754bae8 0x7547bf0 0x754beb0 0x75475bd 0x7546157 0x7544f86 0x8ec7af 0x8e6d75 0x8e6886 0x8e34ab 0x8e2f10 0x8e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x754bb2b registers.esp: 3402016 registers.edi: 3402300 registers.eax: 0 registers.ebp: 3402024 registers.edx: 0 registers.ebx: 3404708 registers.esi: 39523776 registers.ecx: 42577480	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x754bae8 0x7547bf0 0x754beb0 0x75475d5 0x7546157 0x7544f86 0x8ec7af 0x8e6d75 0x8e6886 0x8e34ab 0x8e2f10 0x8e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x754bb2b registers.esp: 3402016 registers.edi: 3402300 registers.eax: 0 registers.ebp: 3402024 registers.edx: 0 registers.ebx: 3404708 registers.esi: 39523776 registers.ecx: 43882080	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x754bae8 0x7547bf0 0x754beb0 0x75475d5 0x7546157 0x7544f86 0x8ec7af 0x8e6d75 0x8e6886 0x8e34ab 0x8e2f10 0x8e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x754bb2b registers.esp: 3402016 registers.edi: 3402300 registers.eax: 0 registers.ebp: 3402024 registers.edx: 0 registers.ebx: 3404708 registers.esi: 39523776 registers.ecx: 45186680	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x754bae8 0x754c71e 0x754c170 0x75475bd 0x754643a 0x7544f86 0x8ec7af 0x8e6d75 0x8e6886 0x8e34ab 0x8e2f10 0x8e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x754bb2b registers.esp: 3401976 registers.edi: 3402316 registers.eax: 0 registers.ebp: 3401984 registers.edx: 0 registers.ebx: 3404708 registers.esi: 39523776 registers.ecx: 40078604	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x754bae8 0x754c71e 0x754c170 0x75475d5 0x754643a 0x7544f86 0x8ec7af 0x8e6d75 0x8e6886 0x8e34ab 0x8e2f10 0x8e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x754bb2b registers.esp: 3401976 registers.edi: 3402316 registers.eax: 0 registers.ebp: 3401984 registers.edx: 0 registers.ebx: 3404708 registers.esi: 39490172 registers.ecx: 41428264	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x754bae8 0x754c71e 0x754c170 0x75475d5 0x754643a 0x7544f86 0x8ec7af 0x8e6d75 0x8e6886 0x8e34ab 0x8e2f10 0x8e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x754bb2b registers.esp: 3401976 registers.edi: 3402316 registers.eax: 0 registers.ebp: 3401984 registers.edx: 0 registers.ebx: 3404708 registers.esi: 39490172 registers.ecx: 42777936	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x754bae8 0x754cde2 0x754c9c0 0x75475bd 0x754653c 0x7544f86 0x8ec7af 0x8e6d75 0x8e6886 0x8e34ab 0x8e2f10 0x8e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x754bb2b registers.esp: 3402040 registers.edi: 3402316 registers.eax: 0 registers.ebp: 3402048 registers.edx: 0 registers.ebx: 3404708 registers.esi: 39490172 registers.ecx: 39567236	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x754bae8 0x754cde2 0x754c9c0 0x75475d5 0x754653c 0x7544f86 0x8ec7af 0x8e6d75 0x8e6886 0x8e34ab 0x8e2f10 0x8e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x754bb2b registers.esp: 3402040 registers.edi: 3402316 registers.eax: 0 registers.ebp: 3402048 registers.edx: 0 registers.ebx: 3404708 registers.esi: 39490172 registers.ecx: 40825736	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x754bae8 0x754cde2 0x754c9c0 0x75475d5 0x754653c 0x7544f86 0x8ec7af 0x8e6d75 0x8e6886 0x8e34ab 0x8e2f10 0x8e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x754bb2b registers.esp: 3402040 registers.edi: 3402316 registers.eax: 0 registers.ebp: 3402048 registers.edx: 0 registers.ebx: 3404708 registers.esi: 39490172 registers.ecx: 42223928	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x754bae8 0x754d2ea 0x754cf10 0x75475bd 0x7546629 0x7544f86 0x8ec7af 0x8e6d75 0x8e6886 0x8e34ab 0x8e2f10 0x8e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x754bb2b registers.esp: 3402060 registers.edi: 3402316 registers.eax: 0 registers.ebp: 3402068 registers.edx: 0 registers.ebx: 3404708 registers.esi: 39490172 registers.ecx: 43622200	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x754bae8 0x754d2ea 0x754cf10 0x75475d5 0x7546629 0x7544f86 0x8ec7af 0x8e6d75 0x8e6886 0x8e34ab 0x8e2f10 0x8e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x754bb2b registers.esp: 3402060 registers.edi: 3402316 registers.eax: 0 registers.ebp: 3402068 registers.edx: 0 registers.ebx: 3404708 registers.esi: 39490172 registers.ecx: 40587160	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x754bae8 0x754d2ea 0x754cf10 0x75475d5 0x7546629 0x7544f86 0x8ec7af 0x8e6d75 0x8e6886 0x8e34ab 0x8e2f10 0x8e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x754bb2b registers.esp: 3402060 registers.edi: 3402316 registers.eax: 0 registers.ebp: 3402068 registers.edx: 0 registers.ebx: 3404708 registers.esi: 39490172 registers.ecx: 41988096	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x754bae8 0x754e2bf 0x754da91 0x7544fb4 0x8ec7af 0x8e6d75 0x8e6886 0x8e34ab 0x8e2f10 0x8e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x754bb2b registers.esp: 3402944 registers.edi: 3403224 registers.eax: 0 registers.ebp: 3402952 registers.edx: 0 registers.ebx: 3404708 registers.esi: 42555592 registers.ecx: 42562676	1
__exception__ Oct. 6, 2023, 7:49 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 106623976 registers.edi: 74925756 registers.eax: 106623976 registers.ebp: 106624056 registers.edx: 100947557 registers.ebx: 106624340 registers.esi: 2147746133 registers.ecx: 74733232	1
__exception__ Oct. 6, 2023, 7:49 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6adb540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6adb52ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6ae90ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 76404288 registers.edi: 1974991376 registers.eax: 76404288 registers.ebp: 76404368 registers.edx: 1 registers.ebx: 74656860 registers.esi: 2147746133 registers.ecx: 1475535402	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x9d878d 0x9d855e 0x9d6cad 0x9d6886 0x9d34ab 0x9d2f10 0x9d2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9d88c8 registers.esp: 3141236 registers.edi: 3141288 registers.eax: 0 registers.ebp: 3141300 registers.edx: 3889552 registers.ebx: 3142508 registers.esi: 42569892 registers.ecx: 0	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x4a57cf0 0x4a53e00 0x4a538b1 0x4a537cd 0x4a51ed3 0x4a51196 0x9dc7af 0x9d6d75 0x9d6886 0x9d34ab 0x9d2f10 0x9d2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a57d33 registers.esp: 3139824 registers.edi: 3140108 registers.eax: 0 registers.ebp: 3139832 registers.edx: 0 registers.ebx: 3142508 registers.esi: 43314652 registers.ecx: 44440964	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x4a57cf0 0x4a53e00 0x4a538b1 0x4a537e5 0x4a51ed3 0x4a51196 0x9dc7af 0x9d6d75 0x9d6886 0x9d34ab 0x9d2f10 0x9d2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a57d33 registers.esp: 3139824 registers.edi: 3140108 registers.eax: 0 registers.ebp: 3139832 registers.edx: 0 registers.ebx: 3142508 registers.esi: 43314652 registers.ecx: 45746904	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x4a57cf0 0x4a53e00 0x4a538b1 0x4a537e5 0x4a51ed3 0x4a51196 0x9dc7af 0x9d6d75 0x9d6886 0x9d34ab 0x9d2f10 0x9d2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a57d33 registers.esp: 3139824 registers.edi: 3140108 registers.eax: 0 registers.ebp: 3139832 registers.edx: 0 registers.ebx: 3142508 registers.esi: 43314652 registers.ecx: 43226392	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x4a57cf0 0x4a53e00 0x4a580b8 0x4a537cd 0x4a52367 0x4a51196 0x9dc7af 0x9d6d75 0x9d6886 0x9d34ab 0x9d2f10 0x9d2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a57d33 registers.esp: 3139824 registers.edi: 3140108 registers.eax: 0 registers.ebp: 3139832 registers.edx: 0 registers.ebx: 3142508 registers.esi: 42227532 registers.ecx: 44718096	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x4a57cf0 0x4a53e00 0x4a580b8 0x4a537e5 0x4a52367 0x4a51196 0x9dc7af 0x9d6d75 0x9d6886 0x9d34ab 0x9d2f10 0x9d2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a57d33 registers.esp: 3139824 registers.edi: 3140108 registers.eax: 0 registers.ebp: 3139832 registers.edx: 0 registers.ebx: 3142508 registers.esi: 42227532 registers.ecx: 46157648	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x4a57cf0 0x4a53e00 0x4a580b8 0x4a537e5 0x4a52367 0x4a51196 0x9dc7af 0x9d6d75 0x9d6886 0x9d34ab 0x9d2f10 0x9d2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a57d33 registers.esp: 3139824 registers.edi: 3140108 registers.eax: 0 registers.ebp: 3139832 registers.edx: 0 registers.ebx: 3142508 registers.esi: 42227532 registers.ecx: 47462248	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x4a57cf0 0x4a58926 0x4a58378 0x4a537cd 0x4a5264a 0x4a51196 0x9dc7af 0x9d6d75 0x9d6886 0x9d34ab 0x9d2f10 0x9d2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a57d33 registers.esp: 3139784 registers.edi: 3140124 registers.eax: 0 registers.ebp: 3139792 registers.edx: 0 registers.ebx: 3142508 registers.esi: 42227532 registers.ecx: 42483680	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x4a57cf0 0x4a58926 0x4a58378 0x4a537e5 0x4a5264a 0x4a51196 0x9dc7af 0x9d6d75 0x9d6886 0x9d34ab 0x9d2f10 0x9d2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a57d33 registers.esp: 3139784 registers.edi: 3140124 registers.eax: 0 registers.ebp: 3139792 registers.edx: 0 registers.ebx: 3142508 registers.esi: 42209292 registers.ecx: 43833352	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x4a57cf0 0x4a58926 0x4a58378 0x4a537e5 0x4a5264a 0x4a51196 0x9dc7af 0x9d6d75 0x9d6886 0x9d34ab 0x9d2f10 0x9d2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a57d33 registers.esp: 3139784 registers.edi: 3140124 registers.eax: 0 registers.ebp: 3139792 registers.edx: 0 registers.ebx: 3142508 registers.esi: 42209292 registers.ecx: 45183024	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x4a57cf0 0x4a58fea 0x4a58bc8 0x4a537cd 0x4a5274c 0x4a51196 0x9dc7af 0x9d6d75 0x9d6886 0x9d34ab 0x9d2f10 0x9d2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a57d33 registers.esp: 3139848 registers.edi: 3140124 registers.eax: 0 registers.ebp: 3139856 registers.edx: 0 registers.ebx: 3142508 registers.esi: 42209292 registers.ecx: 46532760	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x4a57cf0 0x4a58fea 0x4a58bc8 0x4a537e5 0x4a5274c 0x4a51196 0x9dc7af 0x9d6d75 0x9d6886 0x9d34ab 0x9d2f10 0x9d2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a57d33 registers.esp: 3139848 registers.edi: 3140124 registers.eax: 0 registers.ebp: 3139856 registers.edx: 0 registers.ebx: 3142508 registers.esi: 42209292 registers.ecx: 43317856	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x4a57cf0 0x4a58fea 0x4a58bc8 0x4a537e5 0x4a5274c 0x4a51196 0x9dc7af 0x9d6d75 0x9d6886 0x9d34ab 0x9d2f10 0x9d2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a57d33 registers.esp: 3139848 registers.edi: 3140124 registers.eax: 0 registers.ebp: 3139856 registers.edx: 0 registers.ebx: 3142508 registers.esi: 42209292 registers.ecx: 44716048	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x4a57cf0 0x4a594f2 0x4a59118 0x4a537cd 0x4a52839 0x4a51196 0x9dc7af 0x9d6d75 0x9d6886 0x9d34ab 0x9d2f10 0x9d2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a57d33 registers.esp: 3139868 registers.edi: 3140124 registers.eax: 0 registers.ebp: 3139876 registers.edx: 0 registers.ebx: 3142508 registers.esi: 42209292 registers.ecx: 46114320	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x4a57cf0 0x4a594f2 0x4a59118 0x4a537e5 0x4a52839 0x4a51196 0x9dc7af 0x9d6d75 0x9d6886 0x9d34ab 0x9d2f10 0x9d2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a57d33 registers.esp: 3139868 registers.edi: 3140124 registers.eax: 0 registers.ebp: 3139876 registers.edx: 0 registers.ebx: 3142508 registers.esi: 42209292 registers.ecx: 47770552	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x4a57cf0 0x4a594f2 0x4a59118 0x4a537e5 0x4a52839 0x4a51196 0x9dc7af 0x9d6d75 0x9d6886 0x9d34ab 0x9d2f10 0x9d2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a57d33 registers.esp: 3139868 registers.edi: 3140124 registers.eax: 0 registers.ebp: 3139876 registers.edx: 0 registers.ebx: 3142508 registers.esi: 42209292 registers.ecx: 42718860	1
__exception__ Oct. 6, 2023, 7:48 a.m.	stacktrace: 0x4a57cf0 0x4a5a4c7 0x4a59c99 0x4a511c4 0x9dc7af 0x9d6d75 0x9d6886 0x9d34ab 0x9d2f10 0x9d2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a57d33 registers.esp: 3140752 registers.edi: 3141032 registers.eax: 0 registers.ebp: 3140760 registers.edx: 0 registers.ebx: 3142508 registers.esi: 43286356 registers.ecx: 43293440	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (8 events)

suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://5.42.92.211/loghub/master
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://77.91.124.1/theme/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.52/fuza/1.ps1
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.52/fuza/rus.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.52/fuza/foto3553.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.52/fuza/nano.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.124.1/theme/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.124.1/theme/Plugins/clip64.dll

Performs some HTTP requests (43 events)

request	POST http://5.42.92.211/loghub/master
request	POST http://77.91.124.1/theme/index.php
request	GET http://77.91.68.52/fuza/1.ps1
request	GET http://77.91.68.52/fuza/rus.exe
request	GET http://77.91.68.52/fuza/foto3553.exe
request	GET http://77.91.68.52/fuza/nano.exe
request	GET http://77.91.124.1/theme/Plugins/cred64.dll
request	GET http://77.91.124.1/theme/Plugins/clip64.dll
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://accounts.google.com/
request	GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
request	GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhdyfADyPcA7yLXC6h_tQmdvglNolQT6NRsBxSOYAOP9cQ5q7sygQlUcHMx3zc8TEcngtPmlTw
request	GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhdK1mkizJfifk30A2wUFICseNNCEjJIeVPM5FdrF5tEWuvZIe1OSLr4tRhi1BGsuGKKyagnGg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S2064279959%3A1696546472842958
request	GET https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
request	GET https://accounts.google.com/_/bscframe
request	GET https://accounts.google.com/favicon.ico
request	GET https://www.google.com/favicon.ico
request	GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhcDvrRvELv2YHAoIozHL4ARKVAwdXih1YzNwd9N0tcW7AThR1PqnPYFBUHlbxzCE9fKQvd2Mg
request	GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhcLz_cnXDIXvz3QIMY97r1jrsQOAnIw1tmulVERc2o6bSWlDbcLriBPSZgdPt1S1cy1gKwoqw&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1912069806%3A1696546479888140
request	GET https://accounts.google.com/generate_204?qq0oQg
request	GET https://accounts.google.com/generate_204?qMW9GQ
request	GET https://www.facebook.com/login
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yx/l/0,cross/dSpVEafK7Ja.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yF/l/0,cross/LSAcIwftMnp.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/QeMN1LLnAEZ.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yT/l/0,cross/g5qw7MkrAMe.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yd/l/0,cross/kwzs_5FMU9g.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yk/l/0,cross/mZN0_xqSmFF.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yL/r/C7x9HQY1590.js?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yX/l/0,cross/3YxNg1jSEBd.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yc/l/0,cross/1FPNULrhhBJ.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/yI/r/4aAhOWlwaXf.svg
request	GET https://facebook.com/security/hsts-pixel.gif?c=3.2.5
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yS/r/4Gbx36-Nu9e.js?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png
request	GET https://fbcdn.net/security/hsts-pixel.gif?c=2.5
request	GET https://fbsbx.com/security/hsts-pixel.gif?c=5
request	GET https://connect.facebook.net/security/hsts-pixel.gif
request	GET https://www.facebook.com/favicon.ico
request	GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhe5IhkTCdrQCA1yPVmt1oDA_voOW_A_ZqyCLTPdvHyGXJzE-RO7xy3BTH2BA1gxFU3WhShv
request	GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhemK6vxa5aVksbZqVqKrPQQwbOqA9SxEdxfxB3QOQidRlZmc0xXtRUEuzzNGlhNobYw0k8Y_g&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S906761759%3A1696546534329684
request	GET https://accounts.google.com/generate_204?zRkItw

Sends data using the HTTP POST Method (2 events)

request	POST http://5.42.92.211/loghub/master
request	POST http://77.91.124.1/theme/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 3073 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bb65000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73522000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e6b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c8a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00415000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00407000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70751000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74711000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c0f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73be1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6df71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6df4e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ddcb000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00406000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

explothe.exe tried to sleep 142 seconds, actually delayed analysis time by 142 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (20 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Oct. 6, 2023, 7:47 a.m.	number_of_free_clusters: 2425543 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 7:47 a.m.	number_of_free_clusters: 2425543 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 7:47 a.m.	number_of_free_clusters: 2425132 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 7:47 a.m.	number_of_free_clusters: 2425132 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 7:47 a.m.	number_of_free_clusters: 2424737 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 7:47 a.m.	number_of_free_clusters: 2424737 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 7:47 a.m.	number_of_free_clusters: 2424060 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 7:47 a.m.	number_of_free_clusters: 2424060 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 7:47 a.m.	number_of_free_clusters: 2423859 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 7:47 a.m.	number_of_free_clusters: 2423859 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 7:48 a.m.	number_of_free_clusters: 2421085 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 7:48 a.m.	number_of_free_clusters: 2421085 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 7:48 a.m.	number_of_free_clusters: 2420665 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 7:48 a.m.	number_of_free_clusters: 2420665 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 7:48 a.m.	number_of_free_clusters: 2419756 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 7:48 a.m.	number_of_free_clusters: 2419756 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 7:48 a.m.	number_of_free_clusters: 2419079 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 7:48 a.m.	number_of_free_clusters: 2419079 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 7:48 a.m.	number_of_free_clusters: 2418750 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 7:48 a.m.	number_of_free_clusters: 2418750 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

An application raised an exception which may be indicative of an exploit crash (8 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2456 crashed
Application Crash	Process iexplore.exe with pid 3556 crashed
Application Crash	Process chrome.exe with pid 5056 crashed
__exception__ Oct. 6, 2023, 7:49 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 106623976 registers.edi: 74925756 registers.eax: 106623976 registers.ebp: 106624056 registers.edx: 100947557 registers.ebx: 106624340 registers.esi: 2147746133 registers.ecx: 74733232	1	0	0
__exception__ Oct. 6, 2023, 7:49 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6adb540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6adb52ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6ae90ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 76404288 registers.edi: 1974991376 registers.eax: 76404288 registers.ebp: 76404368 registers.edx: 1 registers.ebx: 74656860 registers.esi: 2147746133 registers.ecx: 1475535402	1	0	0
__exception__ Oct. 6, 2023, 7:49 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 107606348 registers.edi: 6913460 registers.eax: 107606348 registers.ebp: 107606428 registers.edx: 234 registers.ebx: 107606712 registers.esi: 2147746133 registers.ecx: 93643208	1	0	0
__exception__ Oct. 6, 2023, 7:49 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x752f8926 RevokeBindStatusCallback+0x446 CreateURLMoniker-0x1418 urlmon+0x1c5f7 @ 0x752fc5f7 GetIDNFlagsForUri+0x1eb2 CreateIUriBuilder-0x8e7 urlmon+0x21ba9 @ 0x75301ba9 GetIDNFlagsForUri+0x19d4 CreateIUriBuilder-0xdc5 urlmon+0x216cb @ 0x753016cb GetIDNFlagsForUri+0x193d CreateIUriBuilder-0xe5c urlmon+0x21634 @ 0x75301634 GetIDNFlagsForUri+0xe85 CreateIUriBuilder-0x1914 urlmon+0x20b7c @ 0x75300b7c GetIDNFlagsForUri+0x12e3 CreateIUriBuilder-0x14b6 urlmon+0x20fda @ 0x75300fda CompareSecurityIds+0x207a GetClassFileOrMime-0x3330 urlmon+0x33246 @ 0x75313246 RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x752fd1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x752fd1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x752fd40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x752f991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x752f8d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6adb540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6adb52ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6ae90ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 64538664 registers.edi: 1974991376 registers.eax: 64538664 registers.ebp: 64538744 registers.edx: 1 registers.ebx: 7144060 registers.esi: 2147746133 registers.ecx: 1379854189	1	0	0
__exception__ Oct. 6, 2023, 7:49 a.m.	stacktrace: 0x1c2e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 fc 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1c2e04 registers.r14: 250408728 registers.r15: 85657024 registers.rcx: 1332 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 250407984 registers.rsp: 250407704 registers.r11: 250411600 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1328 registers.r12: 250408344 registers.rbp: 250407840 registers.rdi: 75775904 registers.rax: 1846784 registers.r13: 85143392	1	0	0

