Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 7, 2023, 7:03 p.m.	Nov. 7, 2023, 7:10 p.m.

Size	4.6MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`b79c2d99b9899e66e9a3c16b5bc407cb`
SHA256	`1f0a1a7674ad868c99421fc13b0457de7ab612ca5948ae7cd045db355720e1fd`
CRC32	`D71377F9`
ssdeep	`98304:ch71+dABvnMM6JWksKAzvCC1UpqrC8asFDFc+kQzKQL:ch71+8vnMM6JWksKkUpQD6FerL`
Yara	UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE64 - (no description)

WWW14_64.exe "C:\Users\test22\AppData\Local\Temp\WWW14_64.exe"
2676
- rw90YVhZMPemeYQdRA2001Fn.exe "C:\Users\test22\Pictures\Minor Policy\rw90YVhZMPemeYQdRA2001Fn.exe"
  2224
- 52oB2Wye5oshKFFiEPt9HcBJ.exe "C:\Users\test22\Pictures\Minor Policy\52oB2Wye5oshKFFiEPt9HcBJ.exe"
  2188
  - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\7z24C3188C\ul7A.CMd" "
    2784
    - control.exe "C:\Windows\System32\control.exe" "C:\Users\test22\AppData\Local\Temp\7z24C3188C\9u_.CpL",
      1380
      - rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\test22\AppData\Local\Temp\7z24C3188C\9u_.CpL",
        2388
        
        rundll32.exe C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\test22\AppData\Local\Temp\7z24C3188C\9u_.CpL",
        2752
        
        rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\test22\AppData\Local\Temp\7z24C3188C\9u_.CpL",
        320
- WJ_BGqn1aegCCsabvg5JZP1c.exe "C:\Users\test22\Pictures\Minor Policy\WJ_BGqn1aegCCsabvg5JZP1c.exe"
  2256
- L03QtA_eoQSXVxOFXCwW2RRG.exe "C:\Users\test22\Pictures\Minor Policy\L03QtA_eoQSXVxOFXCwW2RRG.exe"
  2212
- wKzMvEM3v8T4vaiDp67ushwj.exe "C:\Users\test22\Pictures\Minor Policy\wKzMvEM3v8T4vaiDp67ushwj.exe"
  2656
- VneSnp3_ukQr2DpIFzFJmPqn.exe "C:\Users\test22\Pictures\Minor Policy\VneSnp3_ukQr2DpIFzFJmPqn.exe"
  2696
  - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
    2244
    - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2244 CREDAT:145409
      2068
- mnzijhIRqVkfyvRhOhxVOtK3.exe "C:\Users\test22\Pictures\Minor Policy\mnzijhIRqVkfyvRhOhxVOtK3.exe"
  2708
  - ShvkrilYcv_1AfAKnQPZZGUl.exe "C:\Users\test22\Pictures\Minor Policy\ShvkrilYcv_1AfAKnQPZZGUl.exe"
    3600
    - InstallSetup5.exe "C:\Users\test22\AppData\Local\Temp\InstallSetup5.exe"
      3680
      - Broom.exe C:\Users\test22\AppData\Local\Temp\Broom.exe
        3920
    - toolspub2.exe "C:\Users\test22\AppData\Local\Temp\toolspub2.exe"
      3728
      - toolspub2.exe "C:\Users\test22\AppData\Local\Temp\toolspub2.exe"
        4044
    - e0cbefcb1af40c7d4aff4aca26621a98.exe "C:\Users\test22\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
      3780
    - kos4.exe "C:\Users\test22\AppData\Local\Temp\kos4.exe"
      3832
    - latestX.exe "C:\Users\test22\AppData\Local\Temp\latestX.exe"
      3880
- KIgIybt5WVZFqpet46xtKWqC.exe "C:\Users\test22\Pictures\Minor Policy\KIgIybt5WVZFqpet46xtKWqC.exe"
  2456

Name	Response	Post-Analysis Lookup
iplogger.com	A 104.21.12.138 A 172.67.194.188	172.67.194.188
learn.microsoft.com	CNAME e13636.dscb.akamaiedge.net CNAME learn-public.trafficmanager.net A 23.210.37.172 CNAME learn.microsoft.com.edgekey.net.globalredir.akadns.net CNAME learn.microsoft.com.edgekey.net	23.40.45.69
vk.com	A 87.240.129.133 A 87.240.132.72 A 87.240.132.78 A 87.240.137.164 A 93.186.225.194 A 87.240.132.67	87.240.132.67
iplis.ru	A 104.21.63.150 A 172.67.147.32	104.21.63.150
apps.identrust.com	A 23.67.53.27 A 23.67.53.17 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net	23.67.53.27
sun6-20.userapi.com	A 95.142.206.0	95.142.206.0
ipinfo.io	A 34.117.59.81	34.117.59.81
sun6-22.userapi.com	A 95.142.206.2	95.142.206.2
fdjbgkhjrpfvsdf.online	A 104.21.87.5 A 172.67.139.27	104.21.87.5
lakuiksong.known.co.ke	A 146.59.70.14	146.59.70.14
api.myip.com	A 172.67.75.163 A 104.26.9.59 A 104.26.8.59	104.26.9.59
psv4.userapi.com	A 87.240.137.134 A 87.240.190.89 CNAME ps.userapi.com A 87.240.190.76 A 87.240.137.140	87.240.190.76
globalwebventure.com	A 65.109.26.240	65.109.26.240
ironhost.io	A 104.21.57.237 A 172.67.193.129	172.67.193.129
neuralshit.net	A 172.67.134.35 A 104.21.6.10	172.67.134.35
octocrabs.com	A 172.67.200.10 A 104.21.21.189	104.21.21.189

IP Address	Status	Action
104.21.21.189	Active	Moloch
104.21.57.237	Active	Moloch
104.21.6.10	Active	Moloch
104.26.8.59	Active	Moloch
146.59.70.14	Active	Moloch
164.124.101.2	Active	Moloch
172.67.139.27	Active	Moloch
172.67.147.32	Active	Moloch
172.67.194.188	Active	Moloch
185.172.128.69	Active	Moloch
194.169.175.235	Active	Moloch
194.33.191.60	Active	Moloch
194.49.94.72	Active	Moloch
194.49.94.77	Active	Moloch
208.67.104.60	Active	Moloch
23.210.37.172	Active	Moloch
23.67.53.17	Active	Moloch
34.117.59.81	Active	Moloch
45.15.156.229	Active	Moloch
65.109.26.240	Active	Moloch
87.240.137.134	Active	Moloch
87.240.137.164	Active	Moloch
91.92.243.151	Active	Moloch
94.142.138.131	Active	Moloch
95.142.206.0	Active	Moloch
95.142.206.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49168 -> 94.142.138.131:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49179 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 91.92.243.151:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49173 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49174 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49169 -> 104.26.8.59:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49169 -> 104.26.8.59:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49175 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49170 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49177 -> 87.240.137.164:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49170 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49170 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49170 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49188 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49188 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49193 -> 65.109.26.240:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49193 -> 65.109.26.240:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49206 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49181 -> 194.49.94.72:80	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	A Network Trojan was detected
