Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 24, 2023, 7:41 a.m.	Oct. 24, 2023, 7:46 a.m.

Size	1.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5e967436bbe28a1b2b6d4016ae7b5024`
SHA256	`e116b0b281886d36feae370bbc2d68df95a5bf310165aea04856071549368097`
CRC32	`1B965FE0`
ssdeep	`24576:Ey67BUsP0XjwxvMK0C3jmps9WpTupsNS4bSZGU/DIAK8wd0Zl1UnsaJIYlgZOi:To2k0I5KfKZPZh8UbYC/`
PDB Path	wextract.pdb
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) CAB_file_format - CAB archive file Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet

foto2552.exe "C:\Users\test22\AppData\Local\Temp\foto2552.exe"
2564
- nE9jV7Eq.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\nE9jV7Eq.exe
  2616
  - Kf6rx9FU.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\Kf6rx9FU.exe
    2684
    - Hb5kl7yL.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\Hb5kl7yL.exe
      2748
      - vk3Ra4EA.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\vk3Ra4EA.exe
        2792
        
        1xY48zQ2.exe C:\Users\test22\AppData\Local\Temp\IXP004.TMP\1xY48zQ2.exe
        2836
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2892
        
        2Fu909uk.exe C:\Users\test22\AppData\Local\Temp\IXP004.TMP\2Fu909uk.exe
        2952
      - 3OE9Sl07.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\3OE9Sl07.exe
        2260
    - 4fy651MS.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\4fy651MS.exe
      2464
      - AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2592
  - 5kK61Wm.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\5kK61Wm.exe
    2780
    - explothe.exe "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe"
      2856
      - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        204
      - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit
        1512
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        1356
        
        cacls.exe CACLS "explothe.exe" /P "test22:N"
        2404
        
        cacls.exe CACLS "explothe.exe" /P "test22:R" /E
        1668
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2056
        
        cacls.exe CACLS "..\fefffe8cea" /P "test22:N"
        2252
        
        cacls.exe CACLS "..\fefffe8cea" /P "test22:R" /E
        2472
      - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        1536
- 6PI22HQ.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6PI22HQ.exe
  2940
  - cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\491A.tmp\492A.tmp\492B.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6PI22HQ.exe"
    3068
    - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
      2580
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2580 CREDAT:145409
        2644
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2580 CREDAT:79875
        2368

Name	Response	Post-Analysis Lookup
accounts.google.com	A 142.251.220.45	142.250.206.205
fonts.gstatic.com	A 142.250.66.67	142.250.207.99
ssl.gstatic.com	A 172.217.24.227	142.250.206.227
www.google.com	A 172.217.27.36	142.250.76.132
fonts.googleapis.com	A 172.217.31.10	172.217.161.234
www.youtube.com	A 142.251.222.206 A 142.250.66.46 A 142.251.220.78 A 216.58.203.78 A 142.251.220.110 A 142.250.66.142 A 216.58.200.238 A 142.251.130.14 A 142.251.220.14 A 142.251.220.46 A 142.250.207.78 A 172.217.24.110 A 172.217.24.78 A 142.250.66.110 CNAME youtube-ui.l.google.com A 142.250.204.142 A 142.250.66.78	142.251.222.14
www.facebook.com	A 157.240.215.35 CNAME star-mini.c10r.facebook.com	157.240.31.35

IP Address	Status	Action
117.18.232.200	Active	Moloch
142.250.66.67	Active	Moloch
142.251.220.45	Active	Moloch
142.251.220.78	Active	Moloch
157.240.215.35	Active	Moloch
164.124.101.2	Active	Moloch
172.217.24.227	Active	Moloch
172.217.27.36	Active	Moloch
172.217.31.10	Active	Moloch
193.233.255.73	Active	Moloch
77.91.124.1	Active	Moloch
77.91.124.86	Active	Moloch
51.68.143.81	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49171 -> 77.91.124.86:19084	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.86:19084	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 77.91.124.86:19084 -> 192.168.56.101:49171	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49170 -> 193.233.255.73:80	2047625	ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49170 -> 193.233.255.73:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49192 -> 77.91.124.1:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49192 -> 77.91.124.1:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49197 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49196 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49202 -> 172.217.31.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49212 -> 142.251.220.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49213 -> 142.250.66.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49199 -> 142.251.220.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49200 -> 142.251.220.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49211 -> 142.251.220.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49220 -> 142.251.220.45:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49215 -> 142.250.66.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49222 -> 142.251.220.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49219 -> 142.251.220.45:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49225 -> 172.217.27.36:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49226 -> 172.217.27.36:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49174 -> 193.233.255.73:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.101:49210 -> 142.251.220.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49214 -> 142.250.66.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49223 -> 172.217.24.227:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49228 -> 77.91.124.1:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49228 -> 77.91.124.1:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 77.91.124.1:80 -> 192.168.56.101:49228	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.124.1:80 -> 192.168.56.101:49228	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.124.1:80 -> 192.168.56.101:49228	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.101:49208 -> 172.217.31.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49224 -> 172.217.24.227:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49197 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	5a:be:42:29:56:06:ae:17:e2:b1:7f:0c:c6:30:b2:0d:71:3e:b5:d5
TLSv1 192.168.56.101:49196 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	5a:be:42:29:56:06:ae:17:e2:b1:7f:0c:c6:30:b2:0d:71:3e:b5:d5
TLSv1 192.168.56.101:49202 172.217.31.10:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=upload.video.google.com	28:23:2b:8b:2d:09:6c:bb:06:7a:35:80:95:bb:f8:03:41:c8:99:2c
TLSv1 192.168.56.101:49213 142.250.66.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	55:7f:79:64:ed:7a:04:50:63:54:9c:32:2a:af:b7:95:17:d7:e0:33
TLSv1 192.168.56.101:49212 142.251.220.78:443	None	None	None
TLSv1 192.168.56.101:49199 142.251.220.78:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	c9:4d:78:ad:ec:04:27:ee:f0:06:4c:c8:78:d8:9f:06:b5:cc:39:37
TLSv1 192.168.56.101:49200 142.251.220.78:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	c9:4d:78:ad:ec:04:27:ee:f0:06:4c:c8:78:d8:9f:06:b5:cc:39:37
TLSv1 192.168.56.101:49220 142.251.220.45:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	c3:ef:cc:c7:6c:fd:21:e8:b0:08:50:37:0f:ac:b1:dd:ab:1d:1e:ff
TLSv1 192.168.56.101:49215 142.250.66.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	55:7f:79:64:ed:7a:04:50:63:54:9c:32:2a:af:b7:95:17:d7:e0:33
TLSv1 192.168.56.101:49222 142.251.220.78:443	None	None	None
TLSv1 192.168.56.101:49219 142.251.220.45:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	c3:ef:cc:c7:6c:fd:21:e8:b0:08:50:37:0f:ac:b1:dd:ab:1d:1e:ff
TLSv1 192.168.56.101:49211 142.251.220.78:443	None	None	None
TLSv1 192.168.56.101:49225 172.217.27.36:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	3d:4a:6b:fd:30:97:01:e9:c1:38:5f:67:2b:a6:a3:43:7b:2e:72:45
TLSv1 192.168.56.101:49226 172.217.27.36:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	3d:4a:6b:fd:30:97:01:e9:c1:38:5f:67:2b:a6:a3:43:7b:2e:72:45
TLSv1 192.168.56.101:49214 142.250.66.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	55:7f:79:64:ed:7a:04:50:63:54:9c:32:2a:af:b7:95:17:d7:e0:33
TLSv1 192.168.56.101:49210 142.251.220.78:443	None	None	None
TLSv1 192.168.56.101:49223 172.217.24.227:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	55:7f:79:64:ed:7a:04:50:63:54:9c:32:2a:af:b7:95:17:d7:e0:33
TLSv1 192.168.56.101:49208 172.217.31.10:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=upload.video.google.com	28:23:2b:8b:2d:09:6c:bb:06:7a:35:80:95:bb:f8:03:41:c8:99:2c
TLSv1 192.168.56.101:49224 172.217.24.227:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	55:7f:79:64:ed:7a:04:50:63:54:9c:32:2a:af:b7:95:17:d7:e0:33