Steals private information from local Internet browsers (50 out of 183 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielpathgobddffflal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\gjagmgpathdbbciopjhllkdnddhcglnemk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\naepdomgkenhinolocfifgehpathddafch
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghpathoadd
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-651F7A75-1208.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnpath
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbml

Creates executable files on the filesystem (38 events)

file	C:\Users\test22\AppData\Local\Temp\QR1quzyXCWpIaCo.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\LN8mW9ty.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\Vq5kH4tS.exe
file	C:\Users\test22\AppData\Local\Temp\D54.tmp\D55.tmp\D66.bat
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\4uV842oz.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\xi2IL2aC.exe
file	C:\Users\test22\AppData\Local\Temp\0rnK339j3YfQnJa.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\cred64.dll
file	C:\Users\test22\AppData\Local\Temp\1000013051\nano.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\mI5WY8ei.exe
file	C:\Users\test22\AppData\Local\Temp\IXP005.TMP\oD9pg8wy.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Xo7lZ2zB.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\5tj76QQ.exe
file	C:\Users\test22\AppData\Local\Temp\IXP006.TMP\2uX315Hd.exe
file	C:\Users\test22\AppData\Local\Temp\NvoO7emaO6N0CgX.exe
file	C:\Users\test22\AppData\Local\Temp\TID1kUKJVi1qfvO.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\4Ye142Yf.exe
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\1af13hO1.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\HM0Nb2IZ.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6RG67Gn.exe
file	C:\Users\test22\AppData\Local\Temp\1000012051\foto3553.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\C7x9HQY1590[1].js
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\2UP350IV.exe
file	C:\Users\test22\AppData\Local\Temp\TWO0vAYL5jlVX0HM.dll
file	C:\Users\test22\AppData\Local\Temp\FCF4.tmp\FCF5.tmp\FCF6.bat
file	C:\Users\test22\AppData\Local\Temp\1000010041\1.ps1
file	C:\Users\test22\AppData\Local\Temp\GiE6UzXAHqzzY1B.exe
file	C:\Users\test22\AppData\Local\Temp\IXP006.TMP\1GW74XK8.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\4Gbx36-Nu9e[1].js
file	C:\Users\test22\AppData\Local\Temp\IXP005.TMP\3Aw3ON84.exe
file	C:\Users\test22\AppData\Local\Temp\W4LCHeXwJ8D8ORK.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\AY2yg0ZK.exe
file	C:\Users\test22\AppData\Local\Temp\J9gHKT9nvgbi3o1.exe
file	C:\Users\test22\AppData\Local\Temp\1000011051\rus.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\5Kh12Tz.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\3zc6jy08.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6gX51Dp.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\1000010041\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (20 events)

cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\QR1quzyXCWpIaCo.exe" /tn "\WindowsAppPool\QR1quzyXCWpIaCo"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\GiE6UzXAHqzzY1B.exe" /tn "\WindowsAppPool\GiE6UzXAHqzzY1B"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\W4LCHeXwJ8D8ORK.exe" /tn "\WindowsAppPool\W4LCHeXwJ8D8ORK"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\TID1kUKJVi1qfvO.exe" /tn "\WindowsAppPool\TID1kUKJVi1qfvO"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\NvoO7emaO6N0CgX.exe" /tn "\WindowsAppPool\NvoO7emaO6N0CgX"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\0rnK339j3YfQnJa.exe" /tn "\WindowsAppPool\0rnK339j3YfQnJa"
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\0rnK339j3YfQnJa.exe" /tn "\WindowsAppPool\0rnK339j3YfQnJa"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\W4LCHeXwJ8D8ORK.exe" /tn "\WindowsAppPool\W4LCHeXwJ8D8ORK"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\NvoO7emaO6N0CgX.exe" /tn "\WindowsAppPool\NvoO7emaO6N0CgX"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\GiE6UzXAHqzzY1B.exe" /tn "\WindowsAppPool\GiE6UzXAHqzzY1B"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\J9gHKT9nvgbi3o1.exe" /tn "\WindowsAppPool\J9gHKT9nvgbi3o1"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000010041\1.ps1"
cmdline	Powershell.exe -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000010041\1.ps1"
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\J9gHKT9nvgbi3o1.exe" /tn "\WindowsAppPool\J9gHKT9nvgbi3o1"
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\QR1quzyXCWpIaCo.exe" /tn "\WindowsAppPool\QR1quzyXCWpIaCo"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\TID1kUKJVi1qfvO.exe" /tn "\WindowsAppPool\TID1kUKJVi1qfvO"

Drops a binary and executes it (10 events)

file	C:\Users\test22\AppData\Local\Temp\GiE6UzXAHqzzY1B.exe
file	C:\Users\test22\AppData\Local\Temp\J9gHKT9nvgbi3o1.exe
file	C:\Users\test22\AppData\Local\Temp\NvoO7emaO6N0CgX.exe
file	C:\Users\test22\AppData\Local\Temp\QR1quzyXCWpIaCo.exe
file	C:\Users\test22\AppData\Local\Temp\TID1kUKJVi1qfvO.exe
file	C:\Users\test22\AppData\Local\Temp\W4LCHeXwJ8D8ORK.exe
file	C:\Users\test22\AppData\Local\Temp\0rnK339j3YfQnJa.exe
file	C:\Users\test22\AppData\Local\Temp\1000011051\rus.exe
file	C:\Users\test22\AppData\Local\Temp\1000012051\foto3553.exe
file	C:\Users\test22\AppData\Local\Temp\1000013051\nano.exe

Drops an executable to the user AppData folder (11 events)

file	C:\Users\test22\AppData\Local\Temp\1000012051\foto3553.exe
file	C:\Users\test22\AppData\Local\Temp\W4LCHeXwJ8D8ORK.exe
file	C:\Users\test22\AppData\Local\Temp\GiE6UzXAHqzzY1B.exe
file	C:\Users\test22\AppData\Local\Temp\0rnK339j3YfQnJa.exe
file	C:\Users\test22\AppData\Local\Temp\QR1quzyXCWpIaCo.exe
file	C:\Users\test22\AppData\Local\Temp\TID1kUKJVi1qfvO.exe
file	C:\Users\test22\AppData\Local\Temp\1000011051\rus.exe
file	C:\Users\test22\AppData\Local\Temp\1000013051\nano.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\J9gHKT9nvgbi3o1.exe
file	C:\Users\test22\AppData\Local\Temp\NvoO7emaO6N0CgX.exe

A process created a hidden window (22 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 2676 thread_handle: 0x0000030c process_identifier: 2720 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\GiE6UzXAHqzzY1B.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\GiE6UzXAHqzzY1B.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000310	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 2544 thread_handle: 0x00000318 process_identifier: 2052 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\GiE6UzXAHqzzY1B.exe" /tn "\WindowsAppPool\GiE6UzXAHqzzY1B" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000314	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 3100 thread_handle: 0x00000320 process_identifier: 3096 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\J9gHKT9nvgbi3o1.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\J9gHKT9nvgbi3o1.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000031c	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 3164 thread_handle: 0x00000328 process_identifier: 3160 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\J9gHKT9nvgbi3o1.exe" /tn "\WindowsAppPool\J9gHKT9nvgbi3o1" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000324	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 3276 thread_handle: 0x00000330 process_identifier: 3272 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\NvoO7emaO6N0CgX.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\NvoO7emaO6N0CgX.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000032c	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 3368 thread_handle: 0x00000338 process_identifier: 3364 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\NvoO7emaO6N0CgX.exe" /tn "\WindowsAppPool\NvoO7emaO6N0CgX" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000334	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 3448 thread_handle: 0x00000340 process_identifier: 3444 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\QR1quzyXCWpIaCo.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\QR1quzyXCWpIaCo.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000033c	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 3608 thread_handle: 0x00000348 process_identifier: 3604 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\QR1quzyXCWpIaCo.exe" /tn "\WindowsAppPool\QR1quzyXCWpIaCo" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000344	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 3740 thread_handle: 0x00000350 process_identifier: 3736 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\TID1kUKJVi1qfvO.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\TID1kUKJVi1qfvO.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000034c	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 3936 thread_handle: 0x00000358 process_identifier: 3932 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\TID1kUKJVi1qfvO.exe" /tn "\WindowsAppPool\TID1kUKJVi1qfvO" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000354	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 2652 thread_handle: 0x00000360 process_identifier: 2944 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\W4LCHeXwJ8D8ORK.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\W4LCHeXwJ8D8ORK.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000035c	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 3348 thread_handle: 0x00000368 process_identifier: 3356 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\W4LCHeXwJ8D8ORK.exe" /tn "\WindowsAppPool\W4LCHeXwJ8D8ORK" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000364	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 3544 thread_handle: 0x00000370 process_identifier: 3520 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\0rnK339j3YfQnJa.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\0rnK339j3YfQnJa.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000036c	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 3900 thread_handle: 0x00000378 process_identifier: 3856 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\0rnK339j3YfQnJa.exe" /tn "\WindowsAppPool\0rnK339j3YfQnJa" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000374	1	1
ShellExecuteExW Oct. 6, 2023, 7:48 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe	1	1
ShellExecuteExW Oct. 6, 2023, 7:48 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Oct. 6, 2023, 7:48 a.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW Oct. 6, 2023, 7:48 a.m.	show_type: 0 filepath_r: Powershell.exe parameters: -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000010041\1.ps1" filepath: Powershell.exe	1	1
ShellExecuteExW Oct. 6, 2023, 7:48 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000011051\rus.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000011051\rus.exe	1	1
ShellExecuteExW Oct. 6, 2023, 7:48 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000012051\foto3553.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000012051\foto3553.exe	1	1
ShellExecuteExW Oct. 6, 2023, 7:48 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000013051\nano.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000013051\nano.exe	1	1
ShellExecuteExW Oct. 6, 2023, 7:49 a.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main filepath: rundll32.exe	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 6, 2023, 7:48 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x03760000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process explothe.exe (4 events)

