Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 26, 2023, 10:17 a.m.	Oct. 26, 2023, 10:19 a.m.

Size	1.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`7613290b26555e6b7b16131d17331960`
SHA256	`f4886aa34e28ee294d217127048d38fb17d872ab5b1baeb04424b7eaa15558f4`
CRC32	`E0CB781D`
ssdeep	`24576:7yF8hOuV29A+oM1db5vTYk4TmM+iXlmvZcXnQN1+l0zwqH0RcfrV6/Mb2N3Tidkv:uF8hOuV2Ndb57f4TPYvaANO0sAH2N3T`
PDB Path	wextract.pdb
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) CAB_file_format - CAB archive file Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet

foto1661.exe "C:\Users\test22\AppData\Local\Temp\foto1661.exe"
1020
- Qu3zm3mb.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Qu3zm3mb.exe
  2112
  - Fc9PG7Fq.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\Fc9PG7Fq.exe
    2188
    - iW4Ox0uA.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\iW4Ox0uA.exe
      2252
      - Oz2GJ1On.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\Oz2GJ1On.exe
        2304
        
        1aP71bw7.exe C:\Users\test22\AppData\Local\Temp\IXP004.TMP\1aP71bw7.exe
        2348
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2448
        
        2ui982bJ.exe C:\Users\test22\AppData\Local\Temp\IXP004.TMP\2ui982bJ.exe
        2512
      - 3zm3Dv28.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\3zm3Dv28.exe
        2096
    - 4GZ372Su.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\4GZ372Su.exe
      2172
      - AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2320
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
        4048
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef2cd6e00,0x7fef2cd6e10,0x7fef2cd6e20
        2976
  - 5Jp03OV.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\5Jp03OV.exe
    2468
    - explothe.exe "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe"
      2624
      - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        1804
      - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit
        2428
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2992
        
        cacls.exe CACLS "explothe.exe" /P "test22:N"
        2132
        
        cacls.exe CACLS "explothe.exe" /P "test22:R" /E
        2256
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2300
        
        cacls.exe CACLS "..\fefffe8cea" /P "test22:N"
        2496
        
        cacls.exe CACLS "..\fefffe8cea" /P "test22:R" /E
        2160
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000050041\2.ps1"
        2656
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://accounts.google.com/
        3184
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3184 CREDAT:145409
        3376
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com/
        3244
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef2cd6e00,0x7fef2cd6e10,0x7fef2cd6e20
        3328
      - tus.exe "C:\Users\test22\AppData\Local\Temp\1000051051\tus.exe"
        2056
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3368
      - foto1661.exe "C:\Users\test22\AppData\Local\Temp\1000052051\foto1661.exe"
        3572
        
        Si0fQ9YY.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Si0fQ9YY.exe
        3696
        
        rI1Jd4Eu.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\rI1Jd4Eu.exe
        3752
        
        WF0kq6mf.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\WF0kq6mf.exe
        3800
        
        Bp2UD7lQ.exe C:\Users\test22\AppData\Local\Temp\IXP004.TMP\Bp2UD7lQ.exe
        3856
        
        1eH36Fz5.exe C:\Users\test22\AppData\Local\Temp\IXP005.TMP\1eH36Fz5.exe
        3928
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3172
        
        2Et342Hh.exe C:\Users\test22\AppData\Local\Temp\IXP005.TMP\2Et342Hh.exe
        3144
      - nalo.exe "C:\Users\test22\AppData\Local\Temp\1000053051\nalo.exe"
        3984
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3168
      - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        3632
- 6PS68mQ.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6PS68mQ.exe
  2552
  - cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\451D.tmp\451E.tmp\451F.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6PS68mQ.exe"
    1228
    - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
      1696
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1696 CREDAT:145409
        2640

Name	Response	Post-Analysis Lookup
ssl.gstatic.com	A 216.58.203.67	142.250.206.227
accounts.google.com	A 216.58.200.237	142.250.206.205
www.youtube.com	A 142.250.66.46 A 142.251.220.78 A 142.250.204.110 A 216.58.203.78 A 142.251.220.110 A 142.250.199.78 A 216.58.200.238 A 142.250.204.46 A 142.250.204.78 A 142.251.220.14 A 142.251.220.46 A 142.250.204.142 A 172.217.24.78 A 142.251.222.206 CNAME youtube-ui.l.google.com A 142.251.130.14 A 172.217.31.14	172.217.25.174
www.google.com	A 142.250.204.36	142.250.76.132
www.facebook.com	A 157.240.215.35 CNAME star-mini.c10r.facebook.com	157.240.215.35

IP Address	Status	Action
117.18.232.200	Active	Moloch
142.250.204.36	Active	Moloch
142.251.220.14	Active	Moloch
157.240.215.35	Active	Moloch
164.124.101.2	Active	Moloch
193.233.255.73	Active	Moloch
216.58.200.237	Active	Moloch
216.58.203.67	Active	Moloch
77.91.124.1	Active	Moloch
77.91.124.86	Active	Moloch
77.91.68.249	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49171 -> 77.91.124.86:19084	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.86:19084	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 77.91.124.86:19084 -> 192.168.56.103:49171	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49194 -> 77.91.68.249:80	2032162	ET INFO PS1 Powershell File Request	Potentially Bad Traffic
TCP 192.168.56.103:49193 -> 77.91.124.1:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.103:49193 -> 77.91.124.1:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49174 -> 193.233.255.73:80	2047625	ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 193.233.255.73:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 193.233.255.73:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 77.91.124.86:19084	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 77.91.124.86:19084	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 192.168.56.103:49194 -> 77.91.68.249:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49194 -> 77.91.68.249:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 77.91.124.86:19084 -> 192.168.56.103:49179	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49193 -> 77.91.124.1:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49193 -> 77.91.124.1:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 77.91.68.249:80 -> 192.168.56.103:49194	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.68.249:80 -> 192.168.56.103:49194	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.68.249:80 -> 192.168.56.103:49194	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49201 -> 142.251.220.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49203 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49207 -> 216.58.200.237:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49208 -> 216.58.203.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49200 -> 142.251.220.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49204 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49206 -> 216.58.200.237:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49220 -> 216.58.200.237:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49193 -> 77.91.124.1:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49209 -> 216.58.203.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49225 -> 216.58.203.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49179 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49219 -> 216.58.200.237:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49226 -> 216.58.203.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49230 -> 142.250.204.36:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49193 -> 77.91.124.1:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49231 -> 142.250.204.36:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49233 -> 142.250.204.36:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49232 -> 142.250.204.36:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49179 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49245 -> 77.91.124.1:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49245 -> 77.91.124.1:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.124.1:80 -> 192.168.56.103:49245	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.124.1:80 -> 192.168.56.103:49245	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.124.1:80 -> 192.168.56.103:49245	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.103:49194 -> 77.91.68.249:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 77.91.68.249:80 -> 192.168.56.103:49194	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.68.249:80 -> 192.168.56.103:49194	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49194 -> 77.91.68.249:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49241 -> 193.233.255.73:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49201 142.251.220.14:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	71:34:f9:a1:80:2f:af:05:cb:45:8a:35:d5:48:03:3f:b3:6f:61:30
TLSv1 192.168.56.103:49203 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	0c:f7:12:d9:d4:67:aa:56:4d:68:2b:4c:90:81:cd:08:57:ad:f0:ad
TLSv1 192.168.56.103:49207 216.58.200.237:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	86:7b:0f:9a:a8:81:46:14:e8:56:c2:45:8b:8e:ff:52:da:1c:f4:18
TLSv1 192.168.56.103:49208 216.58.203.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	be:d3:d2:0a:c4:57:fb:0b:d7:17:48:c8:ab:52:49:39:3e:e9:3c:60
TLSv1 192.168.56.103:49204 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	0c:f7:12:d9:d4:67:aa:56:4d:68:2b:4c:90:81:cd:08:57:ad:f0:ad
TLSv1 192.168.56.103:49206 216.58.200.237:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	86:7b:0f:9a:a8:81:46:14:e8:56:c2:45:8b:8e:ff:52:da:1c:f4:18
TLSv1 192.168.56.103:49220 216.58.200.237:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	86:7b:0f:9a:a8:81:46:14:e8:56:c2:45:8b:8e:ff:52:da:1c:f4:18
TLSv1 192.168.56.103:49209 216.58.203.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	be:d3:d2:0a:c4:57:fb:0b:d7:17:48:c8:ab:52:49:39:3e:e9:3c:60
TLSv1 192.168.56.103:49225 216.58.203.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	be:d3:d2:0a:c4:57:fb:0b:d7:17:48:c8:ab:52:49:39:3e:e9:3c:60
TLSv1 192.168.56.103:49219 216.58.200.237:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	86:7b:0f:9a:a8:81:46:14:e8:56:c2:45:8b:8e:ff:52:da:1c:f4:18
TLSv1 192.168.56.103:49226 216.58.203.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	be:d3:d2:0a:c4:57:fb:0b:d7:17:48:c8:ab:52:49:39:3e:e9:3c:60
TLSv1 192.168.56.103:49230 142.250.204.36:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	13:d2:e3:b0:25:78:80:d7:35:78:09:81:0d:21:ce:31:cb:ef:da:75
TLSv1 192.168.56.103:49231 142.250.204.36:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	13:d2:e3:b0:25:78:80:d7:35:78:09:81:0d:21:ce:31:cb:ef:da:75
TLSv1 192.168.56.103:49233 142.250.204.36:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	13:d2:e3:b0:25:78:80:d7:35:78:09:81:0d:21:ce:31:cb:ef:da:75
TLSv1 192.168.56.103:49232 142.250.204.36:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	13:d2:e3:b0:25:78:80:d7:35:78:09:81:0d:21:ce:31:cb:ef:da:75

Queries for the computername (33 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 10:17 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (33 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 26, 2023, 10:17 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:17 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:17 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:17 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:17 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:17 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:17 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:17 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:17 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:17 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:17 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:17 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:18 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:18 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:18 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:18 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:18 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:18 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:18 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:18 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:18 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:18 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:18 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:18 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:18 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:18 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:18 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:17 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:17 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:17 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:17 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:17 a.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 10:18 a.m.			0	0

Command line console output was observed (50 out of 90 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 26, 2023, 10:17 a.m.	buffer: SUCCESS: The scheduled task "explothe.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Oct. 26, 2023, 10:17 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Oct. 26, 2023, 10:17 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:17 a.m.	buffer: r console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 76 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00318dc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00318dc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00318dc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00318dc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00318e48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00318e48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00318d48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00318d48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00318d48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00318d48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00318d48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00318dc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00318dc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00318fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00319708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00319708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003195c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00896a28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00896a28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008b5b80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008b5b80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008bd888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0088ed40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008bd888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008bd888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008bd888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008bd888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008bd888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d6f30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d6f30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d70f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d77f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d77f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d76b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047ae10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047b510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047b510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047b510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047abd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047abd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047abd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047abd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047abd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047abd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047b650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047b650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047b650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047b650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047b650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047b650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Tries to locate where the browsers are installed (4 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 26, 2023, 10:17 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more processes crashed (36 events)