Queries for the computername (14 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 24, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 24, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 24, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 24, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 24, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 24, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 24, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 24, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 24, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 24, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 24, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 24, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 24, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 24, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 24, 2023, 7:41 a.m.			0	0
IsDebuggerPresent Oct. 24, 2023, 7:41 a.m.			0	0
IsDebuggerPresent Oct. 24, 2023, 7:42 a.m.			0	0
IsDebuggerPresent Oct. 24, 2023, 7:42 a.m.			0	0
IsDebuggerPresent Oct. 24, 2023, 7:43 a.m.			0	0

Command line console output was observed (50 out of 88 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 24, 2023, 7:42 a.m.	buffer: SUCCESS: The scheduled task "explothe.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 24, 2023, 7:42 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 24, 2023, 7:42 a.m.	buffer: start console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 24, 2023, 7:42 a.m.	buffer: "" https://www.facebook.com/login console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 24, 2023, 7:42 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 24, 2023, 7:42 a.m.	buffer: start console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 24, 2023, 7:42 a.m.	buffer: "" https://www.youtube.com console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 24, 2023, 7:42 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 24, 2023, 7:42 a.m.	buffer: start console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 24, 2023, 7:42 a.m.	buffer: "" https://accounts.google.com console_handle: 0x0000000000000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Oct. 24, 2023, 7:42 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Oct. 24, 2023, 7:42 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Oct. 24, 2023, 7:42 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (17 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 24, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00578478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 24, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00578478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 24, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00578478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 24, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00578478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 24, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005784f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 24, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005784f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 24, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005783f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 24, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005783f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 24, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005783f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 24, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005783f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 24, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005783f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 24, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00578478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 24, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00578478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 24, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00578678 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 24, 2023, 7:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00578f38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 24, 2023, 7:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00578f38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 24, 2023, 7:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00578df8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 24, 2023, 7:41 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more processes crashed (28 events)