Time & API	Arguments	Status	Return
InternetReadFile Oct. 6, 2023, 7:48 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢ÓÃÿÃÓÃÿÃÓÃÿÃ±üÂÝÃÿÃ±úÂxÃÿÃ±ûÂÅÃÿÃ¿ûÂÂÃÿÃ±þÂÚÃÿÃÓÃþÃ]ÃÿÃ¿úÂÃÿÃ¿üÂËÃÿÃ¿úÂÒÃÿÃ¿ýÂÒÃÿÃRichÓÃÿÃPEL>eà"ªBÀ@P@TãdÀPj 8²¸@àT.text¥¨ª `.rdatahÀ®@@.data¨Pl6@À.idataà¢@@.inter¸@À.tls J@À.00cfg°N@@.relocGÀP@BÌÌÌÌÌé[%éhKéßé¬¼éÙQéM2éÁeé´éî¶ é¼éngéÛé}é¦Íé'éÚiébTéÑÃ éNQ é7éÑé&Îé>ÄéG édé^éjé¤Õéé,éì»éYíéë>én,ééé3Äé´éûéBééYé>é$Íéßéué.¦éÓþéô&éBé©"ékáéZéÕé«éÏÆé']éa_éZ éoéaAé³øé1é3iégéKø é¥×é©ãéÄé>\éØ¼ éÏ6éÂâé?é¤Téw é6gé¬ÕéÑåéªé]éª°é\ é§éÔéµÞéËñéékWéËéWêéôKé~é:éCé·èézéÄéféLÆéléOµé¬é8TébÈé/éÞé%é:1éUs éé"Öé¿ü éÞé³iéÉéògéëé¾zéñéV éJé;}éKéZé%éµgéàEéL^éèé9'éÍBéCêé,ré é"éZ» éeÊé0oékzé¥D éÂZé3 ééãéðéSééVéüUéïIéúéé\éZ`éìéyh é¤éÿ=éÉªéïéÒ éIâé´éé÷éï[éHéçé/4 éhédéIñéÒéæéúlé×Hé±ëé%éÏèé0¦é é½éé¸ÈéÿXé/é éoé× éÐ éKhé·Qé¡véà%éâ¬é!é-éçÌé:éF¶éé3ëéw.é!é°oéÅé?éÌééL é¯¤éX é7qéÎ8éJ¿é©é'IéyÏéK!é Ö é`cé· éé pé{éé"3éÝ?é!éDêé)é7Vé#>é^zéxà é<éàéDÔ éG£éðoé°² é9#é>éfcéÇÃék5éòôév]éú<ééé¾é"[é»é¼kéfbé7réè¼ééíÕéSébKé2\é}év é`©éûéÍwéÅäéQéÿé2é¸.éÖRéÞ¤ é /é~éæéèQ éª¡éUéÃéÝé4ÉéòéáéVéséR@éØÀéCé}éÎëéý éóaéPÙé³éhé°éEÑé)éIgéÕ:é` é! éi%éaéÁ«é12éqJéîé¦âé¨eéEÞé9:éj´éê[é [ééÑ<ééäéÇéJ1éÌ9éN8éYémÈ é$ÐéÝ¹é(héqaé¶Íé}éõé±éð8ééñ¢étréGbéÅkéðWé¹féÒé.¤é~Wéñ- éÔíéÆ éÛxé é, éwdé'Zéläéäìéøé¢é±ÝéÆéí éI¿ é·¥é=ñéÕ¨éU¥éNéËbéé*éÞéqé-Ðé2¿éWÓéÁ/ééF+éÔåéßég^éWÐ éÝéqéñÛéué åé5(é¥éÁ+é¶Pé,ÊékéAYéÃéþÅéÒÀéµÇéò é¸éaé aéÙæ ép÷é,éFéWYéi é$réÓé©éöYéjé]é<é( é éÂ[é#é\|Îé"éU#é éÍ"édé¤é" éÏ%éév¥éâé\é£aé¶+é é×éÁéªCéæé[éÓÈé é¶éþ\|é§@éÍécéLéé»7é,ô éWfé{Üé}é¿ÖéZ«é^ éc¹é£5ék°éFépéOéÊïéÚé¶³éIâéæéöáééV3 éãéNéÁOéBé) éCxé¸Ûéeéäép/éáé`ééé¤8éPCé%oéFé%°éCféé¾Né«é\|é]"éé¡Wé×é}Aé>éD?é¸Véë¢ éé ø éJéxÁéÀ&éÙgéM'ééÚ é²éFTé,' én!é)ééêé"éUpéBÙééóOéÌéóåé«î é°@ éé1éhé³Cé[éÆç é«Ãé4Ìé=éÃé¿ éè`éåQé$Wé"KéÓé´é4kééé%9éAéüÕéy/ é@ éä éþ\|é'&é #éÌ9é»#éàké¯éâééðÜécÌé¿éÛòéÃ+éW¡éÉÈé®ñ éëØéTéé´é éêlé°Céyéðí éà©é êéæNé÷Ëéû éÞæ éYéRÖéöÔéCÅ é3 éxéé´é¹éÂéÚöéÈéTé;éÖ é·é»Géé{ßééJé"Ö é<âé8×éf¯ég`é?ÿéZ request_handle: 0x00cc000c	1	1
InternetReadFile Oct. 6, 2023, 7:48 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $×â%KÔKÔKÔöåNÕKÔöåHÕKÔöåOÕKÔöåJÕKÔJÔ KÔöåCÕKÔöå´ÔKÔöåIÕKÔRichKÔPELâ`bà dê`j@ ¼%@Á ¢´À°ËT@ .textcd `.dataHh@À.idataR j@@.rsrcÐÀÌ\|@@.reloc H@B@P@¤@p@¢@È@u j@°i@@o@àÀ012P4ð4BIPJÐJ`KÀK LÀLÐLàOcÀc`g°i j`jàlðn@oppr radvapi32.dllCheckTokenMembership" .INF[]RebootAdvancedINFVersionsetupx.dllsetupapi.dll.BATSeShutdownPrivilegeadvpack.dllDelNodeRunDLL32...wininit.ini%luSoftware\Microsoft\Windows\CurrentVersion\App Paths\Kernel32.dllHeapSetInformationTITLEEXTRACTOPTINSTANCECHECKVERCHECKDecryptFileALICENSE<None>REBOOTSHOWWINDOWADMQCMDUSRQCMDRUNPROGRAMPOSTRUNPROGRAMFINISHMSGLoadString() Error. Could not load string resource.CABINETFILESIZESPACKINSTSPACEUPROMPTIXP%03d.TMPIXPi386mipsalphappcA:\msdownld.tmpTMP4351$.TMPRegServerUPDFILE%luControl Panel\Desktop\ResourceLocaleâ`b%ttâ`b Øâ`bprRSDSºÍã÷æÎÍú1 òïåwextract.pdbGCTL¬.rdata$brc¬.CRT$XCA°.CRT$XCAA´.CRT$XCZ¸.CRT$XIA¼.CRT$XIAAÀ.CRT$XIYÄ.CRT$XIZÈx.gfids@0.rdatap.rdata$sxdatat.rdata$zzzdbg8\.text$mn¸r\.xdata$xà.dataàh.bss .idata$5¢.00cfg¢ .idata$2,£.idata$3@£.idata$4È¥ .idata$6À.rsrc$01Ä .rsrc$02ÿUì3ÀÒtúÿÿÿv¸WÀxQÿuQèÛëÒtÆ]ÂÿUìSVW3ÿ»W÷Òtúÿÿÿvóöx?òÁÒt8t@îuõþÂ÷Þö+Çæ©ÿøó÷ßÿ#øöxQÿu+×QÏènð_Æ^[]ÂÿUìEV3öÀt=ÿÿÿv¾Wöx5S]3öWxÿEPÿuWSÿ\|¢@ÄÀx;Çwuë¾zÆ_[ë ÀtMÆÆ^]ÃÿUìÒt&ESV¾þÿÿ+ÁötÛt ANêuì^[ÒuI÷ÚÆÒâÿøz]ÂÿUì9MrEº+Á;Âw+M ë3À]ÂÿUìì¡@3ÅEüSVW3ÀfÇEøñEôhD@uèØÿx @øÿtjhT@Wÿ @EðÀtP3ÉEìPQQQQQQh j jEôPCÿ$ @ÀtMðôÿuèÿuìjÿ¢@ÿUð;ôt¹Í)ÿuìÿ @Wÿ¬ @MüÃ_^3Í[èATå]ÃÿUìì¡@3ÅEü¡(@SWj3ÛfÇEø_]ô]ð;ÇôMðèÿÿÿÀÓEèPjÿ¡@Pÿ @ÀÉEìPSSWÿuèÿ @Àÿl @øzVÿuìSÿP¡@ðötqEìPÿuìVWÿuèÿ @ÀtTEäPSSSSSSh j WEôPÿ$ @Àt49v'~ÿuäÿ7ÿ, @Àu CÇ;réë3À@£(@Eðÿuäÿ @Vÿ¤ @^ÿuèÿ @EðëEðÀt Ç(@Mü_3Í[èSå]ÃÌÌÌÌÌÌÌÿUìì¡@3ÅEüEVu-t!èuUÃ÷ÿÿùw RVÿà¡@ëP3ÀëOÿÌ¡@ÐÎè)hüýÿÿÆüýÿÿPÿuÿ5<@ÿè¡@üýÿÿPh?VÿÔ¡@jÿÿÜ¡@3À@Mü3Í^èbRå]ÂÿUìQSÁÚVWEü3ÿ0ë>tFf¾ËèÔKÀuëEüf¾0ë3Àë#<7tGf¾7Ëè®KÀté78tÆ@_^[å]ÃÿUìì¡@3ÅEüEºSVÙèùÿÿEôýÿÿWSìùÿÿè[ûÿÿ½ôýÿÿ"u ºl@õýÿÿëºp@ôýÿÿðùÿÿðùÿÿè-ÿÿÿµðùÿÿøöt<ÎQAÀuù+Êùr)F<:u~\t >\u<\uVºøþÿÿèãúÿÿë(Qhä@QºøþÿÿèËûÿÿVºøþÿÿèÃIj.ZÎè÷JÀjÿht@jÿPjjÿh @Hè\|øþÿÿPÿ request_handle: 0x00cc000c	1	1