Time & API	Arguments	Status
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x6e86cd 0x6e849e 0x6e6cad 0x6e6886 0x6e34ab 0x6e2f10 0x6e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6e8808 registers.esp: 2156836 registers.edi: 2156888 registers.eax: 0 registers.ebp: 2156900 registers.edx: 3025192 registers.ebx: 2158116 registers.esi: 39620504 registers.ecx: 0	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x71869f0 0x7182b08 0x71825b9 0x71824d5 0x7180bdb 0x6eebae 0x6ec7af 0x6e6d75 0x6e6886 0x6e34ab 0x6e2f10 0x6e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7186a33 registers.esp: 2155424 registers.edi: 2155708 registers.eax: 0 registers.ebp: 2155432 registers.edx: 0 registers.ebx: 2158116 registers.esi: 40244884 registers.ecx: 41371196	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x71869f0 0x7182b08 0x71825b9 0x71824ed 0x7180bdb 0x6eebae 0x6ec7af 0x6e6d75 0x6e6886 0x6e34ab 0x6e2f10 0x6e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7186a33 registers.esp: 2155424 registers.edi: 2155708 registers.eax: 0 registers.ebp: 2155432 registers.edx: 0 registers.ebx: 2158116 registers.esi: 40244884 registers.ecx: 42677136	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x71869f0 0x7182b08 0x71825b9 0x71824ed 0x7180bdb 0x6eebae 0x6ec7af 0x6e6d75 0x6e6886 0x6e34ab 0x6e2f10 0x6e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7186a33 registers.esp: 2155424 registers.edi: 2155708 registers.eax: 0 registers.ebp: 2155432 registers.edx: 0 registers.ebx: 2158116 registers.esi: 40244884 registers.ecx: 40144040	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x71869f0 0x71872a6 0x7186cf8 0x71824d5 0x7181352 0x6eebae 0x6ec7af 0x6e6d75 0x6e6886 0x6e34ab 0x6e2f10 0x6e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7186a33 registers.esp: 2155384 registers.edi: 2155724 registers.eax: 0 registers.ebp: 2155392 registers.edx: 0 registers.ebx: 2158116 registers.esi: 39257472 registers.ecx: 41581856	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x71869f0 0x71872a6 0x7186cf8 0x71824ed 0x7181352 0x6eebae 0x6ec7af 0x6e6d75 0x6e6886 0x6e34ab 0x6e2f10 0x6e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7186a33 registers.esp: 2155384 registers.edi: 2155724 registers.eax: 0 registers.ebp: 2155392 registers.edx: 0 registers.ebx: 2158116 registers.esi: 39257472 registers.ecx: 43168080	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x71869f0 0x71872a6 0x7186cf8 0x71824ed 0x7181352 0x6eebae 0x6ec7af 0x6e6d75 0x6e6886 0x6e34ab 0x6e2f10 0x6e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7186a33 registers.esp: 2155384 registers.edi: 2155724 registers.eax: 0 registers.ebp: 2155392 registers.edx: 0 registers.ebx: 2158116 registers.esi: 39257472 registers.ecx: 44517752	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x71869f0 0x718796a 0x7187548 0x71824d5 0x7181454 0x6eebae 0x6ec7af 0x6e6d75 0x6e6886 0x6e34ab 0x6e2f10 0x6e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7186a33 registers.esp: 2155448 registers.edi: 2155724 registers.eax: 0 registers.ebp: 2155456 registers.edx: 0 registers.ebx: 2158116 registers.esi: 39257472 registers.ecx: 39518844	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x71869f0 0x718796a 0x7187548 0x71824ed 0x7181454 0x6eebae 0x6ec7af 0x6e6d75 0x6e6886 0x6e34ab 0x6e2f10 0x6e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7186a33 registers.esp: 2155448 registers.edi: 2155724 registers.eax: 0 registers.ebp: 2155456 registers.edx: 0 registers.ebx: 2158116 registers.esi: 39247460 registers.ecx: 40917048	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x71869f0 0x718796a 0x7187548 0x71824ed 0x7181454 0x6eebae 0x6ec7af 0x6e6d75 0x6e6886 0x6e34ab 0x6e2f10 0x6e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7186a33 registers.esp: 2155448 registers.edi: 2155724 registers.eax: 0 registers.ebp: 2155456 registers.edx: 0 registers.ebx: 2158116 registers.esi: 39247460 registers.ecx: 42315240	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x71869f0 0x7187e72 0x7187a98 0x71824d5 0x7181541 0x6eebae 0x6ec7af 0x6e6d75 0x6e6886 0x6e34ab 0x6e2f10 0x6e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7186a33 registers.esp: 2155468 registers.edi: 2155724 registers.eax: 0 registers.ebp: 2155476 registers.edx: 0 registers.ebx: 2158116 registers.esi: 39247460 registers.ecx: 43713512	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x71869f0 0x7187e72 0x7187a98 0x71824ed 0x7181541 0x6eebae 0x6ec7af 0x6e6d75 0x6e6886 0x6e34ab 0x6e2f10 0x6e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7186a33 registers.esp: 2155468 registers.edi: 2155724 registers.eax: 0 registers.ebp: 2155476 registers.edx: 0 registers.ebx: 2158116 registers.esi: 39247460 registers.ecx: 40465456	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x71869f0 0x7187e72 0x7187a98 0x71824ed 0x7181541 0x6eebae 0x6ec7af 0x6e6d75 0x6e6886 0x6e34ab 0x6e2f10 0x6e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7186a33 registers.esp: 2155468 registers.edi: 2155724 registers.eax: 0 registers.ebp: 2155476 registers.edx: 0 registers.ebx: 2158116 registers.esi: 39247460 registers.ecx: 41866392	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x71869f0 0x7188e47 0x7188619 0x6eebdc 0x6ec7af 0x6e6d75 0x6e6886 0x6e34ab 0x6e2f10 0x6e2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7186a33 registers.esp: 2156352 registers.edi: 2156632 registers.eax: 0 registers.ebp: 2156360 registers.edx: 0 registers.ebx: 2158116 registers.esi: 42433888 registers.ecx: 42440972	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0xaa8725 0xaa84f6 0xaa6cad 0xaa6886 0xaa34ab 0xaa2f10 0xaa2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaa8860 registers.esp: 3730004 registers.edi: 3730056 registers.eax: 0 registers.ebp: 3730068 registers.edx: 8862480 registers.ebx: 3731284 registers.esi: 41791804 registers.ecx: 0	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x4bc7a28 0x4bc3b30 0x4bc35e1 0x4bc34fd 0x4bc1c03 0x4bc0ec6 0xaac7af 0xaa6d75 0xaa6886 0xaa34ab 0xaa2f10 0xaa2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4bc7a6b registers.esp: 3728592 registers.edi: 3728876 registers.eax: 0 registers.ebp: 3728600 registers.edx: 0 registers.ebx: 3731284 registers.esi: 42547020 registers.ecx: 43673164	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x4bc7a28 0x4bc3b30 0x4bc35e1 0x4bc3515 0x4bc1c03 0x4bc0ec6 0xaac7af 0xaa6d75 0xaa6886 0xaa34ab 0xaa2f10 0xaa2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4bc7a6b registers.esp: 3728592 registers.edi: 3728876 registers.eax: 0 registers.ebp: 3728600 registers.edx: 0 registers.ebx: 3731284 registers.esi: 42547020 registers.ecx: 44979104	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x4bc7a28 0x4bc3b30 0x4bc35e1 0x4bc3515 0x4bc1c03 0x4bc0ec6 0xaac7af 0xaa6d75 0xaa6886 0xaa34ab 0xaa2f10 0xaa2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4bc7a6b registers.esp: 3728592 registers.edi: 3728876 registers.eax: 0 registers.ebp: 3728600 registers.edx: 0 registers.ebx: 3731284 registers.esi: 42547020 registers.ecx: 42461456	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x4bc7a28 0x4bc3b30 0x4bc83c0 0x4bc34fd 0x4bc2098 0x4bc0ec6 0xaac7af 0xaa6d75 0xaa6886 0xaa34ab 0xaa2f10 0xaa2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4bc7a6b registers.esp: 3728592 registers.edi: 3728876 registers.eax: 0 registers.ebp: 3728600 registers.edx: 0 registers.ebx: 3731284 registers.esi: 41446764 registers.ecx: 43936392	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x4bc7a28 0x4bc3b30 0x4bc83c0 0x4bc3515 0x4bc2098 0x4bc0ec6 0xaac7af 0xaa6d75 0xaa6886 0xaa34ab 0xaa2f10 0xaa2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4bc7a6b registers.esp: 3728592 registers.edi: 3728876 registers.eax: 0 registers.ebp: 3728600 registers.edx: 0 registers.ebx: 3731284 registers.esi: 41446764 registers.ecx: 45357768	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x4bc7a28 0x4bc3b30 0x4bc83c0 0x4bc3515 0x4bc2098 0x4bc0ec6 0xaac7af 0xaa6d75 0xaa6886 0xaa34ab 0xaa2f10 0xaa2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4bc7a6b registers.esp: 3728592 registers.edi: 3728876 registers.eax: 0 registers.ebp: 3728600 registers.edx: 0 registers.ebx: 3731284 registers.esi: 41446764 registers.ecx: 41996992	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x4bc7a28 0x4bc8c2e 0x4bc8680 0x4bc34fd 0x4bc237b 0x4bc0ec6 0xaac7af 0xaa6d75 0xaa6886 0xaa34ab 0xaa2f10 0xaa2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4bc7a6b registers.esp: 3728552 registers.edi: 3728892 registers.eax: 0 registers.ebp: 3728560 registers.edx: 0 registers.ebx: 3731284 registers.esi: 41433200 registers.ecx: 43306824	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x4bc7a28 0x4bc8c2e 0x4bc8680 0x4bc3515 0x4bc237b 0x4bc0ec6 0xaac7af 0xaa6d75 0xaa6886 0xaa34ab 0xaa2f10 0xaa2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4bc7a6b registers.esp: 3728552 registers.edi: 3728892 registers.eax: 0 registers.ebp: 3728560 registers.edx: 0 registers.ebx: 3731284 registers.esi: 41433200 registers.ecx: 44656496	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x4bc7a28 0x4bc8c2e 0x4bc8680 0x4bc3515 0x4bc237b 0x4bc0ec6 0xaac7af 0xaa6d75 0xaa6886 0xaa34ab 0xaa2f10 0xaa2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4bc7a6b registers.esp: 3728552 registers.edi: 3728892 registers.eax: 0 registers.ebp: 3728560 registers.edx: 0 registers.ebx: 3731284 registers.esi: 41433200 registers.ecx: 46006168	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x4bc7a28 0x4bc92f2 0x4bc8ed0 0x4bc34fd 0x4bc247d 0x4bc0ec6 0xaac7af 0xaa6d75 0xaa6886 0xaa34ab 0xaa2f10 0xaa2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4bc7a6b registers.esp: 3728616 registers.edi: 3728892 registers.eax: 0 registers.ebp: 3728624 registers.edx: 0 registers.ebx: 3731284 registers.esi: 41433200 registers.ecx: 42444096	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x4bc7a28 0x4bc92f2 0x4bc8ed0 0x4bc3515 0x4bc247d 0x4bc0ec6 0xaac7af 0xaa6d75 0xaa6886 0xaa34ab 0xaa2f10 0xaa2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4bc7a6b registers.esp: 3728616 registers.edi: 3728892 registers.eax: 0 registers.ebp: 3728624 registers.edx: 0 registers.ebx: 3731284 registers.esi: 41433200 registers.ecx: 43842288	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x4bc7a28 0x4bc92f2 0x4bc8ed0 0x4bc3515 0x4bc247d 0x4bc0ec6 0xaac7af 0xaa6d75 0xaa6886 0xaa34ab 0xaa2f10 0xaa2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4bc7a6b registers.esp: 3728616 registers.edi: 3728892 registers.eax: 0 registers.ebp: 3728624 registers.edx: 0 registers.ebx: 3731284 registers.esi: 41433200 registers.ecx: 45240480	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x4bc7a28 0x4bc97fa 0x4bc9420 0x4bc34fd 0x4bc256a 0x4bc0ec6 0xaac7af 0xaa6d75 0xaa6886 0xaa34ab 0xaa2f10 0xaa2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4bc7a6b registers.esp: 3728636 registers.edi: 3728892 registers.eax: 0 registers.ebp: 3728644 registers.edx: 0 registers.ebx: 3731284 registers.esi: 41433200 registers.ecx: 47106896	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x4bc7a28 0x4bc97fa 0x4bc9420 0x4bc3515 0x4bc256a 0x4bc0ec6 0xaac7af 0xaa6d75 0xaa6886 0xaa34ab 0xaa2f10 0xaa2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4bc7a6b registers.esp: 3728636 registers.edi: 3728892 registers.eax: 0 registers.ebp: 3728644 registers.edx: 0 registers.ebx: 3731284 registers.esi: 41433200 registers.ecx: 41803212	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x4bc7a28 0x4bc97fa 0x4bc9420 0x4bc3515 0x4bc256a 0x4bc0ec6 0xaac7af 0xaa6d75 0xaa6886 0xaa34ab 0xaa2f10 0xaa2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4bc7a6b registers.esp: 3728636 registers.edi: 3728892 registers.eax: 0 registers.ebp: 3728644 registers.edx: 0 registers.ebx: 3731284 registers.esi: 41433200 registers.ecx: 43176736	1
__exception__ Oct. 26, 2023, 10:17 a.m.	stacktrace: 0x4bc7a28 0x4bca7cf 0x4bc9fa1 0x4bc0ef4 0xaac7af 0xaa6d75 0xaa6886 0xaa34ab 0xaa2f10 0xaa2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4bc7a6b registers.esp: 3729520 registers.edi: 3729800 registers.eax: 0 registers.ebp: 3729528 registers.edx: 0 registers.ebx: 3731284 registers.esi: 43744232 registers.ecx: 43751316	1
__exception__ Oct. 26, 2023, 10:18 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 96334052 registers.edi: 78034308 registers.eax: 96334052 registers.ebp: 96334132 registers.edx: 578 registers.ebx: 96334416 registers.esi: 2147746133 registers.ecx: 77813616	1
__exception__ Oct. 26, 2023, 10:18 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6950540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x695052ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x695e0ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 56024064 registers.edi: 1974991376 registers.eax: 56024064 registers.ebp: 56024144 registers.edx: 1 registers.ebx: 77792988 registers.esi: 2147746133 registers.ecx: 1762237273	1
__exception__ Oct. 26, 2023, 10:18 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 100528620 registers.edi: 76547492 registers.eax: 100528620 registers.ebp: 100528700 registers.edx: 514 registers.ebx: 100528984 registers.esi: 2147746133 registers.ecx: 76696696	1
__exception__ Oct. 26, 2023, 10:18 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x752f8926 RevokeBindStatusCallback+0x446 CreateURLMoniker-0x1418 urlmon+0x1c5f7 @ 0x752fc5f7 GetIDNFlagsForUri+0x1eb2 CreateIUriBuilder-0x8e7 urlmon+0x21ba9 @ 0x75301ba9 GetIDNFlagsForUri+0x19d4 CreateIUriBuilder-0xdc5 urlmon+0x216cb @ 0x753016cb GetIDNFlagsForUri+0x193d CreateIUriBuilder-0xe5c urlmon+0x21634 @ 0x75301634 GetIDNFlagsForUri+0xe85 CreateIUriBuilder-0x1914 urlmon+0x20b7c @ 0x75300b7c GetIDNFlagsForUri+0x12e3 CreateIUriBuilder-0x14b6 urlmon+0x20fda @ 0x75300fda CompareSecurityIds+0x207a GetClassFileOrMime-0x3330 urlmon+0x33246 @ 0x75313246 RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x752fd1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x752fd1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x752fd40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x752f991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x752f8d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6950540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x695052ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x695e0ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 74828824 registers.edi: 1974991376 registers.eax: 74828824 registers.ebp: 74828904 registers.edx: 1 registers.ebx: 5807436 registers.esi: 2147746133 registers.ecx: 1711986762	1
__exception__ Oct. 26, 2023, 10:18 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 244314056 registers.r15: 55174832 registers.rcx: 1276 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 244313312 registers.rsp: 244313016 registers.r11: 244316928 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1300 registers.r12: 244313672 registers.rbp: 244313168 registers.rdi: 90073392 registers.rax: 10169856 registers.r13: 88659152	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (8 events)

suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://193.233.255.73/loghub/master
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://77.91.124.1/theme/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.249/fuza/2.ps1
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.249/fuza/tus.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.249/fuza/foto1661.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.249/fuza/nalo.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.124.1/theme/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.124.1/theme/Plugins/clip64.dll

Performs some HTTP requests (21 events)

request	POST http://193.233.255.73/loghub/master
request	POST http://77.91.124.1/theme/index.php
request	GET http://77.91.68.249/fuza/2.ps1
request	GET http://77.91.68.249/fuza/tus.exe
request	GET http://77.91.68.249/fuza/foto1661.exe
request	GET http://77.91.68.249/fuza/nalo.exe
request	GET http://77.91.124.1/theme/Plugins/cred64.dll
request	GET http://77.91.124.1/theme/Plugins/clip64.dll
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://accounts.google.com/
request	GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
request	GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyzpjHxpq1INlvGNncWH3u8zcoYJ7-v1sB2hwU2EY24lJvyiM2sMyf-U-uZStEXfb2_J_j288Q
request	GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyzOGFzuxGAg2e3DWgR266n9r5qQR7Zrm_rptfo9RAihsFAa9lZDZl4RK6XmLN3Nk2pDoW9bUg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-268318837%3A1698283071925212
request	GET https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
request	GET https://accounts.google.com/_/bscframe
request	GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywvEr1d-fiWqWdBLl2arLIwhz5TAKS5Ub4o4j3ERjjUOyhcbjQnhhGNhoBp7mqC14wej4Mn
request	GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeywLm9zKARhd3TW4v_bKsXTv35Vp7b1sZNUIHBh4-R3fXErE4ApIG4xaQw9ptWyWfEi9FpYQxg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-150941688%3A1698283074308887
request	GET https://accounts.google.com/favicon.ico
request	GET https://accounts.google.com/generate_204?x9IqeA
request	GET https://accounts.google.com/generate_204?KIpSmg
request	GET https://www.google.com/favicon.ico

Sends data using the HTTP POST Method (2 events)

request	POST http://193.233.255.73/loghub/master
request	POST http://77.91.124.1/theme/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1678 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 1020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 1020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2252 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2252 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f02000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73522000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d5b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00592000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c6a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70751000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74741000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bef000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70371000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6df51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6df2e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ddab000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (20 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Oct. 26, 2023, 10:17 a.m.	number_of_free_clusters: 2424934 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 26, 2023, 10:17 a.m.	number_of_free_clusters: 2424934 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 26, 2023, 10:17 a.m.	number_of_free_clusters: 2424571 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 26, 2023, 10:17 a.m.	number_of_free_clusters: 2424571 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 26, 2023, 10:17 a.m.	number_of_free_clusters: 2424221 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 26, 2023, 10:17 a.m.	number_of_free_clusters: 2424221 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 26, 2023, 10:17 a.m.	number_of_free_clusters: 2423744 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 26, 2023, 10:17 a.m.	number_of_free_clusters: 2423744 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 26, 2023, 10:17 a.m.	number_of_free_clusters: 2423556 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 26, 2023, 10:17 a.m.	number_of_free_clusters: 2423556 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 26, 2023, 10:17 a.m.	number_of_free_clusters: 2423041 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 26, 2023, 10:17 a.m.	number_of_free_clusters: 2423041 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 26, 2023, 10:17 a.m.	number_of_free_clusters: 2422677 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 26, 2023, 10:17 a.m.	number_of_free_clusters: 2422677 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 26, 2023, 10:17 a.m.	number_of_free_clusters: 2422326 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 26, 2023, 10:17 a.m.	number_of_free_clusters: 2422326 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 26, 2023, 10:17 a.m.	number_of_free_clusters: 2421481 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 26, 2023, 10:17 a.m.	number_of_free_clusters: 2421481 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 26, 2023, 10:17 a.m.	number_of_free_clusters: 2421049 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 26, 2023, 10:17 a.m.	number_of_free_clusters: 2421049 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

An application raised an exception which may be indicative of an exploit crash (8 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 1696 crashed
Application Crash	Process iexplore.exe with pid 3184 crashed
Application Crash	Process chrome.exe with pid 4048 crashed
__exception__ Oct. 26, 2023, 10:18 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 96334052 registers.edi: 78034308 registers.eax: 96334052 registers.ebp: 96334132 registers.edx: 578 registers.ebx: 96334416 registers.esi: 2147746133 registers.ecx: 77813616	1	0	0
__exception__ Oct. 26, 2023, 10:18 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6950540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x695052ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x695e0ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 56024064 registers.edi: 1974991376 registers.eax: 56024064 registers.ebp: 56024144 registers.edx: 1 registers.ebx: 77792988 registers.esi: 2147746133 registers.ecx: 1762237273	1	0	0
__exception__ Oct. 26, 2023, 10:18 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 100528620 registers.edi: 76547492 registers.eax: 100528620 registers.ebp: 100528700 registers.edx: 514 registers.ebx: 100528984 registers.esi: 2147746133 registers.ecx: 76696696	1	0	0
__exception__ Oct. 26, 2023, 10:18 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x752f8926 RevokeBindStatusCallback+0x446 CreateURLMoniker-0x1418 urlmon+0x1c5f7 @ 0x752fc5f7 GetIDNFlagsForUri+0x1eb2 CreateIUriBuilder-0x8e7 urlmon+0x21ba9 @ 0x75301ba9 GetIDNFlagsForUri+0x19d4 CreateIUriBuilder-0xdc5 urlmon+0x216cb @ 0x753016cb GetIDNFlagsForUri+0x193d CreateIUriBuilder-0xe5c urlmon+0x21634 @ 0x75301634 GetIDNFlagsForUri+0xe85 CreateIUriBuilder-0x1914 urlmon+0x20b7c @ 0x75300b7c GetIDNFlagsForUri+0x12e3 CreateIUriBuilder-0x14b6 urlmon+0x20fda @ 0x75300fda CompareSecurityIds+0x207a GetClassFileOrMime-0x3330 urlmon+0x33246 @ 0x75313246 RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x752fd1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x752fd1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x752fd40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x752f991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x752f8d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6950540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x695052ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x695e0ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 74828824 registers.edi: 1974991376 registers.eax: 74828824 registers.ebp: 74828904 registers.edx: 1 registers.ebx: 5807436 registers.esi: 2147746133 registers.ecx: 1711986762	1	0	0
__exception__ Oct. 26, 2023, 10:18 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 244314056 registers.r15: 55174832 registers.rcx: 1276 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 244313312 registers.rsp: 244313016 registers.r11: 244316928 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1300 registers.r12: 244313672 registers.rbp: 244313168 registers.rdi: 90073392 registers.rax: 10169856 registers.r13: 88659152	1	0	0