TCP 192.168.56.101:49181 -> 194.49.94.72:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49174 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49186 -> 104.21.21.189:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49186 -> 104.21.21.189:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49182 -> 172.67.139.27:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.67.139.27:80 -> 192.168.56.101:49182	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49166 -> 104.21.57.237:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49181 -> 194.49.94.72:80	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	A Network Trojan was detected
TCP 192.168.56.101:49181 -> 194.49.94.72:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 194.49.94.72:80 -> 192.168.56.101:49181	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.101:49183 -> 104.21.21.189:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.21.21.189:80 -> 192.168.56.101:49183	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49195 -> 172.67.139.27:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49198 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49198 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49196 -> 104.21.21.189:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 194.49.94.72:80 -> 192.168.56.101:49181	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 194.49.94.72:80 -> 192.168.56.101:49181	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 194.49.94.72:80 -> 192.168.56.101:49181	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.101:49203 -> 104.21.6.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49205 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 146.59.70.14:80 -> 192.168.56.101:49190	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.101:49180 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49180 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49184 -> 172.67.139.27:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49184 -> 172.67.139.27:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.67.139.27:80 -> 192.168.56.101:49189	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49185 -> 65.109.26.240:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 65.109.26.240:80 -> 192.168.56.101:49185	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 104.21.21.189:80 -> 192.168.56.101:49191	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49187 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49187 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49197 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49197 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49199 -> 65.109.26.240:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49201 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49201 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49204 -> 65.109.26.240:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49204 -> 65.109.26.240:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49204 -> 65.109.26.240:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 65.109.26.240:443 -> 192.168.56.101:49204	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 65.109.26.240:443 -> 192.168.56.101:49204	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49210 -> 87.240.137.164:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49213 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49200 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49200 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49216 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49216 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49218 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.137.164:80 -> 192.168.56.101:49218	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49212 -> 65.109.26.240:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49212 -> 65.109.26.240:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 65.109.26.240:443 -> 192.168.56.101:49212	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 65.109.26.240:443 -> 192.168.56.101:49212	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49225 -> 95.142.206.2:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49226 -> 95.142.206.2:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49207 -> 65.109.26.240:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49207 -> 65.109.26.240:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49207 -> 65.109.26.240:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 65.109.26.240:443 -> 192.168.56.101:49207	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 65.109.26.240:443 -> 192.168.56.101:49207	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49211 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49222 -> 87.240.137.164:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49224 -> 87.240.137.164:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49215 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49215 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49217 -> 95.142.206.0:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49230 -> 87.240.137.164:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49229 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49233 -> 87.240.137.134:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49232 -> 87.240.137.164:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49243 -> 194.33.191.60:44675	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49243 -> 194.33.191.60:44675	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 192.168.56.101:49243 -> 194.33.191.60:44675	2046105	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)	A Network Trojan was detected