InternetReadFile Oct. 6, 2023, 7:48 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢ÓÃÿÃÓÃÿÃÓÃÿÃ±üÂÝÃÿÃ±úÂxÃÿÃ±ûÂÅÃÿÃ¿ûÂÂÃÿÃ±þÂÚÃÿÃÓÃþÃ]ÃÿÃ¿úÂÃÿÃ¿üÂËÃÿÃ¿úÂÒÃÿÃ¿ýÂÒÃÿÃRichÓÃÿÃPELð=eà"ªRÀ@`@TãdÐLj 8²¸@àT.text¥¨ª `.rdatapÀ®@@.data¨Pl6@À.idataà¢@@.inter¡¢¸@À.tls °Z@À.00cfgÀ^@@.reloc²Ð`@BÌÌÌÌÌé[%éhKéßé¬¼éÙQéM2éÁeé´éî¶ é¼éngéÛé}é¦Íé'éÚiébTéÑÃ éNQ é7éÑé&Îé>ÄéG édé^éjé¤Õéé,éì»éYíéë>én,ééé3Äé´éûéBééYé>é$Íéßéué.¦éÓþéô&éBé©"ékáéZéÕé«éÏÆé']éa_éZ éoéaAé³øé1é3iégéKø é¥×é©ãéÄé>\éØ¼ éÏ6éÂâé?é¤Téw é6gé¬ÕéÑåéªé]éª°é\ é§éÔéµÞéËñéékWéËéWêéôKé~é:éCé·èézéÄéféLÆéléOµé¬é8TébÈé/éÞé%é:1éUs éé"Öé¿ü éÞé³iéÉéògéëé¾zéñéV éJé;}éKéZé%éµgéàEéL^éèé9'éÍBéCêé,ré é"éZ» éeÊé0oékzé¥D éÂZé3 ééãéðéSééVéüUéïIéúéé\éZ`éìéyh é¤éÿ=éÉªéïéÒ éIâé´éé÷éï[éHéçé/4 éhédéIñéÒéæéúlé×Hé±ëé%éÏèé0¦é é½éé¸ÈéÿXé/é éoé× éÐ éKhé·Qé¡véà%éâ¬é!é-éçÌé:éF¶éé3ëéw.é!é°oéÅé?éÌééL é¯¤éX é7qéÎ8éJ¿é©é'IéyÏéK!é Ö é`cé· éé pé{éé"3éÝ?é!éDêé)é7Vé#>é^zéxà é<éàéDÔ éG£éðoé°² é9#é>éfcéÇÃék5éòôév]éú<ééé¾é"[é»é¼kéfbé7réè¼ééíÕéSébKé2\é}év é`©éûéÍwéÅäéQéÿé2é¸.éÖRéÞ¤ é /é~éæéèQ éª¡éUéÃéÝé4ÉéòéáéVéséR@éØÀéCé}éÎëéý éóaéPÙé³éhé°éEÑé)éIgéÕ:é` é! éi%éaéÁ«é12éqJéîé¦âé¨eéEÞé9:éj´éê[é [ééÑ<ééäéÇéJ1éÌ9éN8éYémÈ é$ÐéÝ¹é(héqaé¶Íé}éõé±éð8ééñ¢étréGbéÅkéðWé¹féÒé.¤é~Wéñ- éÔíéÆ éÛxé é, éwdé'Zéläéäìéøé¢é±ÝéÆéí éI¿ é·¥é=ñéÕ¨éU¥éNéËbéé*éÞéqé-Ðé2¿éWÓéÁ/ééF+éÔåéßég^éWÐ éÝéqéñÛéué åé5(é¥éÁ+é¶Pé,ÊékéAYéÃéþÅéÒÀéµÇéò é¸éaé aéÙæ ép÷é,éFéWYéi é$réÓé©éöYéjé]é<é( é éÂ[é#é\|Îé"éU#é éÍ"édé¤é" éÏ%éév¥éâé\é£aé¶+é é×éÁéªCéæé[éÓÈé é¶éþ\|é§@éÍécéLéé»7é,ô éWfé{Üé}é¿ÖéZ«é^ éc¹é£5ék°éFépéOéÊïéÚé¶³éIâéæéöáééV3 éãéNéÁOéBé) éCxé¸Ûéeéäép/éáé`ééé¤8éPCé%oéFé%°éCféé¾Né«é\|é]"éé¡Wé×é}Aé>éD?é¸Véë¢ éé ø éJéxÁéÀ&éÙgéM'ééÚ é²éFTé,' én!é)ééêé"éUpéBÙééóOéÌéóåé«î é°@ éé1éhé³Cé[éÆç é«Ãé4Ìé=éÃé¿ éè`éåQé$Wé"KéÓé´é4kééé%9éAéüÕéy/ é@ éä éþ\|é'&é #éÌ9é»#éàké¯éâééðÜécÌé¿éÛòéÃ+éW¡éÉÈé®ñ éëØéTéé´é éêlé°Céyéðí éà©é êéæNé÷Ëéû éÞæ éYéRÖéöÔéCÅ é3 éxéé´é¹éÂéÚöéÈéTé;éÖ é·é»Géé{ßééJé"Ö é<âé8×éf¯ég`é?ÿéZ request_handle: 0x00cc000c	1	1
InternetReadFile Oct. 6, 2023, 7:48 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $,CyáCyáCyáâ~Iyáä~Ëyáå~Qyáå~Lyáâ~Ryáä~byáà~FyáCyàyáØè~@yáØá~ByáØByáØã~ByáRichCyáPEL ïeà!Þ>ð°@ J<K<øT ?p?@ð,.textVÝÞ `.rdataîaðbâ@@.dataD`D@À.rsrcøP@@.relocTR@Bj h¨<¹phè?#hêèYÃÌÌÌj8hÌ<¹hè#h`êèlYÃÌÌÌj8hÌ<¹ hèÿ"hÀêèLYÃÌÌÌj8hÌ<¹¸hèß"h ëè,YÃÌÌÌj8h=¹Ðhè¿"hëè*YÃÌÌÌj0hD=¹èhè"hàëèì)YÃÌÌÌj0hx=¹iè"h@ìèÌ)YÃÌÌÌhh°=¹iè\"h ìè©)YÃj?h>¹0iè?"híè)YÃÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPèÂ2ÄÆ^]ÂÌÌÌI¸\|<ÉEÁÃÌÌUìVñFÇñPèó2ÄöEtjVè«%ÄÆ^]ÂAÇñPèÉ2YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇA<ÇìñÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿhJEôPè2ÌÌÌÌUìVñWÀFPÇñfÖEÀPèò1ÄÇìñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPè²1ÄÇ ñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìQSZVWQSñè=h3É3À}üÛ~53Ò;ÇþEÐ=h¸phCph~r>A}üB;Ë\|Ë~r_ÆÆ^[å]Ã_ÆÆ^[å]ÃÌÌÌÌÌUììSVWòùQ}ôFPEðè3Û]ø9]ð)D~Ær¾Pè¯KÄÀu-NÆùr< tÆùrÏréÌ~Ær=@i3Ò Diÿt+EÿfD]ÿù¸0iC0i8]øtB;×ráÊÿEÈxr3Àÿt.MÿD=Di¹0i]ÿC 0i8]øt@;ÇrÝÈÿ=Di¹0iC 0iMìMôMøyr MøÏ+È 3Ò÷÷Mì}ô MøC]ø;]ðÜþÿÿrÆÇ_^[å]ÃÆÇ_^[å]ÃÌÌÌÌÌÌÌÌÌÌUìì@SVWÙòQMÄ]ôèçýÿÿEÄÖPMÜèYþÿÿhÇCÇCÆè°"Ø¹Èÿ]øûÄó«3Ò¾8>Bú@\|ðUì3ö3Û~øÒtAMø}ðEÜCEÜ¾øÿt'ÁæðÇxÏÆÓøMôPèUìïMøC;ÚrÂEøÀthPèð!ÄUðúr(MÜBÁúrIüÂ#+ÁÀüøwVRQèÀ!ÄUØÇEìÇEðÆEÜúr(MÄBÁúrIüÂ#+ÁÀüøwRQè~!ÄEô_^[å]ÃèGÌÌÌÌÌÌÌÌÌÌÌUìì4E0SVW3ÿÆEè¾À]ÇEàÇEäÆEÐ;Ç´+ÇMÐ;ÃBØ}4E CE SÇPèþr.MèVÁúrIüÂ#+ÁÀüøhRQè× ÄMÐ}Uó~EàEèCU}äuà]f~ÉMèCÁfÖEø;óu\îr; uÀÂîsïþüî: u7þýßH:Ju&þþÎH:Juþÿ½@:B±E0Guü;øõþÿÿ3ÿUþr/MèFÁþrIüÆ#+ÁÀüøVQè UÄEør'HÂùrRüÁ#+ÂÀüøw`QRèÏÄU4ÇEÇEÆEúr3M BÁúrIüÂ#+ÁÀüøwë uüGéWÿÿÿRQèÄÇ_^[å]Ãè Eè«ÌÌÌÌÌÌÌÌÌÌÌUìQS]Vñ]üWjhÀ>ÇFÇFÆèD3ÿÛ~1}ECE8S¿C ú¶È¶ÃGÈ¶ÁÎPèG;}ü\|ÏUúr(MBÁúrIüÂ#+ÁÀüøwRQèÑÄ_Æ^[å]ÃèïDÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì0VWj$hÄ>MÐÇEàÇEäÆEÐèEÀu3öéÇ3ÿÀ¸ÇEøÇEüÆEè;ÇF+Ç¹;ÁBÈ}ECEQÇMèPèBìEÐÌPètìEèôìÌPèaÎèªþÿÿÄè¢üÿÿUüÄ0Àúr,MèBÁúrIüÂ#+ÁÀüø¹RQèÇÄEG;øHÿÿÿ¾Uäúr(MÐBÁúrIüÂ#+ÁÀüøwxRQèÄUúr^MBÁúrFIüÂ#+ÁÀüøwHë4úr(MèBÁúrIüÂ#+ÁÀüøw#RQè1Ä3öétÿÿÿRQè Ä_Æ^å]Ãè?CèJÌÌÌÌÌÌÌÌÌÌUìQEUMVÀS@WPè] ÄM}ØÓCM+ÑID ÿÀuóóNFÀuù+ñFVjÿðVøSWÿðPèÇ5ÄWÿðjÿñÿñWjÿñÿ ñUM_[^úr%BÁúrIüÂ#+ÁÀüøwRQèAÄå]ÃèdBÌÌÌÌUìì$SVWùjÇGÇGÆÿñÀj ÿ$ñØ]üÛlSÿðEôÀSjjjjjÿPjhéýÿððuøö.WN;ÊwOÇrÆëFGÙ+Ú+Â;Øw%ÇOrS4jVèE,ÆÄuøëQSÆEøÏÿuøSè¨]üÇrjjVPjÿÿuô request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0019c200', u'virtual_address': u'0x0000c000', u'entropy': 7.9799672940473325, u'name': u'.rsrc', u'virtual_size': u'0x0019d000'}