Steals private information from local Internet browsers (27 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF4bc48b.TMP
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\cf218ff8-862f-46c5-9d5b-10a695d0a2d9.dmp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6539D10A-FD0.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3

Creates executable files on the filesystem (27 events)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Qu3zm3mb.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\4GZ372Su.exe
file	C:\Users\test22\AppData\Local\Temp\IXP005.TMP\2Et342Hh.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\Fc9PG7Fq.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\rI1Jd4Eu.exe
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\3xs5Gv98.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6PS68mQ.exe
file	C:\Users\test22\AppData\Local\Temp\1000053051\nalo.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Si0fQ9YY.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6ZK14bj.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\cred64.dll
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\5vk20My.exe
file	C:\Users\test22\AppData\Local\Temp\1000051051\tus.exe
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\Bp2UD7lQ.exe
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\1aP71bw7.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\3zm3Dv28.exe
file	C:\Users\test22\AppData\Local\Temp\451D.tmp\451E.tmp\451F.bat
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\Oz2GJ1On.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\4VL270mi.exe
file	C:\Users\test22\AppData\Local\Temp\IXP005.TMP\1eH36Fz5.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\5Jp03OV.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\iW4Ox0uA.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\WF0kq6mf.exe
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\2ui982bJ.exe
file	C:\Users\test22\AppData\Local\Temp\1000050041\2.ps1
file	C:\Users\test22\AppData\Local\Temp\1000052051\foto1661.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\1000050041\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (7 events)

cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\451D.tmp\451E.tmp\451F.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6PS68mQ.exe"
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
cmdline	Powershell.exe -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000050041\2.ps1"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000050041\2.ps1"
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Local\Temp\1000051051\tus.exe
file	C:\Users\test22\AppData\Local\Temp\1000052051\foto1661.exe
file	C:\Users\test22\AppData\Local\Temp\1000053051\nalo.exe

Drops an executable to the user AppData folder (14 events)

file	C:\Users\test22\AppData\Local\Temp\1000053051\nalo.exe
file	C:\Users\test22\AppData\Local\Temp\IXP005.TMP\2Et342Hh.exe
file	C:\Users\test22\AppData\Local\Temp\1000051051\tus.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\5vk20My.exe
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\3xs5Gv98.exe
file	C:\Users\test22\AppData\Local\Temp\IXP005.TMP\1eH36Fz5.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\WF0kq6mf.exe
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\Bp2UD7lQ.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Si0fQ9YY.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\rI1Jd4Eu.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\1000052051\foto1661.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\4VL270mi.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6ZK14bj.exe

A process created a hidden window (9 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Oct. 26, 2023, 10:17 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe	1	1
ShellExecuteExW Oct. 26, 2023, 10:17 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Oct. 26, 2023, 10:17 a.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW Oct. 26, 2023, 10:17 a.m.	show_type: 0 filepath_r: Powershell.exe parameters: -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000050041\2.ps1" filepath: Powershell.exe	1	1
ShellExecuteExW Oct. 26, 2023, 10:17 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000051051\tus.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000051051\tus.exe	1	1
ShellExecuteExW Oct. 26, 2023, 10:17 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000052051\foto1661.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000052051\foto1661.exe	1	1
ShellExecuteExW Oct. 26, 2023, 10:17 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000053051\nalo.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000053051\nalo.exe	1	1
ShellExecuteExW Oct. 26, 2023, 10:18 a.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main filepath: rundll32.exe	1	1
ShellExecuteExW Oct. 26, 2023, 10:17 a.m.	show_type: 0 filepath_r: C:\Windows\sysnative\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\451D.tmp\451E.tmp\451F.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6PS68mQ.exe" filepath: C:\Windows\sysnative\cmd	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x06540000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process explothe.exe (4 events)