Time & API	Arguments	Status
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x8687f5 0x8685c6 0x866cad 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x868930 registers.esp: 4713220 registers.edi: 4713272 registers.eax: 0 registers.ebp: 4713284 registers.edx: 5612112 registers.ebx: 4714492 registers.esi: 44280256 registers.ecx: 0	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x51156ae 0x5115571 0x511548d 0x5113b93 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 8c 3b 08 05 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5115f9c registers.esp: 4711572 registers.edi: 4711820 registers.eax: 0 registers.ebp: 4711832 registers.edx: 84425244 registers.ebx: 4714492 registers.esi: 44875632 registers.ecx: 0	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x51198c8 0x5115ac0 0x5115571 0x511548d 0x5113b93 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x511990b registers.esp: 4711808 registers.edi: 4712092 registers.eax: 0 registers.ebp: 4711816 registers.edx: 0 registers.ebx: 4714492 registers.esi: 44875632 registers.ecx: 46125244	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x51156ae 0x5115571 0x51154a5 0x5113b93 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 8c 3b 08 05 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5115f9c registers.esp: 4711572 registers.edi: 4711820 registers.eax: 0 registers.ebp: 4711832 registers.edx: 84425244 registers.ebx: 4714492 registers.esi: 44875632 registers.ecx: 0	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x51198c8 0x5115ac0 0x5115571 0x51154a5 0x5113b93 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x511990b registers.esp: 4711808 registers.edi: 4712092 registers.eax: 0 registers.ebp: 4711816 registers.edx: 0 registers.ebx: 4714492 registers.esi: 44875632 registers.ecx: 47557116	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x51156ae 0x5115571 0x51154a5 0x5113b93 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 8c 3b 08 05 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5115f9c registers.esp: 4711572 registers.edi: 4711820 registers.eax: 0 registers.ebp: 4711832 registers.edx: 84425244 registers.ebx: 4714492 registers.esi: 44875632 registers.ecx: 0	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x51198c8 0x5115ac0 0x5115571 0x51154a5 0x5113b93 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x511990b registers.esp: 4711808 registers.edi: 4712092 registers.eax: 0 registers.ebp: 4711816 registers.edx: 0 registers.ebx: 4714492 registers.esi: 44875632 registers.ecx: 45160572	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x5119cfd 0x5119bd0 0x511548d 0x511430a 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 8c 3b 08 05 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5115f9c registers.esp: 4711532 registers.edi: 4711780 registers.eax: 0 registers.ebp: 4711792 registers.edx: 84425244 registers.ebx: 4714492 registers.esi: 43925720 registers.ecx: 0	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x51198c8 0x511a17e 0x5119bd0 0x511548d 0x511430a 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x511990b registers.esp: 4711768 registers.edi: 4712108 registers.eax: 0 registers.ebp: 4711776 registers.edx: 0 registers.ebx: 4714492 registers.esi: 43925720 registers.ecx: 46733216	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x5119cfd 0x5119bd0 0x51154a5 0x511430a 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 8c 3b 08 05 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5115f9c registers.esp: 4711532 registers.edi: 4711780 registers.eax: 0 registers.ebp: 4711792 registers.edx: 84425244 registers.ebx: 4714492 registers.esi: 43925720 registers.ecx: 0	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x51198c8 0x511a17e 0x5119bd0 0x51154a5 0x511430a 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x511990b registers.esp: 4711768 registers.edi: 4712108 registers.eax: 0 registers.ebp: 4711776 registers.edx: 0 registers.ebx: 4714492 registers.esi: 43925720 registers.ecx: 48112556	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x5119cfd 0x5119bd0 0x51154a5 0x511430a 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 8c 3b 08 05 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5115f9c registers.esp: 4711532 registers.edi: 4711780 registers.eax: 0 registers.ebp: 4711792 registers.edx: 84425244 registers.ebx: 4714492 registers.esi: 43925720 registers.ecx: 0	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x51198c8 0x511a17e 0x5119bd0 0x51154a5 0x511430a 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x511990b registers.esp: 4711768 registers.edi: 4712108 registers.eax: 0 registers.ebp: 4711776 registers.edx: 0 registers.ebx: 4714492 registers.esi: 43925720 registers.ecx: 49463856	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x511a44c 0x511a300 0x511548d 0x511440c 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 8c 3b 08 05 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5115f9c registers.esp: 4711596 registers.edi: 4711844 registers.eax: 0 registers.ebp: 4711856 registers.edx: 84425244 registers.ebx: 4714492 registers.esi: 43925720 registers.ecx: 0	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x51198c8 0x511a722 0x511a300 0x511548d 0x511440c 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x511990b registers.esp: 4711832 registers.edi: 4712108 registers.eax: 0 registers.ebp: 4711840 registers.edx: 0 registers.ebx: 4714492 registers.esi: 43925720 registers.ecx: 44554244	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x511a44c 0x511a300 0x51154a5 0x511440c 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 8c 3b 08 05 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5115f9c registers.esp: 4711596 registers.edi: 4711844 registers.eax: 0 registers.ebp: 4711856 registers.edx: 84425244 registers.ebx: 4714492 registers.esi: 43914464 registers.ecx: 0	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x51198c8 0x511a722 0x511a300 0x51154a5 0x511440c 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x511990b registers.esp: 4711832 registers.edi: 4712108 registers.eax: 0 registers.ebp: 4711840 registers.edx: 0 registers.ebx: 4714492 registers.esi: 43914464 registers.ecx: 46048900	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x511a44c 0x511a300 0x51154a5 0x511440c 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 8c 3b 08 05 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5115f9c registers.esp: 4711596 registers.edi: 4711844 registers.eax: 0 registers.ebp: 4711856 registers.edx: 84425244 registers.ebx: 4714492 registers.esi: 43914464 registers.ecx: 0	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x51198c8 0x511a722 0x511a300 0x51154a5 0x511440c 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x511990b registers.esp: 4711832 registers.edi: 4712108 registers.eax: 0 registers.ebp: 4711840 registers.edx: 0 registers.ebx: 4714492 registers.esi: 43914464 registers.ecx: 47543556	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x511aa95 0x511a970 0x511548d 0x51144f9 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 8c 3b 08 05 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5115f9c registers.esp: 4711616 registers.edi: 4711864 registers.eax: 0 registers.ebp: 4711876 registers.edx: 84425244 registers.ebx: 4714492 registers.esi: 43914464 registers.ecx: 0	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x51198c8 0x511ad4a 0x511a970 0x511548d 0x51144f9 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x511990b registers.esp: 4711852 registers.edi: 4712108 registers.eax: 0 registers.ebp: 4711860 registers.edx: 0 registers.ebx: 4714492 registers.esi: 43914464 registers.ecx: 44967524	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x511aa95 0x511a970 0x51154a5 0x51144f9 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 8c 3b 08 05 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5115f9c registers.esp: 4711616 registers.edi: 4711864 registers.eax: 0 registers.ebp: 4711876 registers.edx: 84425244 registers.ebx: 4714492 registers.esi: 43914464 registers.ecx: 0	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x51198c8 0x511ad4a 0x511a970 0x51154a5 0x51144f9 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x511990b registers.esp: 4711852 registers.edi: 4712108 registers.eax: 0 registers.ebp: 4711860 registers.edx: 0 registers.ebx: 4714492 registers.esi: 43914464 registers.ecx: 46464560	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x511aa95 0x511a970 0x51154a5 0x51144f9 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 8c 3b 08 05 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5115f9c registers.esp: 4711616 registers.edi: 4711864 registers.eax: 0 registers.ebp: 4711876 registers.edx: 84425244 registers.ebx: 4714492 registers.esi: 43914464 registers.ecx: 0	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x51198c8 0x511ad4a 0x511a970 0x51154a5 0x51144f9 0x5112e56 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x511990b registers.esp: 4711852 registers.edi: 4712108 registers.eax: 0 registers.ebp: 4711860 registers.edx: 0 registers.ebx: 4714492 registers.esi: 43914464 registers.ecx: 47961596	1
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x51198c8 0x511bd1f 0x511b4f1 0x5112e84 0x86c7af 0x866d75 0x866886 0x8634ab 0x862f10 0x862ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72592652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x725a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x725a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x726574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72657610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x726e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x726e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x726e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x726e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72c6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72df7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72df4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x511990b registers.esp: 4712736 registers.edi: 4713016 registers.eax: 0 registers.ebp: 4712744 registers.edx: 0 registers.ebx: 4714492 registers.esi: 48501436 registers.ecx: 48508520	1
__exception__ Oct. 24, 2023, 7:43 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 115602272 registers.edi: 97166036 registers.eax: 115602272 registers.ebp: 115602352 registers.edx: 1 registers.ebx: 115602636 registers.esi: 2147746133 registers.ecx: 97174776	1
__exception__ Oct. 24, 2023, 7:43 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x7617ea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x7617ba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75857bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x761a516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x761a50ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x761a530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x761a57a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x70a4540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x70a452ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x70b20ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x76f77e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x76f554f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 79682720 registers.edi: 1953561104 registers.eax: 79682720 registers.ebp: 79682800 registers.edx: 1 registers.ebx: 96745780 registers.esi: 2147746133 registers.ecx: 444363155	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://193.233.255.73/loghub/master
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://77.91.124.1/theme/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.124.1/theme/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.124.1/theme/Plugins/clip64.dll