entropy

7.97996729405

description

A section with a high entropy has been found

entropy

0.980666270077

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (8 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 6, 2023, 7:47 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 6, 2023, 7:48 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 6, 2023, 7:48 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 6, 2023, 7:48 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 6, 2023, 7:48 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 6, 2023, 7:48 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 6, 2023, 7:48 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 6, 2023, 7:49 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (50 out of 97 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	RedLine stealer	rule	RedLine_Stealer_m_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	RedLine stealer	rule	RedLine_Stealer_m_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active

Queries for potentially installed applications (50 out of 306 events)

Time & API	Arguments	Status
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: 7-Zip base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: AddressBook base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: Adobe AIR base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: Connection Manager base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: DirectDrawEx base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: EditPlus base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: Fontcore base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: Google Chrome base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: IE40 base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: IE4Data base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: IE5BAKEX base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: IEData base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: MobileOptionPack base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: Office15.PROPLUSR base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: SchedulingAgent base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: WIC base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW Oct. 6, 2023, 7:47 a.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x00000488 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Terminates another process (24 events)

Time & API	Arguments	Status	Return
NtTerminateProcess Oct. 6, 2023, 7:48 a.m.	status_code: 0xffffffff process_identifier: 4548 process_handle: 0x00000524		0
NtTerminateProcess Oct. 6, 2023, 7:48 a.m.	status_code: 0xffffffff process_identifier: 4548 process_handle: 0x00000524	1	0
NtTerminateProcess Oct. 6, 2023, 7:48 a.m.	status_code: 0xffffffff process_identifier: 4612 process_handle: 0x00000524		0
NtTerminateProcess Oct. 6, 2023, 7:48 a.m.	status_code: 0xffffffff process_identifier: 4612 process_handle: 0x00000524	1	0
NtTerminateProcess Oct. 6, 2023, 7:48 a.m.	status_code: 0xffffffff process_identifier: 2644 process_handle: 0x00000138		0
NtTerminateProcess Oct. 6, 2023, 7:48 a.m.	status_code: 0xffffffff process_identifier: 2644 process_handle: 0x00000138		3221225738
NtTerminateProcess Oct. 6, 2023, 7:48 a.m.	status_code: 0xffffffff process_identifier: 3876 process_handle: 0x00000410		0
NtTerminateProcess Oct. 6, 2023, 7:48 a.m.	status_code: 0xffffffff process_identifier: 3876 process_handle: 0x00000410	1	0
NtTerminateProcess Oct. 6, 2023, 7:48 a.m.	status_code: 0xffffffff process_identifier: 3232 process_handle: 0x00000410		0
NtTerminateProcess Oct. 6, 2023, 7:48 a.m.	status_code: 0xffffffff process_identifier: 3232 process_handle: 0x00000410	1	0
NtTerminateProcess Oct. 6, 2023, 7:48 a.m.	status_code: 0xffffffff process_identifier: 4988 process_handle: 0x00000530		0
NtTerminateProcess Oct. 6, 2023, 7:48 a.m.	status_code: 0xffffffff process_identifier: 4988 process_handle: 0x00000530	1	0
NtTerminateProcess Oct. 6, 2023, 7:48 a.m.	status_code: 0xffffffff process_identifier: 4744 process_handle: 0x000002b4		0
NtTerminateProcess Oct. 6, 2023, 7:48 a.m.	status_code: 0xffffffff process_identifier: 4744 process_handle: 0x000002b4	1	0
NtTerminateProcess Oct. 6, 2023, 7:48 a.m.	status_code: 0xffffffff process_identifier: 4800 process_handle: 0x000002b4		0
NtTerminateProcess Oct. 6, 2023, 7:48 a.m.	status_code: 0xffffffff process_identifier: 4800 process_handle: 0x000002b4	1	0
NtTerminateProcess Oct. 6, 2023, 7:49 a.m.	status_code: 0xffffffff process_identifier: 5056 process_handle: 0x000004f4		0
NtTerminateProcess Oct. 6, 2023, 7:49 a.m.	status_code: 0xffffffff process_identifier: 5056 process_handle: 0x000004f4	1	0
NtTerminateProcess Oct. 6, 2023, 7:49 a.m.	status_code: 0xffffffff process_identifier: 5108 process_handle: 0x000004f4		0
NtTerminateProcess Oct. 6, 2023, 7:49 a.m.	status_code: 0xffffffff process_identifier: 5108 process_handle: 0x000004f4	1	0
NtTerminateProcess Oct. 6, 2023, 7:49 a.m.	status_code: 0xffffffff process_identifier: 4104 process_handle: 0x000004f4		0
NtTerminateProcess Oct. 6, 2023, 7:49 a.m.	status_code: 0xffffffff process_identifier: 4104 process_handle: 0x000004f4	1	0
NtTerminateProcess Oct. 6, 2023, 7:49 a.m.	status_code: 0xffffffff process_identifier: 4784 process_handle: 0x00000138		0
NtTerminateProcess Oct. 6, 2023, 7:49 a.m.	status_code: 0xffffffff process_identifier: 4784 process_handle: 0x00000138		3221225738

Uses Windows utilities for basic Windows functionality (23 events)

cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\QR1quzyXCWpIaCo.exe" /tn "\WindowsAppPool\QR1quzyXCWpIaCo"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\GiE6UzXAHqzzY1B.exe" /tn "\WindowsAppPool\GiE6UzXAHqzzY1B"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\W4LCHeXwJ8D8ORK.exe" /tn "\WindowsAppPool\W4LCHeXwJ8D8ORK"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\TID1kUKJVi1qfvO.exe" /tn "\WindowsAppPool\TID1kUKJVi1qfvO"
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3556 CREDAT:145409
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\NvoO7emaO6N0CgX.exe" /tn "\WindowsAppPool\NvoO7emaO6N0CgX"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\0rnK339j3YfQnJa.exe" /tn "\WindowsAppPool\0rnK339j3YfQnJa"
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2456 CREDAT:145409
cmdline	"C:\Windows\sysnative\cmd" /c "C:\Users\test22\AppData\Local\Temp\FCF4.tmp\FCF5.tmp\FCF6.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6gX51Dp.exe"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\0rnK339j3YfQnJa.exe" /tn "\WindowsAppPool\0rnK339j3YfQnJa"
cmdline	"C:\Windows\sysnative\cmd" /c "C:\Users\test22\AppData\Local\Temp\D54.tmp\D55.tmp\D66.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6RG67Gn.exe"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\W4LCHeXwJ8D8ORK.exe" /tn "\WindowsAppPool\W4LCHeXwJ8D8ORK"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://accounts.google.com/
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\NvoO7emaO6N0CgX.exe" /tn "\WindowsAppPool\NvoO7emaO6N0CgX"
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\GiE6UzXAHqzzY1B.exe" /tn "\WindowsAppPool\GiE6UzXAHqzzY1B"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\J9gHKT9nvgbi3o1.exe" /tn "\WindowsAppPool\J9gHKT9nvgbi3o1"
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\J9gHKT9nvgbi3o1.exe" /tn "\WindowsAppPool\J9gHKT9nvgbi3o1"
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2456 CREDAT:79877
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\QR1quzyXCWpIaCo.exe" /tn "\WindowsAppPool\QR1quzyXCWpIaCo"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\TID1kUKJVi1qfvO.exe" /tn "\WindowsAppPool\TID1kUKJVi1qfvO"

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (5 events)

host	117.18.232.200
host	5.42.92.211
host	77.91.124.1
host	77.91.124.55
host	77.91.68.52

Allocates execute permission to another process indicative of possible code injection (8 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2384 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000128	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:48 a.m.	process_identifier: 2092 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000128	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:48 a.m.	process_identifier: 3504 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000128	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:48 a.m.	process_identifier: 3772 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000128	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:48 a.m.	process_identifier: 2544 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000128	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:48 a.m.	process_identifier: 4108 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000128	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:48 a.m.	process_identifier: 4348 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000128	1
NtAllocateVirtualMemory Oct. 6, 2023, 7:49 a.m.	process_identifier: 4540 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000128	1

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService Oct. 6, 2023, 7:48 a.m.	service_handle: 0x005ee9f0 service_name: WinDefend control_code: 1		0	0
ControlService Oct. 6, 2023, 7:48 a.m.	service_handle: 0x005ff230 service_name: wuauserv control_code: 1		0	0

Installs itself for autorun at Windows startup (29 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP003.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP004.TMP\"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\rus.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000011051\rus.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\foto3553.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000012051\foto3553.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\nano.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000013051\nano.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP003.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP005.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP006.TMP\"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\QR1quzyXCWpIaCo.exe" /tn "\WindowsAppPool\QR1quzyXCWpIaCo"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\GiE6UzXAHqzzY1B.exe" /tn "\WindowsAppPool\GiE6UzXAHqzzY1B"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\W4LCHeXwJ8D8ORK.exe" /tn "\WindowsAppPool\W4LCHeXwJ8D8ORK"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\TID1kUKJVi1qfvO.exe" /tn "\WindowsAppPool\TID1kUKJVi1qfvO"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\NvoO7emaO6N0CgX.exe" /tn "\WindowsAppPool\NvoO7emaO6N0CgX"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\0rnK339j3YfQnJa.exe" /tn "\WindowsAppPool\0rnK339j3YfQnJa"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\0rnK339j3YfQnJa.exe" /tn "\WindowsAppPool\0rnK339j3YfQnJa"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\W4LCHeXwJ8D8ORK.exe" /tn "\WindowsAppPool\W4LCHeXwJ8D8ORK"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\NvoO7emaO6N0CgX.exe" /tn "\WindowsAppPool\NvoO7emaO6N0CgX"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\GiE6UzXAHqzzY1B.exe" /tn "\WindowsAppPool\GiE6UzXAHqzzY1B"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\J9gHKT9nvgbi3o1.exe" /tn "\WindowsAppPool\J9gHKT9nvgbi3o1"
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\J9gHKT9nvgbi3o1.exe" /tn "\WindowsAppPool\J9gHKT9nvgbi3o1"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\QR1quzyXCWpIaCo.exe" /tn "\WindowsAppPool\QR1quzyXCWpIaCo"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\TID1kUKJVi1qfvO.exe" /tn "\WindowsAppPool\TID1kUKJVi1qfvO"

Detects Avast Antivirus through the presence of a library (6 events)

Time & API	Arguments	Return
LdrGetDllHandle Oct. 6, 2023, 7:48 a.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0	3221225781
LdrGetDllHandle Oct. 6, 2023, 7:48 a.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0	3221225781
LdrGetDllHandle Oct. 6, 2023, 7:48 a.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0	3221225781
LdrGetDllHandle Oct. 6, 2023, 7:48 a.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0	3221225781
LdrGetDllHandle Oct. 6, 2023, 7:48 a.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0	3221225781
LdrGetDllHandle Oct. 6, 2023, 7:48 a.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0	3221225781