Time & API	Arguments	Status	Return
InternetReadFile Oct. 26, 2023, 10:17 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $Î³_b à_b à_b à£áQb à¥áòb à¤áIb à¡á\b à_b¡àÜb à¤áNb à£áJb à¥á b à¥á^b à¢á^b àRich_b àPELj½9eà"ÞÛ @°@ "(PØK·8¨¶@ .textü `.rdataù @@.data¨Ó@ ¶& @À.idataÈ Ü @@.00cfg@î @@.reloc(WPXð @BÌÌÌÌÌéKé é\éÊûééÄ0é8é¬Dééí ééYFéÆêéW¯éÏHéW3é&² é; é,íéÆçéé§Äé<èéY^é½é_·é4éëéÏé"éÄéý¥éVéñé>é¡éyé,éî®éOÁéÎóéGéàéO é·é:Ãé²é1éâ¥éM é;Qé?#éÚéNðéFéÎ³éøésÚ éµéÅé\|áé<=é éçézÀé é<6éT^ éNFéÄ´éªÇéµé×éyéé¡éáfér¼éå'éGêé6éöUéÌé+éeété¸"éeé:ìéé5EéY£éJÿélééÕ5é§éF¼émé,hé×e éhréDµéñÞ é¸ÚéöFékÇé´EéúÌéàYéª·éÀ'éºB éö(éX\é°é{<éx=éÕèéÈéUéSèé© éa¬éYLé¦Yé@3 é¦ éaÅéÒé8ÇéZ5éA5éÌ+éÌéé?éiÊéU éé~é³é9{é\| é3ÀéMéoé.ïéì7éÇ'éÉéB éÛGéBéTÓéâ±éÈéTOé!(é¼Íé0péÚÊé;éjéétéÃªéB éáNél¹ éR¿ é¯JéQ^éÛéÿéâ°ééjé9mé6Éé,RéÒåéòé°é2²éO6 é<ãé éDOéQéEÀéõ'éÌéé¸ éAéêé°ïéÒSéméø\|éºééJéwÌéß^é:!éÕYéÃ é éÜéÏ¶ é¾éNé; éªcéH£é9×ééàåéËoéIxé:épéWNéñAébPéØlé~Òé%3é)é>éh~éq~ éîOéyuéÇéxéWéu2éÔ ééiéEÄéç@ éiàé³ébzé1Úé«éRfézéõîé"wéñé£éP&éÚ\é.Îéì éAé·éòëéÈâééä°éEéiû éý é/Zéªoé+éÓéé\|éÅéHé¯Àééé;éw=é®é é¸}é{éq©é¥}éué· é×¯ééÛGéT?é³éÉÊéFbé¾Ôé£éñéD}é?mézLé9éEéj]é~éw éRÐéj© éXé_öé éDGé?8éêÆébÏéÛéé Áé©é9D éf® éé»Óé>éé«öé¸@é×tééÕãé`Oéê¯éÿ¡éÐééüéé1Äé¬é-³ éè¿éXºéXréHééNéétcé}0é´¬éhIé9é,é¨éW¬é éfÅéÄåé@ét?éÖ éøÙéééß%éß;éðÏéäéàyéôäé# é¢;éwé\®é¢wéÕéÏ éMéãéëéb} éééÅé AéAéÒö éªµéÍÀé#ébÆén éÀéÒZé¨/éqléôé?× é éÀé"]é¹éøéüK é½»é ¶é¡éié8%éCé>ké/éÒéÄéWÅéÀé' é0ÂéöhéÉ/é\|"é[ éKXé`ºé.véìàéNéùñ é)déIÌé]#éóQé@céBéPFéÌéé1éÄécéáét:é!é¶é[é^ é+uéç éßé¡éúGé&^éW éãé é¢béxéÍéÓlé½é?¬éóÈéúÑ é¸+ éäéié#éìéj× é°¦é¦ÜéØÉéhõ éÑ?é6ép+éâtéé"Jéé³é4é!é¹é é é2é,[é\é}éÏénTévéÅéß5éSÀéÊéféïÕéO\|éâ«éÕ éS¼é63évé¸bé$é~ébÑ éBé0Íé^¬é×ß é¥Ö ééz¹é ©é¸é¹¨ éÜ: é+éùxé`éR¥éÚéÆé¥³ér4é^géPÆ éé½+éçàéíÂéoé-éäÅ é>Áé:¶é¬éi?é¡ßé¼é[éFé14éføéÑÄé\ éÁBééùàéBéeÄéCé´ é6é2½éä@é»ÿé)épBéØ;é°ºé8K éÊéÇé é7ééÃ5 éÞéésÀé_é»¨ éØ=éCBéË>éÀ)éW é¬6é¥+édÃéìécépéôæ é5é ½ é éÄéÁéd±é+í éÓÐéñé÷Aé³éméR«éèôéxé6©éÙï é¤éîÍéÖé% é6ùéç8é ¢éáö éé ÆéÒ é request_handle: 0x00cc000c	1	1
InternetReadFile Oct. 26, 2023, 10:17 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $×â%KÔKÔKÔöåNÕKÔöåHÕKÔöåOÕKÔöåJÕKÔJÔ KÔöåCÕKÔöå´ÔKÔöåIÕKÔRichKÔPELâ`bà d`j@ Ð¼¯@Á ¢´ÀöÀT@ .textcd `.dataHh@À.idataR j@@.rsrcÀø\|@@.relocÀ t@B@P@¤@p@¢@È@u j@°i@@o@àÀ012P4ð4BIPJÐJ`KÀK LÀLÐLàOcÀc`g°i j`jàlðn@oppr radvapi32.dllCheckTokenMembership" .INF[]RebootAdvancedINFVersionsetupx.dllsetupapi.dll.BATSeShutdownPrivilegeadvpack.dllDelNodeRunDLL32...wininit.ini%luSoftware\Microsoft\Windows\CurrentVersion\App Paths\Kernel32.dllHeapSetInformationTITLEEXTRACTOPTINSTANCECHECKVERCHECKDecryptFileALICENSE<None>REBOOTSHOWWINDOWADMQCMDUSRQCMDRUNPROGRAMPOSTRUNPROGRAMFINISHMSGLoadString() Error. Could not load string resource.CABINETFILESIZESPACKINSTSPACEUPROMPTIXP%03d.TMPIXPi386mipsalphappcA:\msdownld.tmpTMP4351$.TMPRegServerUPDFILE%luControl Panel\Desktop\ResourceLocaleâ`b%ttâ`b Øâ`bprRSDSºÍã÷æÎÍú1 òïåwextract.pdbGCTL¬.rdata$brc¬.CRT$XCA°.CRT$XCAA´.CRT$XCZ¸.CRT$XIA¼.CRT$XIAAÀ.CRT$XIYÄ.CRT$XIZÈx.gfids@0.rdatap.rdata$sxdatat.rdata$zzzdbg8\.text$mn¸r\.xdata$xà.dataàh.bss .idata$5¢.00cfg¢ .idata$2,£.idata$3@£.idata$4È¥ .idata$6À.rsrc$01Ä .rsrc$02ÿUì3ÀÒtúÿÿÿv¸WÀxQÿuQèÛëÒtÆ]ÂÿUìSVW3ÿ»W÷Òtúÿÿÿvóöx?òÁÒt8t@îuõþÂ÷Þö+Çæ©ÿøó÷ßÿ#øöxQÿu+×QÏènð_Æ^[]ÂÿUìEV3öÀt=ÿÿÿv¾Wöx5S]3öWxÿEPÿuWSÿ\|¢@ÄÀx;Çwuë¾zÆ_[ë ÀtMÆÆ^]ÃÿUìÒt&ESV¾þÿÿ+ÁötÛt ANêuì^[ÒuI÷ÚÆÒâÿøz]ÂÿUì9MrEº+Á;Âw+M ë3À]ÂÿUìì¡@3ÅEüSVW3ÀfÇEøñEôhD@uèØÿx @øÿtjhT@Wÿ @EðÀtP3ÉEìPQQQQQQh j jEôPCÿ$ @ÀtMðôÿuèÿuìjÿ¢@ÿUð;ôt¹Í)ÿuìÿ @Wÿ¬ @MüÃ_^3Í[èATå]ÃÿUìì¡@3ÅEü¡(@SWj3ÛfÇEø_]ô]ð;ÇôMðèÿÿÿÀÓEèPjÿ¡@Pÿ @ÀÉEìPSSWÿuèÿ @Àÿl @øzVÿuìSÿP¡@ðötqEìPÿuìVWÿuèÿ @ÀtTEäPSSSSSSh j WEôPÿ$ @Àt49v'~ÿuäÿ7ÿ, @Àu CÇ;réë3À@£(@Eðÿuäÿ @Vÿ¤ @^ÿuèÿ @EðëEðÀt Ç(@Mü_3Í[èSå]ÃÌÌÌÌÌÌÌÿUìì¡@3ÅEüEVu-t!èuUÃ÷ÿÿùw RVÿà¡@ëP3ÀëOÿÌ¡@ÐÎè)hüýÿÿÆüýÿÿPÿuÿ5<@ÿè¡@üýÿÿPh?VÿÔ¡@jÿÿÜ¡@3À@Mü3Í^èbRå]ÂÿUìQSÁÚVWEü3ÿ0ë>tFf¾ËèÔKÀuëEüf¾0ë3Àë#<7tGf¾7Ëè®KÀté78tÆ@_^[å]ÃÿUìì¡@3ÅEüEºSVÙèùÿÿEôýÿÿWSìùÿÿè[ûÿÿ½ôýÿÿ"u ºl@õýÿÿëºp@ôýÿÿðùÿÿðùÿÿè-ÿÿÿµðùÿÿøöt<ÎQAÀuù+Êùr)F<:u~\t >\u<\uVºøþÿÿèãúÿÿë(Qhä@QºøþÿÿèËûÿÿVºøþÿÿèÃIj.ZÎè÷JÀjÿht@jÿPjjÿh @Hè\|øþÿÿPÿ request_handle: 0x00cc000c	1	1
InternetReadFile Oct. 26, 2023, 10:17 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $Î³_b à_b à_b à£áQb à¥áòb à¤áIb à¡á\b à_b¡àÜb à¤áNb à£áJb à¥á b à¥á^b à¢á^b àRich_b àPEL¾9eà"¼Û @@ ò( ØK·8¨¶@ð .textì `.rdataù @@.data¨¯@ & @À.idataÈð¸@@.00cfgÊ@@.relocY ZÌ@BÌÌÌÌÌé;éé\éºûéé´0é(éDéôéÝ é}éIFé¶êéG¯é¿HéG3é² éü: éíé¶çééÄé,èéI^éð¼éO·é$éÛé Ïéð!é´éí¥éFéñé>ééòxééÞ®é?ÁéÎóé7éàéO é§éÃév²é!éÒ¥éM é+Qé/#éÚé>ðépFé¾³éèécÚ éñ´érÅéláé,=éô é×éjÀéé,6éD^ é>Fé´´éÇé¥éÇéiéééÑféb¼éå'é7êéx6éöUétÌé+é{eédé¨"é\|eéìéé%EéI£é:ÿé\ézéÅ5éo§é6¼éøléhéÇe éXré4µéáÞ é¨ÚéæFé[Çé¤EéêÌéÐYé·éÀ'éªB éö(éH\é ék<éh=éÅèé ÈéUéCèé éQ¬éILéYé03 é éQÅéÒé(ÇéJ5é15é¼+éðËé é?éYÊéU éÙ~é£é){él é#Àé=éoéïéì7éÇ'ézÉé2 éËGéBéDÓéÒ±éÈéDOé(é¬Íé péÊÊé+éjéété³ªé2 éÑNé\¹ éB¿ éJéA^éËéÿéÒ°ééZé)mé&Éé,RéÂåéòé°é"²é?6 é,ãéó é4OéAé5Àéõ'érÌéé¸ éò@éÚé ïéÒSé]éè\|éªéé:égÌéÏ^é!éÅYéóÂ é éyÜé¿¶ é®é÷Mé+ écé8£é)×éuéÐåé»oé9xé:é÷oéGNéáAéRPéÈlénÒé3é)és>éX~éa~ éîOéiuéÇéxéGée2éÄ ééié5Äé×@ éYàé£éRzé!Úé«éBfépzéåîéwéáéw£é@&éÊ\éÎéì éAé·éâëé¸âééÔ°éþDéYû éý éZéoééÃé é\|éÅéHéÀééé;ég=é®é é¨}é}{éa©é}éeép· éÇ¯ééËGéD?éð²é¹Êé6bé®Ôééáé4}é/mézLé~9éEéZ]év~ég éBÐéZ© éXéOöé é4Gé/8éÚÆéRÏé÷ÚééùÀé©é)D éV® éé«Óé.ééöé¨@éÇtéwéÅãéPOéÚ¯éï¡éÐééüéó é!Äéé³ éØ¿éHºéHré8ééNéédcém0é¤¬éXIéø8éév¨éG¬é éVÅé´åéð?éd?éðÕ éèÙéééÏ%éÏ;éàÏéÔéÐyéääé é;éóvéL®éwéÅé¿ é=éõâéÛéR} éééÅé AéxAéÂö éµé½Àé#éRÆé^ é°éÂZé/éaléôé/× éýé Àé]és¹éèéìK é»é¶ééYé8%éCé.kéñ.étÒé´éGÅéÀé é Âéæhé¹/é\|"éK é;XéPºévéÜàéNééñ édé9ÌéM#éãQé0cé2é@Fé¼éé1é´éSéáéd:é!é¦éKéN éuéç éöÞé¡éêGé^éG éÓé ébéhésÍéÃlé½é/¬éãÈéêÑ é¨+ éðãéié#éìéZ× é ¦éÜéÈÉéXõ éÁ?é6é`+éÒtééJézé}³é$é!éû¸é éq é"é[éLé}é¿é^TéòuéÅéß5éCÀéÊéVéßÕé?\|éÒ«éÕ éC¼é&3évvé¨bé$éþ}éRÑ é2é ÍéN¬éÇß éÖ ééj¹éù¨é ¸é©¨ éÌ: éééxéPéB¥éòÙéüÅé³éb4éNgé@Æ ésé+é×àéÝÂéwoé-éÔÅ é.Áé*¶é¬éY?éßé¬éûZé6é!4éVøéÁÄéL é±Béééàé2éUÄéCé¤ éü5é"½éÔ@é«ÿéx)épBéÈ;é ºé(K éºéÇé é'éqé³5 éÞéécÀé_é«¨ éÈ=é3BéË>é°)éG é6é+éTÃéÜéSé`éäæ é%éú¼ é é´é±éT±éí éÃÐéñéçAé£épméB«éèôéhé&©éÉï éz¤éÞÍéÆé é&ùé×8é¢éÑö éxéÆéõÑ éq request_handle: 0x00cc000c	1	1
InternetReadFile Oct. 26, 2023, 10:18 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $,CyáCyáCyáâ~Iyáä~Ëyáå~Qyáå~Lyáâ~Ryáä~byáà~FyáCyàyáØè~@yáØá~ByáØByáØã~ByáRichCyáPEL ïeà!Þ>ð°@ J<K<øT ?p?@ð,.textVÝÞ `.rdataîaðbâ@@.dataD`D@À.rsrcøP@@.relocTR@Bj h¨<¹phè?#hêèYÃÌÌÌj8hÌ<¹hè#h`êèlYÃÌÌÌj8hÌ<¹ hèÿ"hÀêèLYÃÌÌÌj8hÌ<¹¸hèß"h ëè,YÃÌÌÌj8h=¹Ðhè¿"hëè*YÃÌÌÌj0hD=¹èhè"hàëèì)YÃÌÌÌj0hx=¹iè"h@ìèÌ)YÃÌÌÌhh°=¹iè\"h ìè©)YÃj?h>¹0iè?"híè)YÃÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPèÂ2ÄÆ^]ÂÌÌÌI¸\|<ÉEÁÃÌÌUìVñFÇñPèó2ÄöEtjVè«%ÄÆ^]ÂAÇñPèÉ2YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇA<ÇìñÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿhJEôPè2ÌÌÌÌUìVñWÀFPÇñfÖEÀPèò1ÄÇìñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPè²1ÄÇ ñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìQSZVWQSñè=h3É3À}üÛ~53Ò;ÇþEÐ=h¸phCph~r>A}üB;Ë\|Ë~r_ÆÆ^[å]Ã_ÆÆ^[å]ÃÌÌÌÌÌUììSVWòùQ}ôFPEðè3Û]ø9]ð)D~Ær¾Pè¯KÄÀu-NÆùr< tÆùrÏréÌ~Ær=@i3Ò Diÿt+EÿfD]ÿù¸0iC0i8]øtB;×ráÊÿEÈxr3Àÿt.MÿD=Di¹0i]ÿC 0i8]øt@;ÇrÝÈÿ=Di¹0iC 0iMìMôMøyr MøÏ+È 3Ò÷÷Mì}ô MøC]ø;]ðÜþÿÿrÆÇ_^[å]ÃÆÇ_^[å]ÃÌÌÌÌÌÌÌÌÌÌUìì@SVWÙòQMÄ]ôèçýÿÿEÄÖPMÜèYþÿÿhÇCÇCÆè°"Ø¹Èÿ]øûÄó«3Ò¾8>Bú@\|ðUì3ö3Û~øÒtAMø}ðEÜCEÜ¾øÿt'ÁæðÇxÏÆÓøMôPèUìïMøC;ÚrÂEøÀthPèð!ÄUðúr(MÜBÁúrIüÂ#+ÁÀüøwVRQèÀ!ÄUØÇEìÇEðÆEÜúr(MÄBÁúrIüÂ#+ÁÀüøwRQè~!ÄEô_^[å]ÃèGÌÌÌÌÌÌÌÌÌÌÌUìì4E0SVW3ÿÆEè¾À]ÇEàÇEäÆEÐ;Ç´+ÇMÐ;ÃBØ}4E CE SÇPèþr.MèVÁúrIüÂ#+ÁÀüøhRQè× ÄMÐ}Uó~EàEèCU}äuà]f~ÉMèCÁfÖEø;óu\îr; uÀÂîsïþüî: u7þýßH:Ju&þþÎH:Juþÿ½@:B±E0Guü;øõþÿÿ3ÿUþr/MèFÁþrIüÆ#+ÁÀüøVQè UÄEør'HÂùrRüÁ#+ÂÀüøw`QRèÏÄU4ÇEÇEÆEúr3M BÁúrIüÂ#+ÁÀüøwë uüGéWÿÿÿRQèÄÇ_^[å]Ãè Eè«ÌÌÌÌÌÌÌÌÌÌÌUìQS]Vñ]üWjhÀ>ÇFÇFÆèD3ÿÛ~1}ECE8S¿C ú¶È¶ÃGÈ¶ÁÎPèG;}ü\|ÏUúr(MBÁúrIüÂ#+ÁÀüøwRQèÑÄ_Æ^[å]ÃèïDÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì0VWj$hÄ>MÐÇEàÇEäÆEÐèEÀu3öéÇ3ÿÀ¸ÇEøÇEüÆEè;ÇF+Ç¹;ÁBÈ}ECEQÇMèPèBìEÐÌPètìEèôìÌPèaÎèªþÿÿÄè¢üÿÿUüÄ0Àúr,MèBÁúrIüÂ#+ÁÀüø¹RQèÇÄEG;øHÿÿÿ¾Uäúr(MÐBÁúrIüÂ#+ÁÀüøwxRQèÄUúr^MBÁúrFIüÂ#+ÁÀüøwHë4úr(MèBÁúrIüÂ#+ÁÀüøw#RQè1Ä3öétÿÿÿRQè Ä_Æ^å]Ãè?CèJÌÌÌÌÌÌÌÌÌÌUìQEUMVÀS@WPè] ÄM}ØÓCM+ÑID ÿÀuóóNFÀuù+ñFVjÿðVøSWÿðPèÇ5ÄWÿðjÿñÿñWjÿñÿ ñUM_[^úr%BÁúrIüÂ#+ÁÀüøwRQèAÄå]ÃèdBÌÌÌÌUìì$SVWùjÇGÇGÆÿñÀj ÿ$ñØ]üÛlSÿðEôÀSjjjjjÿPjhéýÿððuøö.WN;ÊwOÇrÆëFGÙ+Ú+Â;Øw%ÇOrS4jVèE,ÆÄuøëQSÆEøÏÿuøSè¨]üÇrjjVPjÿÿuô request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0016f000', u'virtual_address': u'0x0000c000', u'entropy': 7.976535524920646, u'name': u'.rsrc', u'virtual_size': u'0x0016f000'}