TCP 192.168.56.101:49243 -> 194.33.191.60:44675	2046105	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)	A Network Trojan was detected
TCP 192.168.56.101:49246 -> 104.26.8.59:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49246 -> 104.26.8.59:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49250 -> 172.67.147.32:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49258 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49258 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49221 -> 87.240.137.164:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49261 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 87.240.137.164:80 -> 192.168.56.101:49223	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49227 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49227 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49263 -> 87.240.137.164:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49248 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49248 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49248 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49253 -> 194.169.175.235:42691	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49268 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49253 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49268 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49253 -> 194.169.175.235:42691	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 194.169.175.235:42691 -> 192.168.56.101:49253	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.101:49253 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49269 -> 185.172.128.69:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49269 -> 185.172.128.69:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.172.128.69:80 -> 192.168.56.101:49269	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.172.128.69:80 -> 192.168.56.101:49269	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49273 -> 87.240.137.164:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49271 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49244 -> 45.15.156.229:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49252 -> 194.49.94.77:22888	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49252 -> 194.49.94.77:22888	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49252 -> 194.49.94.77:22888	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 194.49.94.77:22888 -> 192.168.56.101:49252	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.101:49260 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49260 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49252 -> 194.49.94.77:22888	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49252 -> 194.49.94.77:22888	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 194.49.94.77:22888 -> 192.168.56.101:49252	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.101:49252 -> 194.49.94.77:22888	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49279 -> 23.210.37.172:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49283 -> 23.210.37.172:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49281 -> 23.210.37.172:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49278 -> 23.210.37.172:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 23.210.37.172:443 -> 192.168.56.101:49282	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49270 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49270 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49280 -> 23.210.37.172:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49252 -> 194.49.94.77:22888	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49252 -> 194.49.94.77:22888	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49252 -> 194.49.94.77:22888	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49252 -> 194.49.94.77:22888	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49252 -> 194.49.94.77:22888	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49252 -> 194.49.94.77:22888	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49252 -> 194.49.94.77:22888	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49252 -> 194.49.94.77:22888	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 194.33.191.60:44675 -> 192.168.56.101:49243	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 194.33.191.60:44675 -> 192.168.56.101:49243	2046106	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)	A Network Trojan was detected
TCP 192.168.56.101:49252 -> 194.49.94.77:22888	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49252 -> 194.49.94.77:22888	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49252 -> 194.49.94.77:22888	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49252 -> 194.49.94.77:22888	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49252 -> 194.49.94.77:22888	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49252 -> 194.49.94.77:22888	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49252 -> 194.49.94.77:22888	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49252 -> 194.49.94.77:22888	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49252 -> 194.49.94.77:22888	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