Performs some HTTP requests (28 events)

request	POST http://193.233.255.73/loghub/master
request	POST http://77.91.124.1/theme/index.php
request	GET http://77.91.124.1/theme/Plugins/cred64.dll
request	GET http://77.91.124.1/theme/Plugins/clip64.dll
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://www.youtube.com/
request	GET https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2F
request	GET https://www.youtube.com/img/desktop/supported_browsers/dinosaur.png
request	GET https://www.youtube.com/img/desktop/supported_browsers/yt_logo_rgb_light.png
request	GET https://fonts.googleapis.com/css?family=YouTube+Sans:500
request	GET https://fonts.googleapis.com/css?family=Roboto:400,500
request	GET https://www.youtube.com/img/desktop/supported_browsers/chrome.png
request	GET https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmEU9fBBc-.woff
request	GET https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxM.woff
request	GET https://accounts.google.com/
request	GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
request	GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyz5YVxzRBWdpyuUtppgdvRy2Tw194Av0LWqrv008iX9c7bZnoHLo250QAw7Iz6oyudGemXR1A
request	GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyxQBLRrENNzDGU7Qlkoss48yKJ12ueLob1lnUSvITk9Wdk0c8W1-KA6F38Oypk5hTx5sGjsKg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S470064247%3A1698101077522125
request	GET https://www.youtube.com/img/desktop/supported_browsers/edgium.png
request	GET https://www.youtube.com/img/desktop/supported_browsers/opera.png
request	GET https://fonts.gstatic.com/s/youtubesans/v19/Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF.woff
request	GET https://www.youtube.com/img/desktop/supported_browsers/firefox.png
request	GET https://www.youtube.com/favicon.ico
request	GET https://accounts.google.com/_/bscframe
request	GET https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
request	GET https://accounts.google.com/favicon.ico
request	GET https://accounts.google.com/generate_204?6-E0fA
request	GET https://www.google.com/favicon.ico

Sends data using the HTTP POST Method (2 events)

request	POST http://193.233.255.73/loghub/master
request	POST http://77.91.124.1/theme/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 781 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72cd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72bd2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7257b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72591000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72592000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x714ea000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00861000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00862000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fcb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73741000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fc9f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f8b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d491000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d46e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d2eb000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00863000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00864000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00865000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

explothe.exe tried to sleep 141 seconds, actually delayed analysis time by 141 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (10 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Oct. 24, 2023, 7:41 a.m.	number_of_free_clusters: 3252663 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 24, 2023, 7:41 a.m.	number_of_free_clusters: 3252663 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 24, 2023, 7:41 a.m.	number_of_free_clusters: 3252255 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 24, 2023, 7:41 a.m.	number_of_free_clusters: 3252255 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 24, 2023, 7:41 a.m.	number_of_free_clusters: 3251850 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 24, 2023, 7:41 a.m.	number_of_free_clusters: 3251850 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 24, 2023, 7:41 a.m.	number_of_free_clusters: 3251152 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 24, 2023, 7:41 a.m.	number_of_free_clusters: 3251152 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 24, 2023, 7:41 a.m.	number_of_free_clusters: 3250936 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 24, 2023, 7:41 a.m.	number_of_free_clusters: 3250936 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2580 crashed
__exception__ Oct. 24, 2023, 7:43 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 115602272 registers.edi: 97166036 registers.eax: 115602272 registers.ebp: 115602352 registers.edx: 1 registers.ebx: 115602636 registers.esi: 2147746133 registers.ecx: 97174776	1	0	0
__exception__ Oct. 24, 2023, 7:43 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x7617ea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x7617ba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75857bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x761a516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x761a50ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x761a530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x761a57a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x70a4540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x70a452ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x70b20ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x76f77e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x76f554f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 79682720 registers.edi: 1953561104 registers.eax: 79682720 registers.ebp: 79682800 registers.edx: 1 registers.ebx: 96745780 registers.esi: 2147746133 registers.ecx: 444363155	1	0	0

Application Crash

Process iexplore.exe with pid 2580 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 24, 2023, 7:43 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 115602272
registers.edi: 97166036
registers.eax: 115602272
registers.ebp: 115602352
registers.edx: 1
registers.ebx: 115602636
registers.esi: 2147746133
registers.ecx: 97174776