entropy

7.97653552492

description

A section with a high entropy has been found

entropy

0.978340553149

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 26, 2023, 10:17 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 26, 2023, 10:17 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 26, 2023, 10:17 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (50 out of 68 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	RedLine stealer	rule	RedLine_Stealer_m_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored

Queries for potentially installed applications (50 out of 102 events)

Time & API	Arguments	Status
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: 7-Zip base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: AddressBook base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: Adobe AIR base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: Connection Manager base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: DirectDrawEx base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: EditPlus base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: Fontcore base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: Google Chrome base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: IE40 base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: IE4Data base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: IE5BAKEX base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: IEData base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: MobileOptionPack base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: Office15.PROPLUSR base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: SchedulingAgent base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: WIC base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW Oct. 26, 2023, 10:17 a.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x00000404 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Terminates another process (4 events)

Time & API	Arguments	Status
NtTerminateProcess Oct. 26, 2023, 10:17 a.m.	status_code: 0xffffffff process_identifier: 3244 process_handle: 0x000002c0
NtTerminateProcess Oct. 26, 2023, 10:17 a.m.	status_code: 0xffffffff process_identifier: 3244 process_handle: 0x000002c0	1
NtTerminateProcess Oct. 26, 2023, 10:17 a.m.	status_code: 0xffffffff process_identifier: 3328 process_handle: 0x000002c0
NtTerminateProcess Oct. 26, 2023, 10:17 a.m.	status_code: 0xffffffff process_identifier: 3328 process_handle: 0x000002c0	1

Uses Windows utilities for basic Windows functionality (8 events)

cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\451D.tmp\451E.tmp\451F.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6PS68mQ.exe"
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://accounts.google.com/
cmdline	C:\Windows\sysnative\cmd /c "C:\Users\test22\AppData\Local\Temp\451D.tmp\451E.tmp\451F.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6PS68mQ.exe"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1696 CREDAT:145409
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3184 CREDAT:145409
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (5 events)

host	117.18.232.200
host	193.233.255.73
host	77.91.124.1
host	77.91.124.86
host	77.91.68.249

Allocates execute permission to another process indicative of possible code injection (5 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2448 region_size: 212992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000011c	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2320 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000011c	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 3368 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000011c	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 3172 region_size: 212992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000011c	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 3168 region_size: 212992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000011c	1

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (15 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP003.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP004.TMP\"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\tus.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000051051\tus.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\foto1661.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000052051\foto1661.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\nalo.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000053051\nalo.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP003.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP004.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP005.TMP\"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

Detects Avast Antivirus through the presence of a library (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetDllHandle Oct. 26, 2023, 10:17 a.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0
LdrGetDllHandle Oct. 26, 2023, 10:17 a.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Potential code injection by writing to the memory of another process (17 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPEL6&8eà$2ºAP@@@L«(ðàü0Ð @P.text02 `.rdataxaPb6@@.data(#À@À.rsrcàð¦@@.relocü02¨@B base_address: 0x00400000 process_identifier: 2448 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ ÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þjB@ÆB@ÆB@ÆB@ÆB@ÆBHÆBmBnBÈdBÅB`ÀBCÆB×B×B×B×B×B×B×B×B×BÆB×B×B×B×B×B×B×B..þÿÿÿ þÿÿÿu_«âB!\ìÀbRqËò¹Ëa³ã¦^ÛÑ¸ÆíÈ¡ø={-ÄW@ÔøÍC"¿¦Æú¡#÷8¶{$fWñòXéÁvxw4ûK"-eøÀA&(rÙkøæth1î%Clë»Á¼ÈLt²Ñ9=#ÀÑA¬Ü'²Ñ¶M¬Ú¸ªM4ß¾5¸F}ãùWEðÛc°âhÊ¡r²'lc<©îçQìLLÔË>` Qï«ÃÈ®U6º'øÆ <¬«Ñß¼rXnoI&}yÜÝâ-(î"±T F1@ßb±ügPô¹èp7Ïqþóu±»DÿàÈjùï&gSù¼5§àÍDðÙfGª61:ÃÄ®Ù#1IÖÄÙÞ~mþmææl;µ$Xú6×ñ-¥éÔßZ=l;µó%õïÙ bA§6ØÃº¹ýÍõ.BÙGGâ,ñçØä@gçkÙù-ÿÜ¿úSëc°îÎ<)IVu·\~ÇZ_æ«4ìá§F²/Whò=° Âx,wU=QULàgù7©ïìfÖOªçø$)0_C]÷ºg£2?¤îr©mxÈwå®;VÑ¨5½>#Ý9§Ä\|81µ#íS7D<ÎÝ©¾zpÓhDaC¡ÆWØn'`<¡Ê×5E3 ÄÓá@ÑãýüdédZ¾Ü²ÛÈø§×S¸%-ç32ÉÝ è = É«cúùÆðú@R(\|,0kFÀhõOBC0/µKau²£ÒÒöý!r,÷väµKÆ&1íP!í6EÝ õ±{Káü¬ ³Xñ¼ÉqÜ¯Þ,çàäQ3Ô;:&ÓE»¨ gk¡h¡\Ï_G!·e7:áÚÆA¥rX£a+Õ'Ð¸Eìû-4^ú°ªM_ÚlóëÅ¨Oãá õ[ÕSÍyÕ>§òæâ~<W\|ÛùEH#yº'&ðT´Dp\|B.?AVbad_exception@std@@\|B.?AVexception@std@@\|B.?AVtype_info@@ base_address: 0x0042c000 process_identifier: 2448 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: 0 H`ð}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042f000 process_identifier: 2448 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2448 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELî¯¦éà0È¬®ç @ à@TçWN©À H.text´Ç È `.rsrcN©ªÊ@@.relocÀt@B base_address: 0x00400000 process_identifier: 2320 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: à°7 base_address: 0x0043c000 process_identifier: 2320 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2320 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: MZÿÿ@@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL²dàHvD2@õ.textytv à base_address: 0x00400000 process_identifier: 3368 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3368 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPEL6&8eà$2ºAP@@@L«(ðàü0Ð @P.text02 `.rdataxaPb6@@.data(#À@À.rsrcàð¦@@.relocü02¨@B base_address: 0x00400000 process_identifier: 3172 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ ÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þjB@ÆB@ÆB@ÆB@ÆB@ÆBHÆBmBnBÈdBÅB`ÀBCÆB×B×B×B×B×B×B×B×B×BÆB×B×B×B×B×B×B×B..þÿÿÿ þÿÿÿu_«âB!\ìÀbRqËò¹Ëa³ã¦^ÛÑ¸ÆíÈ¡ø={-ÄW@ÔøÍC"¿¦Æú¡#÷8¶{$fWñòXéÁvxw4ûK"-eøÀA&(rÙkøæth1î%Clë»Á¼ÈLt²Ñ9=#ÀÑA¬Ü'²Ñ¶M¬Ú¸ªM4ß¾5¸F}ãùWEðÛc°âhÊ¡r²'lc<©îçQìLLÔË>` Qï«ÃÈ®U6º'øÆ <¬«Ñß¼rXnoI&}yÜÝâ-(î"±T F1@ßb±ügPô¹èp7Ïqþóu±»DÿàÈjùï&gSù¼5§àÍDðÙfGª61:ÃÄ®Ù#1IÖÄÙÞ~mþmææl;µ$Xú6×ñ-¥éÔßZ=l;µó%õïÙ bA§6ØÃº¹ýÍõ.BÙGGâ,ñçØä@gçkÙù-ÿÜ¿úSëc°îÎ<)IVu·\~ÇZ_æ«4ìá§F²/Whò=° Âx,wU=QULàgù7©ïìfÖOªçø$)0_C]÷ºg£2?¤îr©mxÈwå®;VÑ¨5½>#Ý9§Ä\|81µ#íS7D<ÎÝ©¾zpÓhDaC¡ÆWØn'`<¡Ê×5E3 ÄÓá@ÑãýüdédZ¾Ü²ÛÈø§×S¸%-ç32ÉÝ è = É«cúùÆðú@R(\|,0kFÀhõOBC0/µKau²£ÒÒöý!r,÷väµKÆ&1íP!í6EÝ õ±{Káü¬ ³Xñ¼ÉqÜ¯Þ,çàäQ3Ô;:&ÓE»¨ gk¡h¡\Ï_G!·e7:áÚÆA¥rX£a+Õ'Ð¸Eìû-4^ú°ªM_ÚlóëÅ¨Oãá õ[ÕSÍyÕ>§òæâ~<W\|ÛùEH#yº'&ðT´Dp\|B.?AVbad_exception@std@@\|B.?AVexception@std@@\|B.?AVtype_info@@ base_address: 0x0042c000 process_identifier: 3172 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: 0 H`ð}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042f000 process_identifier: 3172 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3172 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPEL6&8eà$2ºAP@@@L«(ðàü0Ð @P.text02 `.rdataxaPb6@@.data(#À@À.rsrcàð¦@@.relocü02¨@B base_address: 0x00400000 process_identifier: 3168 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ ÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þjB@ÆB@ÆB@ÆB@ÆB@ÆBHÆBmBnBÈdBÅB`ÀBCÆB×B×B×B×B×B×B×B×B×BÆB×B×B×B×B×B×B×B..þÿÿÿ þÿÿÿu_«âB!\ìÀbRqËò¹Ëa³ã¦^ÛÑ¸ÆíÈ¡ø={-ÄW@ÔøÍC"¿¦Æú¡#÷8¶{$fWñòXéÁvxw4ûK"-eøÀA&(rÙkøæth1î%Clë»Á¼ÈLt²Ñ9=#ÀÑA¬Ü'²Ñ¶M¬Ú¸ªM4ß¾5¸F}ãùWEðÛc°âhÊ¡r²'lc<©îçQìLLÔË>` Qï«ÃÈ®U6º'øÆ <¬«Ñß¼rXnoI&}yÜÝâ-(î"±T F1@ßb±ügPô¹èp7Ïqþóu±»DÿàÈjùï&gSù¼5§àÍDðÙfGª61:ÃÄ®Ù#1IÖÄÙÞ~mþmææl;µ$Xú6×ñ-¥éÔßZ=l;µó%õïÙ bA§6ØÃº¹ýÍõ.BÙGGâ,ñçØä@gçkÙù-ÿÜ¿úSëc°îÎ<)IVu·\~ÇZ_æ«4ìá§F²/Whò=° Âx,wU=QULàgù7©ïìfÖOªçø$)0_C]÷ºg£2?¤îr©mxÈwå®;VÑ¨5½>#Ý9§Ä\|81µ#íS7D<ÎÝ©¾zpÓhDaC¡ÆWØn'`<¡Ê×5E3 ÄÓá@ÑãýüdédZ¾Ü²ÛÈø§×S¸%-ç32ÉÝ è = É«cúùÆðú@R(\|,0kFÀhõOBC0/µKau²£ÒÒöý!r,÷väµKÆ&1íP!í6EÝ õ±{Káü¬ ³Xñ¼ÉqÜ¯Þ,çàäQ3Ô;:&ÓE»¨ gk¡h¡\Ï_G!·e7:áÚÆA¥rX£a+Õ'Ð¸Eìû-4^ú°ªM_ÚlóëÅ¨Oãá õ[ÕSÍyÕ>§òæâ~<W\|ÛùEH#yº'&ðT´Dp\|B.?AVbad_exception@std@@\|B.?AVexception@std@@\|B.?AVtype_info@@ base_address: 0x0042c000 process_identifier: 3168 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: 0 H`ð}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042f000 process_identifier: 3168 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3168 process_handle: 0x0000011c	1	1