UDP 192.168.56.101:53767 -> 164.124.101.2:53	2047719	ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:50220 -> 172.67.194.188:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:50220 -> 172.67.194.188:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49253 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 194.169.175.235:42691 -> 192.168.56.101:49253	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.101:49253 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49253 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49253 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49253 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49253 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49253 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49253 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49253 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49253 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49253 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49253 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49253 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49253 -> 194.169.175.235:42691	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49248 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49170 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49169 104.26.8.59:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.101:49177 87.240.137.164:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49166 104.21.57.237:443	C=US, O=Let's Encrypt, CN=E1	CN=ironhost.io	bf:96:55:fe:92:31:2c:3b:86:d9:a5:21:ac:2a:4c:b7:56:b7:9e:19
TLSv1 192.168.56.101:49195 172.67.139.27:443	C=US, O=Let's Encrypt, CN=E1	CN=fdjbgkhjrpfvsdf.online	5d:a5:57:bd:11:fb:b3:4d:13:f7:4a:c5:f4:35:35:9c:e3:02:fa:11
TLSv1 192.168.56.101:49196 104.21.21.189:443	C=US, O=Let's Encrypt, CN=E1	CN=octocrabs.com	77:33:49:da:ac:e1:32:31:64:ad:8a:16:84:a3:aa:04:d0:fc:15:d7
TLSv1 192.168.56.101:49203 104.21.6.10:443	C=US, O=Let's Encrypt, CN=E1	CN=neuralshit.net	48:34:be:08:a6:7d:1e:ee:b7:5d:2d:12:63:b2:18:02:6a:d9:0d:74
TLSv1 192.168.56.101:49210 87.240.137.164:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49225 95.142.206.2:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.101:49226 95.142.206.2:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.101:49222 87.240.137.164:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49224 87.240.137.164:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49217 95.142.206.0:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.101:49230 87.240.137.164:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49233 87.240.137.134:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.101:49232 87.240.137.164:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49246 104.26.8.59:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.101:49250 172.67.147.32:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=iplis.ru	04:2b:ef:ab:43:60:60:33:69:03:f3:51:37:11:c8:29:26:89:a4:93
TLSv1 192.168.56.101:49221 87.240.137.164:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49263 87.240.137.164:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49273 87.240.137.164:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLS 1.2 192.168.56.101:50220 172.67.194.188:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=iplogger.com	c1:91:92:9b:9a:80:29:75:dc:65:9b:a4:c0:11:8c:ac:72:d6:77:58

Queries for the computername (37 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2023, 7:09 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (16 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 7, 2023, 7:08 p.m.			0	0
IsDebuggerPresent Nov. 7, 2023, 7:08 p.m.			0	0
IsDebuggerPresent Nov. 7, 2023, 7:08 p.m.			0	0
IsDebuggerPresent Nov. 7, 2023, 7:08 p.m.			0	0
IsDebuggerPresent Nov. 7, 2023, 7:08 p.m.			0	0
IsDebuggerPresent Nov. 7, 2023, 7:08 p.m.			0	0
IsDebuggerPresent Nov. 7, 2023, 7:08 p.m.			0	0
IsDebuggerPresent Nov. 7, 2023, 7:08 p.m.			0	0
IsDebuggerPresent Nov. 7, 2023, 7:09 p.m.			0	0
IsDebuggerPresent Nov. 7, 2023, 7:09 p.m.			0	0
IsDebuggerPresent Nov. 7, 2023, 7:09 p.m.			0	0
IsDebuggerPresent Nov. 7, 2023, 7:09 p.m.			0	0
IsDebuggerPresent Nov. 7, 2023, 7:09 p.m.			0	0
IsDebuggerPresent Nov. 7, 2023, 7:09 p.m.			0	0
IsDebuggerPresent Nov. 7, 2023, 7:02 p.m.			0	0
IsDebuggerPresent Nov. 7, 2023, 7:02 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00624df8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00624df8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00624df8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00624df8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00624e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00624e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00624d78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00624d78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00624d78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00624d78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00624d78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00624df8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00624df8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00624ff8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00625a38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00625a38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00625978 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003eb380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003eb380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003eb400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ebb80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ebc00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ebc00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ebc00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ebc00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ebc00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ebe40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ebe40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ebc80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db140 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db140 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db140 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db140 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db140 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db3c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dbd40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dbd40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2023, 7:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dbd00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 7, 2023, 7:08 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	_RDATA