__exception__

Oct. 24, 2023, 7:43 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x7617ea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x7617ba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75857bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x761a516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x761a50ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x761a530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x761a57a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x70a4540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x70a452ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x70b20ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x76f77e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x76f554f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 79682720
registers.edi: 1953561104
registers.eax: 79682720
registers.ebp: 79682800
registers.edx: 1
registers.ebx: 96745780
registers.esi: 2147746133
registers.ecx: 444363155

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Creates executable files on the filesystem (13 events)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6PI22HQ.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\4fy651MS.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\cred64.dll
file	C:\Users\test22\AppData\Local\Temp\491A.tmp\492A.tmp\492B.bat
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\vk3Ra4EA.exe
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\2Fu909uk.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\1xY48zQ2.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\nE9jV7Eq.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\Kf6rx9FU.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\Hb5kl7yL.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\3OE9Sl07.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\5kK61Wm.exe

Creates a suspicious process (5 events)

cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\491A.tmp\492A.tmp\492B.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6PI22HQ.exe"
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll

A process created a hidden window (5 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Oct. 24, 2023, 7:42 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe	1	1
ShellExecuteExW Oct. 24, 2023, 7:42 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Oct. 24, 2023, 7:42 a.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW Oct. 24, 2023, 7:43 a.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main filepath: rundll32.exe	1	1
ShellExecuteExW Oct. 24, 2023, 7:42 a.m.	show_type: 0 filepath_r: C:\Windows\sysnative\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\491A.tmp\492A.tmp\492B.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6PI22HQ.exe" filepath: C:\Windows\sysnative\cmd	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 24, 2023, 7:42 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x05090000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process explothe.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Oct. 24, 2023, 7:43 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $,CyáCyáCyáâ~Iyáä~Ëyáå~Qyáå~Lyáâ~Ryáä~byáà~FyáCyàyáØè~@yáØá~ByáØByáØã~ByáRichCyáPEL ïeà!Þ>ð°@ J<K<øT ?p?@ð,.textVÝÞ `.rdataîaðbâ@@.dataD`D@À.rsrcøP@@.relocTR@Bj h¨<¹phè?#hêèYÃÌÌÌj8hÌ<¹hè#h`êèlYÃÌÌÌj8hÌ<¹ hèÿ"hÀêèLYÃÌÌÌj8hÌ<¹¸hèß"h ëè,YÃÌÌÌj8h=¹Ðhè¿"hëè*YÃÌÌÌj0hD=¹èhè"hàëèì)YÃÌÌÌj0hx=¹iè"h@ìèÌ)YÃÌÌÌhh°=¹iè\"h ìè©)YÃj?h>¹0iè?"híè)YÃÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPèÂ2ÄÆ^]ÂÌÌÌI¸\|<ÉEÁÃÌÌUìVñFÇñPèó2ÄöEtjVè«%ÄÆ^]ÂAÇñPèÉ2YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇA<ÇìñÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿhJEôPè2ÌÌÌÌUìVñWÀFPÇñfÖEÀPèò1ÄÇìñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPè²1ÄÇ ñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìQSZVWQSñè=h3É3À}üÛ~53Ò;ÇþEÐ=h¸phCph~r>A}üB;Ë\|Ë~r_ÆÆ^[å]Ã_ÆÆ^[å]ÃÌÌÌÌÌUììSVWòùQ}ôFPEðè3Û]ø9]ð)D~Ær¾Pè¯KÄÀu-NÆùr< tÆùrÏréÌ~Ær=@i3Ò Diÿt+EÿfD]ÿù¸0iC0i8]øtB;×ráÊÿEÈxr3Àÿt.MÿD=Di¹0i]ÿC 0i8]øt@;ÇrÝÈÿ=Di¹0iC 0iMìMôMøyr MøÏ+È 3Ò÷÷Mì}ô MøC]ø;]ðÜþÿÿrÆÇ_^[å]ÃÆÇ_^[å]ÃÌÌÌÌÌÌÌÌÌÌUìì@SVWÙòQMÄ]ôèçýÿÿEÄÖPMÜèYþÿÿhÇCÇCÆè°"Ø¹Èÿ]øûÄó«3Ò¾8>Bú@\|ðUì3ö3Û~øÒtAMø}ðEÜCEÜ¾øÿt'ÁæðÇxÏÆÓøMôPèUìïMøC;ÚrÂEøÀthPèð!ÄUðúr(MÜBÁúrIüÂ#+ÁÀüøwVRQèÀ!ÄUØÇEìÇEðÆEÜúr(MÄBÁúrIüÂ#+ÁÀüøwRQè~!ÄEô_^[å]ÃèGÌÌÌÌÌÌÌÌÌÌÌUìì4E0SVW3ÿÆEè¾À]ÇEàÇEäÆEÐ;Ç´+ÇMÐ;ÃBØ}4E CE SÇPèþr.MèVÁúrIüÂ#+ÁÀüøhRQè× ÄMÐ}Uó~EàEèCU}äuà]f~ÉMèCÁfÖEø;óu\îr; uÀÂîsïþüî: u7þýßH:Ju&þþÎH:Juþÿ½@:B±E0Guü;øõþÿÿ3ÿUþr/MèFÁþrIüÆ#+ÁÀüøVQè UÄEør'HÂùrRüÁ#+ÂÀüøw`QRèÏÄU4ÇEÇEÆEúr3M BÁúrIüÂ#+ÁÀüøwë uüGéWÿÿÿRQèÄÇ_^[å]Ãè Eè«ÌÌÌÌÌÌÌÌÌÌÌUìQS]Vñ]üWjhÀ>ÇFÇFÆèD3ÿÛ~1}ECE8S¿C ú¶È¶ÃGÈ¶ÁÎPèG;}ü\|ÏUúr(MBÁúrIüÂ#+ÁÀüøwRQèÑÄ_Æ^[å]ÃèïDÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì0VWj$hÄ>MÐÇEàÇEäÆEÐèEÀu3öéÇ3ÿÀ¸ÇEøÇEüÆEè;ÇF+Ç¹;ÁBÈ}ECEQÇMèPèBìEÐÌPètìEèôìÌPèaÎèªþÿÿÄè¢üÿÿUüÄ0Àúr,MèBÁúrIüÂ#+ÁÀüø¹RQèÇÄEG;øHÿÿÿ¾Uäúr(MÐBÁúrIüÂ#+ÁÀüøwxRQèÄUúr^MBÁúrFIüÂ#+ÁÀüøwHë4úr(MèBÁúrIüÂ#+ÁÀüøw#RQè1Ä3öétÿÿÿRQè Ä_Æ^å]Ãè?CèJÌÌÌÌÌÌÌÌÌÌUìQEUMVÀS@WPè] ÄM}ØÓCM+ÑID ÿÀuóóNFÀuù+ñFVjÿðVøSWÿðPèÇ5ÄWÿðjÿñÿñWjÿñÿ ñUM_[^úr%BÁúrIüÂ#+ÁÀüøwRQèAÄå]ÃèdBÌÌÌÌUìì$SVWùjÇGÇGÆÿñÀj ÿ$ñØ]üÛlSÿðEôÀSjjjjjÿPjhéýÿððuøö.WN;ÊwOÇrÆëFGÙ+Ú+Â;Øw%ÇOrS4jVèE,ÆÄuøëQSÆEøÏÿuøSè¨]üÇrjjVPjÿÿuô request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x001a6400', u'virtual_address': u'0x0000c000', u'entropy': 7.98067129483033, u'name': u'.rsrc', u'virtual_size': u'0x001a7000'}