Code injection by writing an executable or DLL to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPEL6&8eà$2ºAP@@@L«(ðàü0Ð @P.text02 `.rdataxaPb6@@.data(#À@À.rsrcàð¦@@.relocü02¨@B base_address: 0x00400000 process_identifier: 2448 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELî¯¦éà0È¬®ç @ à@TçWN©À H.text´Ç È `.rsrcN©ªÊ@@.relocÀt@B base_address: 0x00400000 process_identifier: 2320 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: MZÿÿ@@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL²dàHvD2@õ.textytv à base_address: 0x00400000 process_identifier: 3368 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPEL6&8eà$2ºAP@@@L«(ðàü0Ð @P.text02 `.rdataxaPb6@@.data(#À@À.rsrcàð¦@@.relocü02¨@B base_address: 0x00400000 process_identifier: 3172 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPEL6&8eà$2ºAP@@@L«(ðàü0Ð @P.text02 `.rdataxaPb6@@.data(#À@À.rsrcàð¦@@.relocü02¨@B base_address: 0x00400000 process_identifier: 3168 process_handle: 0x0000011c	1	1

Collects information about installed applications (50 out of 76 events)

Time & API	Arguments	Status
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x00000414 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x00000414 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x00000414 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x00000414 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x00000414 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x00000414 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x00000414 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x00000414 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x00000414 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x00000414 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x00000414 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Oct. 26, 2023, 10:17 a.m.	key_handle: 0x00000414 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (3 events)

process	AppLaunch.exe	useragent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
process	explothe.exe	useragent
process	iexplore.exe	useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (10 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2348 called NtSetContextThread to modify thread in remote process 2448
Process injection	Process 2172 called NtSetContextThread to modify thread in remote process 2320
Process injection	Process 2056 called NtSetContextThread to modify thread in remote process 3368
Process injection	Process 3928 called NtSetContextThread to modify thread in remote process 3172
Process injection	Process 3984 called NtSetContextThread to modify thread in remote process 3168
NtSetContextThread Oct. 26, 2023, 10:17 a.m.	registers.eip: 2005598660 registers.esp: 4126780 registers.edi: 0 registers.eax: 4198977 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000118 process_identifier: 2448	1	0	0
NtSetContextThread Oct. 26, 2023, 10:17 a.m.	registers.eip: 2005598660 registers.esp: 3733952 registers.edi: 0 registers.eax: 4384686 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000118 process_identifier: 2320	1	0	0
NtSetContextThread Oct. 26, 2023, 10:17 a.m.	registers.eip: 2005598660 registers.esp: 3275888 registers.edi: 0 registers.eax: 4207172 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000118 process_identifier: 3368	1	0	0
NtSetContextThread Oct. 26, 2023, 10:17 a.m.	registers.eip: 2005598660 registers.esp: 3931308 registers.edi: 0 registers.eax: 4198977 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000118 process_identifier: 3172	1	0	0
NtSetContextThread Oct. 26, 2023, 10:17 a.m.	registers.eip: 2005598660 registers.esp: 3930800 registers.edi: 0 registers.eax: 4198977 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000118 process_identifier: 3168	1	0	0

One or more non-whitelisted processes were created (7 events)

parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef2cd6e00,0x7fef2cd6e10,0x7fef2cd6e20
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef2cd6e00,0x7fef2cd6e10,0x7fef2cd6e20
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1168,16183496853904138645,9720597582476504408,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1176 /prefetch:2
parent_process	powershell.exe	martian_process	iexplore https://accounts.google.com/
parent_process	powershell.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com/
parent_process	powershell.exe	martian_process	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://accounts.google.com/
parent_process	powershell.exe	martian_process	Chrome https://accounts.google.com/

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (26 events)

Time & API	Arguments	Status	Return
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Oct. 26, 2023, 10:17 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1

Resumed a suspended thread in a remote process potentially indicative of process injection (37 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2348 resumed a thread in remote process 2448
Process injection	Process 2172 resumed a thread in remote process 2320
Process injection	Process 2552 resumed a thread in remote process 1228
Process injection	Process 1696 resumed a thread in remote process 2640
Process injection	Process 2056 resumed a thread in remote process 3368
Process injection	Process 3184 resumed a thread in remote process 3376
Process injection	Process 3928 resumed a thread in remote process 3172
Process injection	Process 3984 resumed a thread in remote process 3168
Process injection	Process 2976 resumed a thread in remote process 4048
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 2448	1	0	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 2320	1	0	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 1228	1	0	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x00000390 suspend_count: 1 process_identifier: 2640	1	0	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 3368	1	0	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x0000035c suspend_count: 1 process_identifier: 3376	1	0	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 3172	1	0	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 3168	1	0	0
NtResumeThread Oct. 26, 2023, 10:18 a.m.	thread_handle: 0x000000000000018c suspend_count: 2 process_identifier: 4048	1	0	0
NtResumeThread Oct. 26, 2023, 10:18 a.m.	thread_handle: 0x000000000000018c suspend_count: 2 process_identifier: 4048	1	0	0
NtResumeThread Oct. 26, 2023, 10:18 a.m.	thread_handle: 0x000000000000018c suspend_count: 2 process_identifier: 4048	1	0	0
NtResumeThread Oct. 26, 2023, 10:18 a.m.	thread_handle: 0x000000000000018c suspend_count: 2 process_identifier: 4048	1	0	0
NtResumeThread Oct. 26, 2023, 10:18 a.m.	thread_handle: 0x000000000000018c suspend_count: 2 process_identifier: 4048	1	0	0
NtResumeThread Oct. 26, 2023, 10:18 a.m.	thread_handle: 0x000000000000018c suspend_count: 2 process_identifier: 4048	1	0	0
NtResumeThread Oct. 26, 2023, 10:18 a.m.	thread_handle: 0x000000000000018c suspend_count: 2 process_identifier: 4048	1	0	0
NtResumeThread Oct. 26, 2023, 10:18 a.m.	thread_handle: 0x000000000000018c suspend_count: 2 process_identifier: 4048	1	0	0
NtResumeThread Oct. 26, 2023, 10:18 a.m.	thread_handle: 0x000000000000018c suspend_count: 2 process_identifier: 4048	1	0	0
NtResumeThread Oct. 26, 2023, 10:18 a.m.	thread_handle: 0x000000000000018c suspend_count: 2 process_identifier: 4048	1	0	0
NtResumeThread Oct. 26, 2023, 10:18 a.m.	thread_handle: 0x000000000000018c suspend_count: 2 process_identifier: 4048	1	0	0
NtResumeThread Oct. 26, 2023, 10:18 a.m.	thread_handle: 0x000000000000018c suspend_count: 2 process_identifier: 4048	1	0	0
NtResumeThread Oct. 26, 2023, 10:18 a.m.	thread_handle: 0x000000000000018c suspend_count: 2 process_identifier: 4048	1	0	0
NtResumeThread Oct. 26, 2023, 10:18 a.m.	thread_handle: 0x000000000000018c suspend_count: 2 process_identifier: 4048	1	0	0
NtResumeThread Oct. 26, 2023, 10:18 a.m.	thread_handle: 0x000000000000018c suspend_count: 2 process_identifier: 4048	1	0	0
NtResumeThread Oct. 26, 2023, 10:18 a.m.	thread_handle: 0x000000000000018c suspend_count: 2 process_identifier: 4048	1	0	0
NtResumeThread Oct. 26, 2023, 10:18 a.m.	thread_handle: 0x000000000000018c suspend_count: 2 process_identifier: 4048	1	0	0
NtResumeThread Oct. 26, 2023, 10:18 a.m.	thread_handle: 0x000000000000018c suspend_count: 2 process_identifier: 4048	1	0	0
NtResumeThread Oct. 26, 2023, 10:18 a.m.	thread_handle: 0x000000000000018c suspend_count: 2 process_identifier: 4048	1	0	0
NtResumeThread Oct. 26, 2023, 10:18 a.m.	thread_handle: 0x000000000000018c suspend_count: 2 process_identifier: 4048	1	0	0