section	.@**..--

One or more processes crashed (50 out of 68 events)

Time & API	Arguments	Status
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x2138735 0x2138506 0x2136cad 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2138870 registers.esp: 8253572 registers.edi: 8253624 registers.eax: 0 registers.ebp: 8253636 registers.edx: 6367664 registers.ebx: 8254852 registers.esi: 37529072 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x4960d2e 0x4960bf1 0x4960b0d 0x213eb6b 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 28 76 04 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x496161c registers.esp: 8251924 registers.edi: 8252172 registers.eax: 0 registers.ebp: 8252184 registers.edx: 74852056 registers.ebx: 8254852 registers.esi: 38205496 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x4964f48 0x4961140 0x4960bf1 0x4960b0d 0x213eb6b 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4964f8b registers.esp: 8252160 registers.edi: 8252444 registers.eax: 0 registers.ebp: 8252168 registers.edx: 0 registers.ebx: 8254852 registers.esi: 38205496 registers.ecx: 39455108	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x4960d2e 0x4960bf1 0x4960b25 0x213eb6b 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 28 76 04 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x496161c registers.esp: 8251924 registers.edi: 8252172 registers.eax: 0 registers.ebp: 8252184 registers.edx: 74852056 registers.ebx: 8254852 registers.esi: 38205496 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x4964f48 0x4961140 0x4960bf1 0x4960b25 0x213eb6b 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4964f8b registers.esp: 8252160 registers.edi: 8252444 registers.eax: 0 registers.ebp: 8252168 registers.edx: 0 registers.ebx: 8254852 registers.esi: 38205496 registers.ecx: 37232460	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x4960d2e 0x4960bf1 0x4960b25 0x213eb6b 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 28 76 04 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x496161c registers.esp: 8251924 registers.edi: 8252172 registers.eax: 0 registers.ebp: 8252184 registers.edx: 74852056 registers.ebx: 8254852 registers.esi: 37217928 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x4964f48 0x4961140 0x4960bf1 0x4960b25 0x213eb6b 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4964f8b registers.esp: 8252160 registers.edi: 8252444 registers.eax: 0 registers.ebp: 8252168 registers.edx: 0 registers.ebx: 8254852 registers.esi: 37217928 registers.ecx: 38592872	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x496594d 0x4965820 0x4960b0d 0x213f2e3 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 28 76 04 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x496161c registers.esp: 8251884 registers.edi: 8252132 registers.eax: 0 registers.ebp: 8252144 registers.edx: 74852056 registers.ebx: 8254852 registers.esi: 37217928 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x4964f48 0x4965dce 0x4965820 0x4960b0d 0x213f2e3 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4964f8b registers.esp: 8252120 registers.edi: 8252460 registers.eax: 0 registers.ebp: 8252128 registers.edx: 0 registers.ebx: 8254852 registers.esi: 37217928 registers.ecx: 40179972	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x496594d 0x4965820 0x4960b25 0x213f2e3 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 28 76 04 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x496161c registers.esp: 8251884 registers.edi: 8252132 registers.eax: 0 registers.ebp: 8252144 registers.edx: 74852056 registers.ebx: 8254852 registers.esi: 37217928 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x4964f48 0x4965dce 0x4965820 0x4960b25 0x213f2e3 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4964f8b registers.esp: 8252120 registers.edi: 8252460 registers.eax: 0 registers.ebp: 8252128 registers.edx: 0 registers.ebx: 8254852 registers.esi: 37217928 registers.ecx: 41531272	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x496594d 0x4965820 0x4960b25 0x213f2e3 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 28 76 04 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x496161c registers.esp: 8251884 registers.edi: 8252132 registers.eax: 0 registers.ebp: 8252144 registers.edx: 74852056 registers.ebx: 8254852 registers.esi: 37217928 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x4964f48 0x4965dce 0x4965820 0x4960b25 0x213f2e3 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4964f8b registers.esp: 8252120 registers.edi: 8252460 registers.eax: 0 registers.ebp: 8252128 registers.edx: 0 registers.ebx: 8254852 registers.esi: 37217928 registers.ecx: 42882572	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x496609c 0x4965f50 0x4960b0d 0x213f3e5 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 28 76 04 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x496161c registers.esp: 8251948 registers.edi: 8252196 registers.eax: 0 registers.ebp: 8252208 registers.edx: 74852056 registers.ebx: 8254852 registers.esi: 37217928 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x4964f48 0x4966372 0x4965f50 0x4960b0d 0x213f3e5 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4964f8b registers.esp: 8252184 registers.edi: 8252460 registers.eax: 0 registers.ebp: 8252192 registers.edx: 0 registers.ebx: 8254852 registers.esi: 37217928 registers.ecx: 37895148	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x496609c 