entropy

7.98067129483

description

A section with a high entropy has been found

entropy

0.981121115306

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 24, 2023, 7:42 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (44 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	RedLine stealer	rule	RedLine_Stealer_m_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000043c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: AddressBook base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: Connection Manager base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: DirectDrawEx base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: EditPlus base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: ENTERPRISE base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: Fontcore base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: Google Chrome base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: IE40 base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: IE4Data base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: IE5BAKEX base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: IEData base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: MobileOptionPack base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: SchedulingAgent base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: WIC base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Oct. 24, 2023, 7:42 a.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x0000043c key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Uses Windows utilities for basic Windows functionality (7 events)

cmdline	C:\Windows\sysnative\cmd /c "C:\Users\test22\AppData\Local\Temp\491A.tmp\492A.tmp\492B.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6PI22HQ.exe"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2580 CREDAT:145409
cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\491A.tmp\492A.tmp\492B.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6PI22HQ.exe"
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2580 CREDAT:79875
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (5 events)

host	117.18.232.200
host	193.233.255.73
host	77.91.124.1
host	77.91.124.86
host	51.68.143.81

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2892 region_size: 204800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000128	1	0	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:42 a.m.	process_identifier: 2592 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000128	1	0	0

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (7 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP003.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP004.TMP\"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

Deletes executed files from disk (3 events)

file	C:\Users\test22\AppData\Local\Temp\491A.tmp\492A.tmp\492B.bat
file	C:\Users\test22\AppData\Local\Temp\491A.tmp
file	C:\Users\test22\AppData\Local\Temp\491A.tmp\492A.tmp

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Potential code injection by writing to the memory of another process (7 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 24, 2023, 7:41 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPELÖT5eà$¸A@@ @L(ààðÐ/à @@.text) `.rdataxa@b.@@.datah#°@À.rsrcàà@@.relocÐ/ð0 @B base_address: 0x00400000 process_identifier: 2892 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 24, 2023, 7:41 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ ÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þZB@¶B@¶B@¶B@¶B@¶BH¶B]B^BÈTBµB`°BC¶BHÇBHÇBHÇBHÇBHÇBHÇBHÇBHÇBHÇB¶BLÇBLÇBLÇBLÇBLÇBLÇBLÇB..þÿÿÿ þÿÿÿuÐù¾cyåú¦eÍiLÅ?þDVÐü!Êû×6}¼$ÁªaÐº;ëZèy©Ä@éã¶úæô;;¥¹Ò3[ 1à©ÜÞÙ#,ss3WILÈ½y+ qPøkú¢¼ÇmµúÂÆâs5}àO£tdïôfGj}É¬:ø÷¹â&÷c&ÀÇ@zÞcÅgÓÑëGïNn3g\|ÔZØ²¤G> b&}LºFwXÍ\|[x¦D@q#4m$>äÂö>/ö8Iå¸7ÐGñD¨íòDñ¥Ñ&\qÀÒJ²Z $\ÒVi×´v8·´Æ&Àÿ>Ì<[ÏlEfMdý\|îoK¡JnÜnÔÏ¯ ïµÃFòÜxAayÛOw(ì³Ö-ÆÆõA5«V¥0½REAãýñbG-¨¦¥ [Êþdã0[okûhn¤ÛB±±!S^¥4\Áéj8ªJÛ®!2É)C¨ñgÕ{@ÜMZ¶ß?þ÷}M¯,ëïõ Û³OS÷=B9Àc\#Ã\9§ 0b;(Ïÿ©(ÎZï¨ðóe^4>ØxúI"WÂB°%/í¯¼áy?Ó( ÖüMÝð·7¢L{éü=·Ë¡gÇmPvl\|Sâ DÄêq¯où¾Ì !sì©M7<wòÂ,-<L1Ò ¿ü/wÌð¹DPÐò°=þoÊÐðÒ¶eÆzoaªd>aùr)0Þ sÉzdÎD8@¸Þ¿åK@X¥³jj&å"ª¯L¤E©ÊæpÏ_éKr¢OÝTmªÛªuZE)J2^D{ðR¤%£§õ¼wX"Æ®ë"~"ê<äPu¶ç5G}¹~ó³Pr<LÌu ítuuDæÔúäfÂî4Ñ@#j-ÂÒ£ÑÉºgÍZê·í2>[Ììgu½CPHçëhºö-áN($q$ãeË°þm*âk3²Jd¼I?Ó#J0ÊDêQâZb&'Ô ¦g¡Æ^_/\|B.?AVbad_exception@std@@\|B.?AVexception@std@@\|B.?AVtype_info@@ base_address: 0x0042b000 process_identifier: 2892 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 24, 2023, 7:41 a.m.	buffer: 0 H`à}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042e000 process_identifier: 2892 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 24, 2023, 7:41 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2892 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 24, 2023, 7:42 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELî¯¦éà0È¬®ç @ à@TçWN©À H.text´Ç È `.rsrcN©ªÊ@@.relocÀt@B base_address: 0x00400000 process_identifier: 2592 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 24, 2023, 7:42 a.m.	buffer: à°7 base_address: 0x0043c000 process_identifier: 2592 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 24, 2023, 7:42 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2592 process_handle: 0x00000128	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 24, 2023, 7:41 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPELÖT5eà$¸A@@ @L(ààðÐ/à @@.text) `.rdataxa@b.@@.datah#°@À.rsrcàà@@.relocÐ/ð0 @B base_address: 0x00400000 process_identifier: 2892 process_handle: 0x00000128	1	1	0
WriteProcessMemory Oct. 24, 2023, 7:42 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELî¯¦éà0È¬®ç @ à@TçWN©À H.text´Ç È `.rsrcN©ªÊ@@.relocÀt@B base_address: 0x00400000 process_identifier: 2592 process_handle: 0x00000128	1	1	0