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Potential code injection by writing to the memory of another process (25 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 6, 2023, 7:47 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ñ ÿmYÿmYÿmYFnXÿmYFhXÿmYFiXÿmY1YÿmY1hX³ÿmY1iXÿmY1nXÿmYFlXÿmYÿlYÅÿmYdXÿmYYÿmYoXÿmYRichÿmYPEL¿Æeà$¬AÀ@@Ì(Pà`ä0p@À.textB«¬ `.rdata¤aÀb°@@.dataØ0 @À.rsrcàP@@.relocä`@B base_address: 0x00400000 process_identifier: 2384 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:47 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ ÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þxÚA@6B@6B@6B@6B@6BH6BøÜAxÞA¸ÔA5B`0BC6B¸BB¸BB¸BB¸BB¸BB¸BB¸BB¸BB¸BB6B¼BB¼BB¼BB¼BB¼BB¼BB¼BB..þÿÿÿ þÿÿÿuÿÿÿÿlB.?AVbad_exception@std@@lB.?AVexception@std@@lB.?AVtype_info@@ base_address: 0x00423000 process_identifier: 2384 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:47 a.m.	buffer: 0 H`P}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00425000 process_identifier: 2384 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:47 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2384 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELêMà0È¬æ @ à@8æSN©À H.textÆ È `.rsrcN©ªÊ@@.relocÀt@B base_address: 0x00400000 process_identifier: 2092 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: à6 base_address: 0x0043c000 process_identifier: 2092 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2092 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELêMà0È¬æ @ à@8æSN©À H.textÆ È `.rsrcN©ªÊ@@.relocÀt@B base_address: 0x00400000 process_identifier: 3504 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: à6 base_address: 0x0043c000 process_identifier: 3504 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3504 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: MZÿÿ@@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL²dàHvD2@õ.textytv à base_address: 0x00400000 process_identifier: 3772 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3772 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: MZÿÿ@@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL²dàHvD2@õ.textytv à base_address: 0x00400000 process_identifier: 2544 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2544 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ñ ÿmYÿmYÿmYFnXÿmYFhXÿmYFiXÿmY1YÿmY1hX³ÿmY1iXÿmY1nXÿmYFlXÿmYÿlYÅÿmYdXÿmYYÿmYoXÿmYRichÿmYPEL¿Æeà$¬AÀ@@Ì(Pà`ä0p@À.textB«¬ `.rdata¤aÀb°@@.dataØ0 @À.rsrcàP@@.relocä`@B base_address: 0x00400000 process_identifier: 4108 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ ÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þxÚA@6B@6B@6B@6B@6BH6BøÜAxÞA¸ÔA5B`0BC6B¸BB¸BB¸BB¸BB¸BB¸BB¸BB¸BB¸BB6B¼BB¼BB¼BB¼BB¼BB¼BB¼BB..þÿÿÿ þÿÿÿuÿÿÿÿlB.?AVbad_exception@std@@lB.?AVexception@std@@lB.?AVtype_info@@ base_address: 0x00423000 process_identifier: 4108 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: 0 H`P}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00425000 process_identifier: 4108 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 4108 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ñ ÿmYÿmYÿmYFnXÿmYFhXÿmYFiXÿmY1YÿmY1hX³ÿmY1iXÿmY1nXÿmYFlXÿmYÿlYÅÿmYdXÿmYYÿmYoXÿmYRichÿmYPEL¿Æeà$¬AÀ@@Ì(Pà`ä0p@À.textB«¬ `.rdata¤aÀb°@@.dataØ0 @À.rsrcàP@@.relocä`@B base_address: 0x00400000 process_identifier: 4348 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ ÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þxÚA@6B@6B@6B@6B@6BH6BøÜAxÞA¸ÔA5B`0BC6B¸BB¸BB¸BB¸BB¸BB¸BB¸BB¸BB¸BB6B¼BB¼BB¼BB¼BB¼BB¼BB¼BB..þÿÿÿ þÿÿÿuÿÿÿÿlB.?AVbad_exception@std@@lB.?AVexception@std@@lB.?AVtype_info@@ base_address: 0x00423000 process_identifier: 4348 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: 0 H`P}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00425000 process_identifier: 4348 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 4348 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:49 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELêMà0È¬æ @ à@8æSN©À H.textÆ È `.rsrcN©ªÊ@@.relocÀt@B base_address: 0x00400000 process_identifier: 4540 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:49 a.m.	buffer: à6 base_address: 0x0043c000 process_identifier: 4540 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:49 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 4540 process_handle: 0x00000128	1	1

Code injection by writing an executable or DLL to the memory of another process (8 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 6, 2023, 7:47 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ñ ÿmYÿmYÿmYFnXÿmYFhXÿmYFiXÿmY1YÿmY1hX³ÿmY1iXÿmY1nXÿmYFlXÿmYÿlYÅÿmYdXÿmYYÿmYoXÿmYRichÿmYPEL¿Æeà$¬AÀ@@Ì(Pà`ä0p@À.textB«¬ `.rdata¤aÀb°@@.dataØ0 @À.rsrcàP@@.relocä`@B base_address: 0x00400000 process_identifier: 2384 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELêMà0È¬æ @ à@8æSN©À H.textÆ È `.rsrcN©ªÊ@@.relocÀt@B base_address: 0x00400000 process_identifier: 2092 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELêMà0È¬æ @ à@8æSN©À H.textÆ È `.rsrcN©ªÊ@@.relocÀt@B base_address: 0x00400000 process_identifier: 3504 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: MZÿÿ@@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL²dàHvD2@õ.textytv à base_address: 0x00400000 process_identifier: 3772 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: MZÿÿ@@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL²dàHvD2@õ.textytv à base_address: 0x00400000 process_identifier: 2544 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ñ ÿmYÿmYÿmYFnXÿmYFhXÿmYFiXÿmY1YÿmY1hX³ÿmY1iXÿmY1nXÿmYFlXÿmYÿlYÅÿmYdXÿmYYÿmYoXÿmYRichÿmYPEL¿Æeà$¬AÀ@@Ì(Pà`ä0p@À.textB«¬ `.rdata¤aÀb°@@.dataØ0 @À.rsrcàP@@.relocä`@B base_address: 0x00400000 process_identifier: 4108 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:48 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ñ ÿmYÿmYÿmYFnXÿmYFhXÿmYFiXÿmY1YÿmY1hX³ÿmY1iXÿmY1nXÿmYFlXÿmYÿlYÅÿmYdXÿmYYÿmYoXÿmYRichÿmYPEL¿Æeà$¬AÀ@@Ì(Pà`ä0p@À.textB«¬ `.rdata¤aÀb°@@.dataØ0 @À.rsrcàP@@.relocä`@B base_address: 0x00400000 process_identifier: 4348 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:49 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELêMà0È¬æ @ à@8æSN©À H.textÆ È `.rsrcN©ªÊ@@.relocÀt@B base_address: 0x00400000 process_identifier: 4540 process_handle: 0x00000128	1	1

Collects information about installed applications (50 out of 228 events)

Time & API	Arguments	Status
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:47 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:48 a.m.	key_handle: 0x000005f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:48 a.m.	key_handle: 0x000005f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:48 a.m.	key_handle: 0x000005f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:48 a.m.	key_handle: 0x000005f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:48 a.m.	key_handle: 0x000005f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:48 a.m.	key_handle: 0x000005f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:48 a.m.	key_handle: 0x000005f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:48 a.m.	key_handle: 0x000005f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:48 a.m.	key_handle: 0x000005f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:48 a.m.	key_handle: 0x000005f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:48 a.m.	key_handle: 0x000005f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Oct. 6, 2023, 7:48 a.m.	key_handle: 0x000005f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1

Harvests credentials from local email clients (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (3 events)

process	AppLaunch.exe	useragent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
process	explothe.exe	useragent
process	iexplore.exe	useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (16 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2336 called NtSetContextThread to modify thread in remote process 2384
Process injection	Process 3068 called NtSetContextThread to modify thread in remote process 2092
Process injection	Process 3096 called NtSetContextThread to modify thread in remote process 3504
Process injection	Process 2944 called NtSetContextThread to modify thread in remote process 3772
Process injection	Process 3480 called NtSetContextThread to modify thread in remote process 2544
Process injection	Process 2480 called NtSetContextThread to modify thread in remote process 4108
Process injection	Process 4148 called NtSetContextThread to modify thread in remote process 4348
Process injection	Process 4480 called NtSetContextThread to modify thread in remote process 4540
NtSetContextThread Oct. 6, 2023, 7:47 a.m.	registers.eip: 2005598660 registers.esp: 1767696 registers.edi: 0 registers.eax: 4198977 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000124 process_identifier: 2384	1	0	0
NtSetContextThread Oct. 6, 2023, 7:48 a.m.	registers.eip: 2005598660 registers.esp: 3407380 registers.edi: 0 registers.eax: 4384398 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000124 process_identifier: 2092	1	0	0
NtSetContextThread Oct. 6, 2023, 7:48 a.m.	registers.eip: 2005598660 registers.esp: 2882392 registers.edi: 0 registers.eax: 4384398 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000124 process_identifier: 3504	1	0	0
NtSetContextThread Oct. 6, 2023, 7:48 a.m.	registers.eip: 2005598660 registers.esp: 4062080 registers.edi: 0 registers.eax: 4207172 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000124 process_identifier: 3772	1	0	0
NtSetContextThread Oct. 6, 2023, 7:48 a.m.	registers.eip: 2005598660 registers.esp: 3275320 registers.edi: 0 registers.eax: 4207172 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000124 process_identifier: 2544	1	0	0
NtSetContextThread Oct. 6, 2023, 7:48 a.m.	registers.eip: 2005598660 registers.esp: 1703620 registers.edi: 0 registers.eax: 4198977 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000124 process_identifier: 4108	1	0	0
NtSetContextThread Oct. 6, 2023, 7:48 a.m.	registers.eip: 2005598660 registers.esp: 3668852 registers.edi: 0 registers.eax: 4198977 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000124 process_identifier: 4348	1	0	0
NtSetContextThread Oct. 6, 2023, 7:49 a.m.	registers.eip: 2005598660 registers.esp: 3602964 registers.edi: 0 registers.eax: 4384398 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000124 process_identifier: 4540	1	0	0

One or more non-whitelisted processes were created (10 events)

parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef26c6e00,0x7fef26c6e10,0x7fef26c6e20
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef25c6e00,0x7fef25c6e10,0x7fef25c6e20
parent_process	powershell.exe	martian_process	iexplore https://accounts.google.com/
parent_process	powershell.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com/
parent_process	powershell.exe	martian_process	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://accounts.google.com/
parent_process	powershell.exe	martian_process	Chrome https://accounts.google.com/
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef25c6e00,0x7fef25c6e10,0x7fef25c6e20
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x134,0x138,0x13c,0x108,0x140,0x7fef25c6e00,0x7fef25c6e10,0x7fef25c6e20
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1044,5928558130391121555,9682862809381390200,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1068 /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef26c6e00,0x7fef26c6e10,0x7fef26c6e20

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (26 events)

Time & API	Arguments	Status	Return
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 6, 2023, 7:48 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1