0x4965f50 0x4960b25 0x213f3e5 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 28 76 04 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x496161c registers.esp: 8251948 registers.edi: 8252196 registers.eax: 0 registers.ebp: 8252208 registers.edx: 74852056 registers.ebx: 8254852 registers.esi: 37216824 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x4964f48 0x4966372 0x4965f50 0x4960b25 0x213f3e5 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4964f8b registers.esp: 8252184 registers.edi: 8252460 registers.eax: 0 registers.ebp: 8252192 registers.edx: 0 registers.ebx: 8254852 registers.esi: 37216824 registers.ecx: 39389804	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x496609c 0x4965f50 0x4960b25 0x213f3e5 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 28 76 04 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x496161c registers.esp: 8251948 registers.edi: 8252196 registers.eax: 0 registers.ebp: 8252208 registers.edx: 74852056 registers.ebx: 8254852 registers.esi: 37216824 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x4964f48 0x4966372 0x4965f50 0x4960b25 0x213f3e5 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4964f8b registers.esp: 8252184 registers.edi: 8252460 registers.eax: 0 registers.ebp: 8252192 registers.edx: 0 registers.ebx: 8254852 registers.esi: 37216824 registers.ecx: 40884460	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x49666e5 0x49665c0 0x4960b0d 0x213f4d2 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 28 76 04 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x496161c registers.esp: 8251968 registers.edi: 8252216 registers.eax: 0 registers.ebp: 8252228 registers.edx: 74852056 registers.ebx: 8254852 registers.esi: 37216824 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x4964f48 0x496699a 0x49665c0 0x4960b0d 0x213f4d2 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4964f8b registers.esp: 8252204 registers.edi: 8252460 registers.eax: 0 registers.ebp: 8252212 registers.edx: 0 registers.ebx: 8254852 registers.esi: 37216824 registers.ecx: 37886752	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x49666e5 0x49665c0 0x4960b25 0x213f4d2 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 28 76 04 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x496161c registers.esp: 8251968 registers.edi: 8252216 registers.eax: 0 registers.ebp: 8252228 registers.edx: 74852056 registers.ebx: 8254852 registers.esi: 37216824 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x4964f48 0x496699a 0x49665c0 0x4960b25 0x213f4d2 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4964f8b registers.esp: 8252204 registers.edi: 8252460 registers.eax: 0 registers.ebp: 8252212 registers.edx: 0 registers.ebx: 8254852 registers.esi: 37216824 registers.ecx: 37498560	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x49666e5 0x49665c0 0x4960b25 0x213f4d2 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 48 28 76 04 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x496161c registers.esp: 8251968 registers.edi: 8252216 registers.eax: 0 registers.ebp: 8252228 registers.edx: 74852056 registers.ebx: 8254852 registers.esi: 37216824 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x4964f48 0x496699a 0x49665c0 0x4960b25 0x213f4d2 0x213de2e 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4964f8b registers.esp: 8252204 registers.edi: 8252460 registers.eax: 0 registers.ebp: 8252212 registers.edx: 0 registers.ebx: 8254852 registers.esi: 37216824 registers.ecx: 39110304	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x4964f48 0x496796f 0x4967141 0x213de5c 0x213c7af 0x2136d75 0x2136886 0x21334ab 0x2132f10 0x2132ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4964f8b registers.esp: 8253088 registers.edi: 8253368 registers.eax: 0 registers.ebp: 8253096 registers.edx: 0 registers.ebx: 8254852 registers.esi: 39841716 registers.ecx: 39848800	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0xc57bd8 0xc57b0d 0xc52f5b 0xc52c06 0xc51b93 0xc51b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xc57c71 registers.esp: 3600636 registers.edi: 39212200 registers.eax: 0 registers.ebp: 3600660 registers.edx: 4165544 registers.ebx: 39212220 registers.esi: 39213020 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0xc5f8e9 0xc5f863 0xc5ef52 0xc5e86c 0xc57f20 0xc52f80 0xc52c06 0xc51b93 0xc51b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 ce exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xc5fb64 registers.esp: 3600012 registers.edi: 42940260 registers.eax: 40760304 registers.ebp: 3600072 registers.edx: 0 registers.ebx: 39438704 registers.esi: 40760304 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0xc5f8e9 0xc5f880 0xc5ef52 0xc5e86c 0xc57f20 0xc52f80 0xc52c06 0xc51b93 0xc51b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 ce exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xc5fb64 registers.esp: 3600012 registers.edi: 39438072 registers.eax: 42190320 registers.ebp: 3600072 registers.edx: 0 registers.ebx: 40970280 registers.esi: 42190320 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0xc5f8e9 0xc5f880 0xc5ef52 0xc5e86c 0xc57f20 0xc52f80 0xc52c06 0xc51b93 0xc51b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 ce exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xc5fb64 registers.esp: 3600012 registers.edi: 39438072 registers.eax: 43672744 registers.ebp: 3600072 registers.edx: 0 registers.ebx: 42400228 registers.esi: 43672744 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0xc5e86c 0xc57f20 0xc52f80 0xc52c06 0xc51b93 0xc51b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 e8 18 30 34 70 89 85 44 fe ff ff 8b d0 8d exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xc5f141 registers.esp: 3600120 registers.edi: 3600320 registers.eax: 0 registers.ebp: 3600648 registers.edx: 4165544 registers.ebx: 43884972 registers.esi: 