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Oct. 24, 2023, 7:42 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Network activity contains more than one unique useragent (3 events)

process	AppLaunch.exe	useragent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
process	explothe.exe	useragent
process	iexplore.exe	useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2836 called NtSetContextThread to modify thread in remote process 2892
Process injection	Process 2464 called NtSetContextThread to modify thread in remote process 2592
NtSetContextThread Oct. 24, 2023, 7:41 a.m.	registers.eip: 1995571652 registers.esp: 2948336 registers.edi: 0 registers.eax: 4198977 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000124 process_identifier: 2892	1	0	0
NtSetContextThread Oct. 24, 2023, 7:42 a.m.	registers.eip: 1995571652 registers.esp: 5765584 registers.edi: 0 registers.eax: 4384686 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000124 process_identifier: 2592	1	0	0

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (13 events)

Time & API	Arguments	Status	Return
HttpSendRequestA Oct. 24, 2023, 7:42 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 24, 2023, 7:42 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 24, 2023, 7:42 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 24, 2023, 7:42 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 24, 2023, 7:42 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 24, 2023, 7:42 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 24, 2023, 7:42 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 24, 2023, 7:42 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 24, 2023, 7:42 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 24, 2023, 7:42 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 24, 2023, 7:42 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 24, 2023, 7:42 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 24, 2023, 7:42 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1

Resumed a suspended thread in a remote process potentially indicative of process injection (10 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2836 resumed a thread in remote process 2892
Process injection	Process 2464 resumed a thread in remote process 2592
Process injection	Process 2940 resumed a thread in remote process 3068
Process injection	Process 2580 resumed a thread in remote process 2644
Process injection	Process 2580 resumed a thread in remote process 2368
NtResumeThread Oct. 24, 2023, 7:41 a.m.	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 2892	1	0	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 2592	1	0	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x00000258 suspend_count: 1 process_identifier: 3068	1	0	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 2644	1	0	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x00000564 suspend_count: 1 process_identifier: 2368	1	0	0

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	CACLS "..\fefffe8cea" /P "test22:R" /E
cmdline	cmd /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit
cmdline	CACLS "explothe.exe" /P "test22:N"
cmdline	CACLS "..\fefffe8cea" /P "test22:N"
cmdline	CACLS "explothe.exe" /P "test22:R" /E
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit