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	CACLS "..\fefffe8cea" /P "test22:R" /E
cmdline	cmd /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit
cmdline	CACLS "explothe.exe" /P "test22:N"
cmdline	CACLS "..\fefffe8cea" /P "test22:N"
cmdline	CACLS "explothe.exe" /P "test22:R" /E
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit

Executed a process and injected code into it, probably while unpacking (50 out of 217 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 26, 2023, 10:17 a.m.	thread_identifier: 2116 thread_handle: 0x0000001c process_identifier: 2112 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Qu3zm3mb.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW Oct. 26, 2023, 10:17 a.m.	thread_identifier: 2452 thread_handle: 0x00000128 process_identifier: 2552 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6PS68mQ.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Oct. 26, 2023, 10:17 a.m.	thread_identifier: 2192 thread_handle: 0x0000001c process_identifier: 2188 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\Fc9PG7Fq.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW Oct. 26, 2023, 10:17 a.m.	thread_identifier: 2476 thread_handle: 0x00000128 process_identifier: 2468 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\5Jp03OV.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Oct. 26, 2023, 10:17 a.m.	thread_identifier: 2256 thread_handle: 0x0000001c process_identifier: 2252 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP002.TMP\iW4Ox0uA.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW Oct. 26, 2023, 10:17 a.m.	thread_identifier: 2168 thread_handle: 0x00000128 process_identifier: 2172 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP002.TMP\4GZ372Su.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Oct. 26, 2023, 10:17 a.m.	thread_identifier: 2308 thread_handle: 0x0000001c process_identifier: 2304 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP003.TMP\Oz2GJ1On.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW Oct. 26, 2023, 10:17 a.m.	thread_identifier: 2088 thread_handle: 0x00000128 process_identifier: 2096 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP003.TMP\3zm3Dv28.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Oct. 26, 2023, 10:17 a.m.	thread_identifier: 2352 thread_handle: 0x0000001c process_identifier: 2348 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP004.TMP\1aP71bw7.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW Oct. 26, 2023, 10:17 a.m.	thread_identifier: 2516 thread_handle: 0x00000128 process_identifier: 2512 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP004.TMP\2ui982bJ.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Oct. 26, 2023, 10:17 a.m.	thread_identifier: 2452 thread_handle: 0x00000118 process_identifier: 2448 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000011c	1	1
NtGetContextThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x00000118	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2448 region_size: 212992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000011c	1	0
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPEL6&8eà$2ºAP@@@L«(ðàü0Ð @P.text02 `.rdataxaPb6@@.data(#À@À.rsrcàð¦@@.relocü02¨@B base_address: 0x00400000 process_identifier: 2448 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: base_address: 0x00401000 process_identifier: 2448 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: base_address: 0x00425000 process_identifier: 2448 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ ÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þjB@ÆB@ÆB@ÆB@ÆB@ÆBHÆBmBnBÈdBÅB`ÀBCÆB×B×B×B×B×B×B×B×B×BÆB×B×B×B×B×B×B×B..þÿÿÿ þÿÿÿu_«âB!\ìÀbRqËò¹Ëa³ã¦^ÛÑ¸ÆíÈ¡ø={-ÄW@ÔøÍC"¿¦Æú¡#÷8¶{$fWñòXéÁvxw4ûK"-eøÀA&(rÙkøæth1î%Clë»Á¼ÈLt²Ñ9=#ÀÑA¬Ü'²Ñ¶M¬Ú¸ªM4ß¾5¸F}ãùWEðÛc°âhÊ¡r²'lc<©îçQìLLÔË>` Qï«ÃÈ®U6º'øÆ <¬«Ñß¼rXnoI&}yÜÝâ-(î"±T F1@ßb±ügPô¹èp7Ïqþóu±»DÿàÈjùï&gSù¼5§àÍDðÙfGª61:ÃÄ®Ù#1IÖÄÙÞ~mþmææl;µ$Xú6×ñ-¥éÔßZ=l;µó%õïÙ bA§6ØÃº¹ýÍõ.BÙGGâ,ñçØä@gçkÙù-ÿÜ¿úSëc°îÎ<)IVu·\~ÇZ_æ«4ìá§F²/Whò=° Âx,wU=QULàgù7©ïìfÖOªçø$)0_C]÷ºg£2?¤îr©mxÈwå®;VÑ¨5½>#Ý9§Ä\|81µ#íS7D<ÎÝ©¾zpÓhDaC¡ÆWØn'`<¡Ê×5E3 ÄÓá@ÑãýüdédZ¾Ü²ÛÈø§×S¸%-ç32ÉÝ è = É«cúùÆðú@R(\|,0kFÀhõOBC0/µKau²£ÒÒöý!r,÷väµKÆ&1íP!í6EÝ õ±{Káü¬ ³Xñ¼ÉqÜ¯Þ,çàäQ3Ô;:&ÓE»¨ gk¡h¡\Ï_G!·e7:áÚÆA¥rX£a+Õ'Ð¸Eìû-4^ú°ªM_ÚlóëÅ¨Oãá õ[ÕSÍyÕ>§òæâ~<W\|ÛùEH#yº'&ðT´Dp\|B.?AVbad_exception@std@@\|B.?AVexception@std@@\|B.?AVtype_info@@ base_address: 0x0042c000 process_identifier: 2448 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: 0 H`ð}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042f000 process_identifier: 2448 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: base_address: 0x00430000 process_identifier: 2448 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2448 process_handle: 0x0000011c	1	1
NtSetContextThread Oct. 26, 2023, 10:17 a.m.	registers.eip: 2005598660 registers.esp: 4126780 registers.edi: 0 registers.eax: 4198977 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000118 process_identifier: 2448	1	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 2448	1	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 2512	1	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 2512	1	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 2512	1	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 2512	1	0
NtGetContextThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x0000018c	1	0
NtGetContextThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x0000018c	1	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2512	1	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x00000348 suspend_count: 1 process_identifier: 2512	1	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x000003b0 suspend_count: 1 process_identifier: 2512	1	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 2512	1	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x000004ac suspend_count: 1 process_identifier: 2512	1	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x0000042c suspend_count: 1 process_identifier: 2512	1	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x000003b0 suspend_count: 1 process_identifier: 2512	1	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x000003a8 suspend_count: 1 process_identifier: 2512	1	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 2512	1	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x000004a0 suspend_count: 1 process_identifier: 2512	1	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x00000460 suspend_count: 1 process_identifier: 2512	1	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x000002e0 suspend_count: 1 process_identifier: 2512	1	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x00000304 suspend_count: 1 process_identifier: 2512	1	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x00000320 suspend_count: 1 process_identifier: 2512	1	0
NtResumeThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x00000454 suspend_count: 1 process_identifier: 2512	1	0
CreateProcessInternalW Oct. 26, 2023, 10:17 a.m.	thread_identifier: 2316 thread_handle: 0x00000118 process_identifier: 2320 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000011c	1	1
NtGetContextThread Oct. 26, 2023, 10:17 a.m.	thread_handle: 0x00000118	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 10:17 a.m.	process_identifier: 2320 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000011c	1	0
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELî¯¦éà0È¬®ç @ à@TçWN©À H.text´Ç È `.rsrcN©ªÊ@@.relocÀt@B base_address: 0x00400000 process_identifier: 2320 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: base_address: 0x00402000 process_identifier: 2320 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: base_address: 0x00430000 process_identifier: 2320 process_handle: 0x0000011c	1	1
WriteProcessMemory Oct. 26, 2023, 10:17 a.m.	buffer: à°7 base_address: 0x0043c000 process_identifier: 2320 process_handle: 0x0000011c	1	1

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Bkav	W32.AIDetectMalware
MicroWorld-eScan	IL:Trojan.MSILZilla.30012
ClamAV	Win.Packed.Pwsx-10012424-0
CAT-QuickHeal	Trojan.GenericRI.S31067593
ALYac	Gen:Variant.Doina.48214
Malwarebytes	Generic.Malware.AI.DDS
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.9794fd
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	multiple detections
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	VHO:Trojan-PSW.Win32.Convagent.gen
NANO-Antivirus	Trojan.Win32.Deyma.kbnced
Rising	Trojan.Generic@AI.99 (RDML:Bzo27GwFkOm0FAbxk9QUXQ)
F-Secure	Trojan.TR/Spy.Gen
DrWeb	Trojan.PWS.RedLineNET.9
VIPRE	IL:Trojan.MSILZilla.30012
Trapmine	malicious.high.ml.score
Sophos	Generic ML PUA (PUA)
Ikarus	Trojan.Spy.Stealer
Jiangmin	TrojanDownloader.Deyma.arg
Avira	TR/Redcap.heqqf
Antiy-AVL	Trojan/Win32.Tiggre
Kingsoft	malware.kb.a.937
Gridinsoft	Spy.Win32.Redline.lu!heur
SUPERAntiSpyware	Trojan.Agent/Gen-Downloader
ZoneAlarm	VHO:Trojan-PSW.Win32.Convagent.gen
GData	Win32.Trojan.PSE.1N3O6MD
Varist	W32/Kryptik.JKR.gen!Eldorado
Acronis	suspicious
DeepInstinct	MALICIOUS
Cylance	unsafe
Zoner	Trojan.Win32.85523
Tencent	Malware.Win32.Gencirc.10bf3970
Yandex	Trojan.DL.Amadey!v6PxXuPqQN8
SentinelOne	Static AI - Malicious SFX
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Kryptik.HUKQ!tr

The process powershell.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\Program Files (x86)\Internet Explorer\iexplore.exe
file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

foto1661.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All