0 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x90f2cd9 0xc5f42e 0xc5e86c 0xc57f20 0xc52f80 0xc52c06 0xc51b93 0xc51b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 0f exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x90f2f23 registers.esp: 3600028 registers.edi: 39438072 registers.eax: 45108960 registers.ebp: 3600080 registers.edx: 0 registers.ebx: 43888904 registers.esi: 45108960 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x90f2cd9 0xc5f42e 0xc5e86c 0xc57f20 0xc52f80 0xc52c06 0xc51b93 0xc51b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 0f exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x90f2f23 registers.esp: 3600028 registers.edi: 39438072 registers.eax: 40153884 registers.ebp: 3600080 registers.edx: 0 registers.ebx: 39490068 registers.esi: 40153884 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x90f2cd9 0xc5f42e 0xc5e86c 0xc57f20 0xc52f80 0xc52c06 0xc51b93 0xc51b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 0f exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x90f2f23 registers.esp: 3600028 registers.edi: 39433428 registers.eax: 41503584 registers.ebp: 3600080 registers.edx: 0 registers.ebx: 40283528 registers.esi: 41503584 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x90f2fa9 0xc5f4ce 0xc5e86c 0xc57f20 0xc52f80 0xc52c06 0xc51b93 0xc51b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 b1 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x90f3181 registers.esp: 3600028 registers.edi: 39433428 registers.eax: 0 registers.ebp: 3600080 registers.edx: 0 registers.ebx: 41633300 registers.esi: 42853348 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x90f2fa9 0xc5f4ce 0xc5e86c 0xc57f20 0xc52f80 0xc52c06 0xc51b93 0xc51b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 b1 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x90f3181 registers.esp: 3600028 registers.edi: 39433428 registers.eax: 0 registers.ebp: 3600080 registers.edx: 0 registers.ebx: 39490676 registers.esi: 39715128 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x90f2fa9 0xc5f4ce 0xc5e86c 0xc57f20 0xc52f80 0xc52c06 0xc51b93 0xc51b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 b1 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x90f3181 registers.esp: 3600028 registers.edi: 39433428 registers.eax: 0 registers.ebp: 3600080 registers.edx: 0 registers.ebx: 39984016 registers.esi: 41204064 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x90f32d9 0xc5f55a 0xc5e86c 0xc57f20 0xc52f80 0xc52c06 0xc51b93 0xc51b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f 05 ff ff ff eb 0c e8 88 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x90f34aa registers.esp: 3600028 registers.edi: 42958348 registers.eax: 0 registers.ebp: 3600080 registers.edx: 0 registers.ebx: 41473032 registers.esi: 42693080 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x90f32d9 0xc5f55a 0xc5e86c 0xc57f20 0xc52f80 0xc52c06 0xc51b93 0xc51b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f 05 ff ff ff eb 0c e8 88 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x90f34aa registers.esp: 3600028 registers.edi: 39699596 registers.eax: 0 registers.ebp: 3600080 registers.edx: 0 registers.ebx: 42964300 registers.esi: 39699932 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x90f32d9 0xc5f55a 0xc5e86c 0xc57f20 0xc52f80 0xc52c06 0xc51b93 0xc51b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f 05 ff ff ff eb 0c e8 88 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x90f34aa registers.esp: 3600028 registers.edi: 39699596 registers.eax: 0 registers.ebp: 3600080 registers.edx: 0 registers.ebx: 39866276 registers.esi: 41086324 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x90f3864 0xc5e884 0xc57f20 0xc52f80 0xc52c06 0xc51b93 0xc51b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 e0 0f 8f a1 fe ff ff eb 05 e8 98 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x90f3c9a registers.esp: 3600524 registers.edi: 41630920 registers.eax: 0 registers.ebp: 3600568 registers.edx: 0 registers.ebx: 41624712 registers.esi: 41631604 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x7a86a5 0x7a8476 0x7a6c85 0x7a685e 0x7a3483 0x7a2ee8 0x7a2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7a87e0 registers.esp: 3797028 registers.edi: 3797080 registers.eax: 0 registers.ebp: 3797092 registers.edx: 6241376 registers.ebx: 3798308 registers.esi: 37593624 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x49998de 0x49997a1 0x49996bd 0x4998750 0x4997a4d 0x7ac787 0x7a6d4d 0x7a685e 0x7a3483 0x7a2ee8 0x7a2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 44 4a 01 07 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x499a1cc registers.esp: 3795352 registers.edi: 3795600 registers.eax: 0 registers.ebp: 3795612 registers.edx: 117524692 registers.ebx: 3798308 registers.esi: 40553164 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x499daf0 0x4999cf0 0x49997a1 0x49996bd 0x4998750 0x4997a4d 0x7ac787 0x7a6d4d 0x7a685e 0x7a3483 0x7a2ee8 0x7a2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x499db33 registers.esp: 3795588 registers.edi: 3795872 registers.eax: 0 registers.ebp: 3795596 registers.edx: 0 registers.ebx: 3798308 registers.esi: 40553164 registers.ecx: 38065004	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x49998de 0x49997a1 0x49996d5 0x4998750 0x4997a4d 0x7ac787 0x7a6d4d 0x7a685e 0x7a3483 0x7a2ee8 0x7a2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 44 4a 01 07 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x499a1cc registers.esp: 3795352 registers.edi: 3795600 registers.eax: 0 registers.ebp: 3795612 registers.edx: 117524692 registers.ebx: 3798308 registers.esi: 37361088 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x499daf0 0x4999cf0 0x49997a1 0x49996d5 0x4998750 0x4997a4d 0x7ac787 0x7a6d4d 0x7a685e 0x7a3483 0x7a2ee8 0x7a2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x499db33 