Executed a process and injected code into it, probably while unpacking (50 out of 92 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 24, 2023, 7:41 a.m.	thread_identifier: 2620 thread_handle: 0x0000001c process_identifier: 2616 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\nE9jV7Eq.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000124	1	1
CreateProcessInternalW Oct. 24, 2023, 7:42 a.m.	thread_identifier: 2932 thread_handle: 0x00000124 process_identifier: 2940 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6PI22HQ.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Oct. 24, 2023, 7:41 a.m.	thread_identifier: 2688 thread_handle: 0x0000001c process_identifier: 2684 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\Kf6rx9FU.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000124	1	1
CreateProcessInternalW Oct. 24, 2023, 7:42 a.m.	thread_identifier: 2776 thread_handle: 0x00000124 process_identifier: 2780 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\5kK61Wm.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Oct. 24, 2023, 7:41 a.m.	thread_identifier: 2752 thread_handle: 0x0000001c process_identifier: 2748 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP002.TMP\Hb5kl7yL.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000124	1	1
CreateProcessInternalW Oct. 24, 2023, 7:42 a.m.	thread_identifier: 2508 thread_handle: 0x00000124 process_identifier: 2464 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP002.TMP\4fy651MS.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Oct. 24, 2023, 7:41 a.m.	thread_identifier: 2796 thread_handle: 0x0000001c process_identifier: 2792 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP003.TMP\vk3Ra4EA.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000124	1	1
CreateProcessInternalW Oct. 24, 2023, 7:42 a.m.	thread_identifier: 2240 thread_handle: 0x00000124 process_identifier: 2260 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP003.TMP\3OE9Sl07.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Oct. 24, 2023, 7:41 a.m.	thread_identifier: 2840 thread_handle: 0x0000001c process_identifier: 2836 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP004.TMP\1xY48zQ2.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000124	1	1
CreateProcessInternalW Oct. 24, 2023, 7:41 a.m.	thread_identifier: 2956 thread_handle: 0x00000124 process_identifier: 2952 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP004.TMP\2Fu909uk.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Oct. 24, 2023, 7:41 a.m.	thread_identifier: 2896 thread_handle: 0x00000124 process_identifier: 2892 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000128	1	1
NtGetContextThread Oct. 24, 2023, 7:41 a.m.	thread_handle: 0x00000124	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2892 region_size: 204800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000128	1	0
WriteProcessMemory Oct. 24, 2023, 7:41 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPELÖT5eà$¸A@@ @L(ààðÐ/à @@.text) `.rdataxa@b.@@.datah#°@À.rsrcàà@@.relocÐ/ð0 @B base_address: 0x00400000 process_identifier: 2892 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 24, 2023, 7:41 a.m.	buffer: base_address: 0x00401000 process_identifier: 2892 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 24, 2023, 7:41 a.m.	buffer: base_address: 0x00424000 process_identifier: 2892 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 24, 2023, 7:41 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ ÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þZB@¶B@¶B@¶B@¶B@¶BH¶B]B^BÈTBµB`°BC¶BHÇBHÇBHÇBHÇBHÇBHÇBHÇBHÇBHÇB¶BLÇBLÇBLÇBLÇBLÇBLÇBLÇB..þÿÿÿ þÿÿÿuÐù¾cyåú¦eÍiLÅ?þDVÐü!Êû×6}¼$ÁªaÐº;ëZèy©Ä@éã¶úæô;;¥¹Ò3[ 1à©ÜÞÙ#,ss3WILÈ½y+ qPøkú¢¼ÇmµúÂÆâs5}àO£tdïôfGj}É¬:ø÷¹â&÷c&ÀÇ@zÞcÅgÓÑëGïNn3g\|ÔZØ²¤G> b&}LºFwXÍ\|[x¦D@q#4m$>äÂö>/ö8Iå¸7ÐGñD¨íòDñ¥Ñ&\qÀÒJ²Z $\ÒVi×´v8·´Æ&Àÿ>Ì<[ÏlEfMdý\|îoK¡JnÜnÔÏ¯ ïµÃFòÜxAayÛOw(ì³Ö-ÆÆõA5«V¥0½REAãýñbG-¨¦¥ [Êþdã0[okûhn¤ÛB±±!S^¥4\Áéj8ªJÛ®!2É)C¨ñgÕ{@ÜMZ¶ß?þ÷}M¯,ëïõ Û³OS÷=B9Àc\#Ã\9§ 0b;(Ïÿ©(ÎZï¨ðóe^4>ØxúI"WÂB°%/í¯¼áy?Ó( ÖüMÝð·7¢L{éü=·Ë¡gÇmPvl\|Sâ DÄêq¯où¾Ì !sì©M7<wòÂ,-<L1Ò ¿ü/wÌð¹DPÐò°=þoÊÐðÒ¶eÆzoaªd>aùr)0Þ sÉzdÎD8@¸Þ¿åK@X¥³jj&å"ª¯L¤E©ÊæpÏ_éKr¢OÝTmªÛªuZE)J2^D{ðR¤%£§õ¼wX"Æ®ë"~"ê<äPu¶ç5G}¹~ó³Pr<LÌu ítuuDæÔúäfÂî4Ñ@#j-ÂÒ£ÑÉºgÍZê·í2>[Ììgu½CPHçëhºö-áN($q$ãeË°þm*âk3²Jd¼I?Ó#J0ÊDêQâZb&'Ô ¦g¡Æ^_/\|B.?AVbad_exception@std@@\|B.?AVexception@std@@\|B.?AVtype_info@@ base_address: 0x0042b000 process_identifier: 2892 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 24, 2023, 7:41 a.m.	buffer: 0 H`à}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042e000 process_identifier: 2892 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 24, 2023, 7:41 a.m.	buffer: base_address: 0x0042f000 process_identifier: 2892 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 24, 2023, 7:41 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2892 process_handle: 0x00000128	1	1
NtSetContextThread Oct. 24, 2023, 7:41 a.m.	registers.eip: 1995571652 registers.esp: 2948336 registers.edi: 0 registers.eax: 4198977 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000124 process_identifier: 2892	1	0
NtResumeThread Oct. 24, 2023, 7:41 a.m.	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread Oct. 24, 2023, 7:41 a.m.	thread_handle: 0x00000184 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread Oct. 24, 2023, 7:41 a.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread Oct. 24, 2023, 7:41 a.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread Oct. 24, 2023, 7:41 a.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 2952	1	0
NtGetContextThread Oct. 24, 2023, 7:41 a.m.	thread_handle: 0x00000190	1	0
NtGetContextThread Oct. 24, 2023, 7:41 a.m.	thread_handle: 0x00000190	1	0
NtResumeThread Oct. 24, 2023, 7:41 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x000003bc suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x00000454 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x000004c0 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x00000490 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x00000438 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x000002bc suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x00000454 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x000002dc suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x00000478 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x000004a8 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x0000048c suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x000004c8 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x000004d4 suspend_count: 1 process_identifier: 2952	1	0
CreateProcessInternalW Oct. 24, 2023, 7:42 a.m.	thread_identifier: 2636 thread_handle: 0x00000124 process_identifier: 2592 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000128	1	1
NtGetContextThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x00000124	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:42 a.m.	process_identifier: 2592 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000128	1	0
WriteProcessMemory Oct. 24, 2023, 7:42 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELî¯¦éà0È¬®ç @ à@TçWN©À H.text´Ç È `.rsrcN©ªÊ@@.relocÀt@B base_address: 0x00400000 process_identifier: 2592 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 24, 2023, 7:42 a.m.	buffer: base_address: 0x00402000 process_identifier: 2592 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 24, 2023, 7:42 a.m.	buffer: base_address: 0x00430000 process_identifier: 2592 process_handle: 0x00000128	1	1
WriteProcessMemory Oct. 24, 2023, 7:42 a.m.	buffer: à°7 base_address: 0x0043c000 process_identifier: 2592 process_handle: 0x00000128	1	1

foto2552.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All