Resumed a suspended thread in a remote process potentially indicative of process injection (36 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2336 resumed a thread in remote process 2384
Process injection	Process 3068 resumed a thread in remote process 2092
Process injection	Process 2456 resumed a thread in remote process 536
Process injection	Process 2456 resumed a thread in remote process 4924
Process injection	Process 3096 resumed a thread in remote process 3504
Process injection	Process 3556 resumed a thread in remote process 4008
Process injection	Process 2944 resumed a thread in remote process 3772
Process injection	Process 3480 resumed a thread in remote process 2544
Process injection	Process 2480 resumed a thread in remote process 4108
Process injection	Process 4148 resumed a thread in remote process 4348
Process injection	Process 5108 resumed a thread in remote process 5056
Process injection	Process 4480 resumed a thread in remote process 4540
NtResumeThread Oct. 6, 2023, 7:47 a.m.	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 2384	1	0	0
NtResumeThread Oct. 6, 2023, 7:48 a.m.	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 2092	1	0	0
NtResumeThread Oct. 6, 2023, 7:48 a.m.	thread_handle: 0x00000390 suspend_count: 1 process_identifier: 536	1	0	0
NtResumeThread Oct. 6, 2023, 7:49 a.m.	thread_handle: 0x0000074c suspend_count: 1 process_identifier: 4924	1	0	0
NtResumeThread Oct. 6, 2023, 7:48 a.m.	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 3504	1	0	0
NtResumeThread Oct. 6, 2023, 7:48 a.m.	thread_handle: 0x0000036c suspend_count: 1 process_identifier: 4008	1	0	0
NtResumeThread Oct. 6, 2023, 7:48 a.m.	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 3772	1	0	0
NtResumeThread Oct. 6, 2023, 7:48 a.m.	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 2544	1	0	0
NtResumeThread Oct. 6, 2023, 7:48 a.m.	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 4108	1	0	0
NtResumeThread Oct. 6, 2023, 7:48 a.m.	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 4348	1	0	0
NtResumeThread Oct. 6, 2023, 7:49 a.m.	thread_handle: 0x0000000000000190 suspend_count: 2 process_identifier: 5056	1	0	0
NtResumeThread Oct. 6, 2023, 7:49 a.m.	thread_handle: 0x0000000000000190 suspend_count: 2 process_identifier: 5056	1	0	0
NtResumeThread Oct. 6, 2023, 7:49 a.m.	thread_handle: 0x0000000000000190 suspend_count: 2 process_identifier: 5056	1	0	0
NtResumeThread Oct. 6, 2023, 7:49 a.m.	thread_handle: 0x0000000000000190 suspend_count: 2 process_identifier: 5056	1	0	0
NtResumeThread Oct. 6, 2023, 7:49 a.m.	thread_handle: 0x0000000000000190 suspend_count: 2 process_identifier: 5056	1	0	0
NtResumeThread Oct. 6, 2023, 7:49 a.m.	thread_handle: 0x0000000000000190 suspend_count: 2 process_identifier: 5056	1	0	0
NtResumeThread Oct. 6, 2023, 7:49 a.m.	thread_handle: 0x0000000000000190 suspend_count: 2 process_identifier: 5056	1	0	0
NtResumeThread Oct. 6, 2023, 7:49 a.m.	thread_handle: 0x0000000000000190 suspend_count: 2 process_identifier: 5056	1	0	0
NtResumeThread Oct. 6, 2023, 7:49 a.m.	thread_handle: 0x0000000000000190 suspend_count: 2 process_identifier: 5056	1	0	0
NtResumeThread Oct. 6, 2023, 7:49 a.m.	thread_handle: 0x0000000000000190 suspend_count: 2 process_identifier: 5056	1	0	0
NtResumeThread Oct. 6, 2023, 7:49 a.m.	thread_handle: 0x0000000000000190 suspend_count: 2 process_identifier: 5056	1	0	0
NtResumeThread Oct. 6, 2023, 7:49 a.m.	thread_handle: 0x0000000000000190 suspend_count: 2 process_identifier: 5056	1	0	0
NtResumeThread Oct. 6, 2023, 7:49 a.m.	thread_handle: 0x0000000000000190 suspend_count: 2 process_identifier: 5056	1	0	0
NtResumeThread Oct. 6, 2023, 7:49 a.m.	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 4540	1	0	0

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	CACLS "..\fefffe8cea" /P "test22:N"
cmdline	CACLS "..\fefffe8cea" /P "test22:R" /E
cmdline	cmd /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit
cmdline	CACLS "explothe.exe" /P "test22:N"
cmdline	CACLS "explothe.exe" /P "test22:R" /E
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit

Disables Windows Security features (6 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

Executed a process and injected code into it, probably while unpacking (50 out of 351 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 6, 2023, 7:47 a.m.	thread_identifier: 2116 thread_handle: 0x0000001c process_identifier: 2112 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\LN8mW9ty.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 2432 thread_handle: 0x00000128 process_identifier: 2428 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6RG67Gn.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Oct. 6, 2023, 7:47 a.m.	thread_identifier: 2160 thread_handle: 0x0000001c process_identifier: 2156 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\xi2IL2aC.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 2040 thread_handle: 0x00000128 process_identifier: 2200 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\5Kh12Tz.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Oct. 6, 2023, 7:47 a.m.	thread_identifier: 2244 thread_handle: 0x0000001c process_identifier: 2240 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP002.TMP\mI5WY8ei.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 724 thread_handle: 0x00000128 process_identifier: 3068 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP002.TMP\4uV842oz.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Oct. 6, 2023, 7:47 a.m.	thread_identifier: 2296 thread_handle: 0x0000001c process_identifier: 2292 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP003.TMP\AY2yg0ZK.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 3028 thread_handle: 0x00000128 process_identifier: 3024 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP003.TMP\3zc6jy08.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Oct. 6, 2023, 7:47 a.m.	thread_identifier: 2340 thread_handle: 0x0000001c process_identifier: 2336 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP004.TMP\1af13hO1.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW Oct. 6, 2023, 7:47 a.m.	thread_identifier: 2448 thread_handle: 0x00000128 process_identifier: 2444 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP004.TMP\2UP350IV.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Oct. 6, 2023, 7:47 a.m.	thread_identifier: 2388 thread_handle: 0x00000124 process_identifier: 2384 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000128	1	1
NtGetContextThread Oct. 6, 2023, 7:47 a.m.	thread_handle: 0x00000124	1	0
NtAllocateVirtualMemory Oct. 6, 2023, 7:47 a.m.	process_identifier: 2384 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000128	1	0
WriteProcessMemory Oct. 6, 2023, 7:47 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ñ ÿmYÿmYÿmYFnXÿmYFhXÿmYFiXÿmY1YÿmY1hX³ÿmY1iXÿmY1nXÿmYFlXÿmYÿlYÅÿmYdXÿmYYÿmYoXÿmYRichÿmYPEL¿Æeà$¬AÀ@@Ì(Pà`ä0p@À.textB«¬ `.rdata¤aÀb°@@.dataØ0 @À.rsrcàP@@.relocä`@B base_address: 0x00400000 process_identifier: 2384 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:47 a.m.	buffer: base_address: 0x00401000 process_identifier: 2384 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:47 a.m.	buffer: base_address: 0x0041c000 process_identifier: 2384 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:47 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ ÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þxÚA@6B@6B@6B@6B@6BH6BøÜAxÞA¸ÔA5B`0BC6B¸BB¸BB¸BB¸BB¸BB¸BB¸BB¸BB¸BB6B¼BB¼BB¼BB¼BB¼BB¼BB¼BB..þÿÿÿ þÿÿÿuÿÿÿÿlB.?AVbad_exception@std@@lB.?AVexception@std@@lB.?AVtype_info@@ base_address: 0x00423000 process_identifier: 2384 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:47 a.m.	buffer: 0 H`P}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00425000 process_identifier: 2384 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:47 a.m.	buffer: base_address: 0x00426000 process_identifier: 2384 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 6, 2023, 7:47 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2384 process_handle: 0x00000128	1	1
NtSetContextThread Oct. 6, 2023, 7:47 a.m.	registers.eip: 2005598660 registers.esp: 1767696 registers.edi: 0 registers.eax: 4198977 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000124 process_identifier: 2384	1	0
NtResumeThread Oct. 6, 2023, 7:47 a.m.	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 2384	1	0
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 2676 thread_handle: 0x0000030c process_identifier: 2720 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\GiE6UzXAHqzzY1B.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\GiE6UzXAHqzzY1B.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000310	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 2544 thread_handle: 0x00000318 process_identifier: 2052 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\GiE6UzXAHqzzY1B.exe" /tn "\WindowsAppPool\GiE6UzXAHqzzY1B" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000314	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 3100 thread_handle: 0x00000320 process_identifier: 3096 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\J9gHKT9nvgbi3o1.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\J9gHKT9nvgbi3o1.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000031c	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 3164 thread_handle: 0x00000328 process_identifier: 3160 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\J9gHKT9nvgbi3o1.exe" /tn "\WindowsAppPool\J9gHKT9nvgbi3o1" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000324	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 3276 thread_handle: 0x00000330 process_identifier: 3272 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\NvoO7emaO6N0CgX.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\NvoO7emaO6N0CgX.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000032c	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 3368 thread_handle: 0x00000338 process_identifier: 3364 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\NvoO7emaO6N0CgX.exe" /tn "\WindowsAppPool\NvoO7emaO6N0CgX" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000334	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 3448 thread_handle: 0x00000340 process_identifier: 3444 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\QR1quzyXCWpIaCo.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\QR1quzyXCWpIaCo.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000033c	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 3608 thread_handle: 0x00000348 process_identifier: 3604 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\QR1quzyXCWpIaCo.exe" /tn "\WindowsAppPool\QR1quzyXCWpIaCo" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000344	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 3740 thread_handle: 0x00000350 process_identifier: 3736 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\TID1kUKJVi1qfvO.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\TID1kUKJVi1qfvO.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000034c	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 3936 thread_handle: 0x00000358 process_identifier: 3932 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\TID1kUKJVi1qfvO.exe" /tn "\WindowsAppPool\TID1kUKJVi1qfvO" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000354	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 2652 thread_handle: 0x00000360 process_identifier: 2944 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\W4LCHeXwJ8D8ORK.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\W4LCHeXwJ8D8ORK.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000035c	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 3348 thread_handle: 0x00000368 process_identifier: 3356 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\W4LCHeXwJ8D8ORK.exe" /tn "\WindowsAppPool\W4LCHeXwJ8D8ORK" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000364	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 3544 thread_handle: 0x00000370 process_identifier: 3520 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\0rnK339j3YfQnJa.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\0rnK339j3YfQnJa.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000036c	1	1
CreateProcessInternalW Oct. 6, 2023, 7:48 a.m.	thread_identifier: 3900 thread_handle: 0x00000378 process_identifier: 3856 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\0rnK339j3YfQnJa.exe" /tn "\WindowsAppPool\0rnK339j3YfQnJa" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000374	1	1
NtResumeThread Oct. 6, 2023, 7:47 a.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread Oct. 6, 2023, 7:47 a.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread Oct. 6, 2023, 7:47 a.m.	thread_handle: 0x00000244 suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread Oct. 6, 2023, 7:47 a.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 2444	1	0
NtGetContextThread Oct. 6, 2023, 7:47 a.m.	thread_handle: 0x00000194	1	0
NtGetContextThread Oct. 6, 2023, 7:47 a.m.	thread_handle: 0x00000194	1	0
NtResumeThread Oct. 6, 2023, 7:47 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread Oct. 6, 2023, 7:47 a.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread Oct. 6, 2023, 7:47 a.m.	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread Oct. 6, 2023, 7:47 a.m.	thread_handle: 0x00000428 suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread Oct. 6, 2023, 7:47 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread Oct. 6, 2023, 7:47 a.m.	thread_handle: 0x0000045c suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread Oct. 6, 2023, 7:47 a.m.	thread_handle: 0x00000474 suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread Oct. 6, 2023, 7:47 a.m.	thread_handle: 0x00000488 suspend_count: 1 process_identifier: 2444	1	0

The process powershell.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\Program Files (x86)\Internet Explorer\iexplore.exe
file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

foto3553.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All