registers.esp: 3795588 registers.edi: 3795872 registers.eax: 0 registers.ebp: 3795596 registers.edx: 0 registers.ebx: 3798308 registers.esi: 37361088 registers.ecx: 39496876	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x49998de 0x49997a1 0x49996d5 0x4998750 0x4997a4d 0x7ac787 0x7a6d4d 0x7a685e 0x7a3483 0x7a2ee8 0x7a2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 44 4a 01 07 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x499a1cc registers.esp: 3795352 registers.edi: 3795600 registers.eax: 0 registers.ebp: 3795612 registers.edx: 117524692 registers.ebx: 3798308 registers.esi: 37361088 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x499daf0 0x4999cf0 0x49997a1 0x49996d5 0x4998750 0x4997a4d 0x7ac787 0x7a6d4d 0x7a685e 0x7a3483 0x7a2ee8 0x7a2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x499db33 registers.esp: 3795588 registers.edi: 3795872 registers.eax: 0 registers.ebp: 3795596 registers.edx: 0 registers.ebx: 3798308 registers.esi: 37361088 registers.ecx: 41482120	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x4997a4d 0x7ac787 0x7a6d4d 0x7a685e 0x7a3483 0x7a2ee8 0x7a2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 e8 f5 96 60 6c 89 85 ec fc ff ff 8d bd e4 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4998a64 registers.esp: 3795976 registers.edi: 3797116 registers.eax: 0 registers.ebp: 3797152 registers.edx: 0 registers.ebx: 3798308 registers.esi: 3796688 registers.ecx: 0	1
__exception__ Nov. 7, 2023, 7:09 p.m.	stacktrace: 0x499e92d 0x499e800 0x49996bd 0x4998f29 0x4997a4d 0x7ac787 0x7a6d4d 0x7a685e 0x7a3483 0x7a2ee8 0x7a2e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x733bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73927f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73924de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 ff 15 44 4a 01 07 89 85 3c ff ff ff 8b 85 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x499a1cc registers.esp: 3795312 registers.edi: 3795560 registers.eax: 0 registers.ebp: 3795572 registers.edx: 117524692 registers.ebx: 3798308 registers.esi: 37361088 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://91.92.243.151/api/tracemap.php
suspicious_features	Connection to IP address	suspicious_request	GET http://94.142.138.131/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://94.142.138.131/api/firegate.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://194.49.94.72/3.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://194.49.94.72/3.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://45.15.156.229/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://45.15.156.229/api/firegate.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.172.128.69/latestumma.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.172.128.69/latestumma.exe

Performs some HTTP requests (31 events)

request	GET http://91.92.243.151/api/tracemap.php
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://94.142.138.131/api/tracemap.php
request	POST http://94.142.138.131/api/firegate.php
request	HEAD http://194.49.94.72/3.exe
request	GET http://194.49.94.72/3.exe
request	HEAD http://lakuiksong.known.co.ke/netTimer.exe
request	GET http://lakuiksong.known.co.ke/netTimer.exe
request	GET http://45.15.156.229/api/tracemap.php
request	POST http://45.15.156.229/api/firegate.php
request	HEAD http://185.172.128.69/latestumma.exe
request	GET http://185.172.128.69/latestumma.exe
request	GET http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=VneSnp3_ukQr2DpIFzFJmPqn.exe&platform=0009&osver=5&isServer=0
request	GET https://api.myip.com/
request	GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
request	GET https://fdjbgkhjrpfvsdf.online/setup294.exe
request	GET https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
request	GET https://neuralshit.net/41952c986340dccbd36c6f7751ad8d3c/7725eaa6592c80f8124e769b4e8a07f7.exe
request	GET https://vk.com/doc26060933_667402082?hash=YceActlCEWNAxzNWlyosqulkJNKFWOXwPC6aoepp51w&dl=4fZA3npX9cldehaLZ4Szl6YhrZWLZOAzHvN5zwGWoWH&api=1&no_preview=1#as
request	GET https://sun6-20.userapi.com/c909218/u26060933/docs/d54/6e7fc67a6ccd/asca1ex.bmp?extra=o0dbnej6BqzEu2z5v-Mxe5oLOHfcHc8vUDbMSePw_8F_JPn8HPD_NLCakc5EiDyrOG0dJBsKL6WuWl8WcnQT6t_9LwNBS5067YCL7hMG9GPzh8bxUp8FvU7aJ65cY8FynND1rYBTFV4uc5jy
request	GET https://vk.com/doc26060933_667283095?hash=XbMEOIVwAxvBMVozZrdx5JL01yibEzrk6OUGAeuqigk&dl=aHYtz9hCKP29fWdvsPFNX8NzNDQemO5X8RKctwJXQK0&api=1&no_preview=1#vmr
request	GET https://vk.com/doc26060933_667265534?hash=QrZOxyJfddotURGFHUaHcRtzBrPYFYi92QMrQaABFRL&dl=YGWXjzH1s6k62LlpR6zC3pzzD02Frvfpv4JhBLkPKVH&api=1&no_preview=1
request	GET https://sun6-22.userapi.com/c909228/u26060933/docs/d49/128817370068/frankurt.bmp?extra=S-7AocaxsIbLkK-ELoZtcguPmTMKNeGVULVejSj8lKOn4iE-SffQhWawQvouXtHuFn4V30tV4Vyf2KFZ982OpZrWgbptKJF--WytR4WsqWN9BMV4Qn2o60SPWY9OAPvZxXlmSACiGQB9-aWJ
request	GET https://sun6-22.userapi.com/c909218/u26060933/docs/d39/2b5c05ade136/PL_Client.bmp?extra=da599MOTGK0smGFDrYCbIOwnAESK93Bdw8XDZy_0vK13817g4Qsr6AWGWEf5TNMs8D67QVgYFb6fgHXsdA6lLB0kHdsNHYl2LuiA4Cchiwv-echSw-1M9pvREF7eyP8RrYMQCeAIgdGcFGmL
request	GET https://vk.com/doc26060933_667364987?hash=BHX3WK0Px3UZYC6KUcanvJ8pCPk0aSa1CJ1a0crl1aL&dl=Y5COLZGRCC7rDCjMPJPVPA4Y0k1NZaZCa4v1PlcGmn8&api=1&no_preview=1
request	GET https://sun6-20.userapi.com/c237031/u26060933/docs/d15/cc14cf618ad2/32ssh7832haf.bmp?extra=fwty-u7t3kuVDKn2Ab1i7boHK4AyOko_2OhckURSgZjMwMr1LMRzcDeu6ldvQCwfDuTH4EEUK6o17LKRsfTQtZt7FslDGR2y6GbdZCCcOp_WNzQ9CENa5D8--pR4RgBxxVEvfsknWSZfulv4
request	GET https://vk.com/doc493219498_672836373?hash=M7A4hgYlu29jFClj8BntVZXGQNYZUrmGk5Xo8ZtSs3c&dl=vo1qv3UDs2s1kmfM0D1UlsXrUhketlWT0zHzAFUqZzz&api=1&no_preview=1#redcl
request	GET https://vk.com/doc26060933_667439205?hash=9u0pp57etRglLIKfkYwZcH44T9cOpyz0LWapsbTF1Bg&dl=z3Yi2TZu3wznuaMj0bEuIRV5ZXaFnSzqV3ZZNSu9aWD&api=1&no_preview=1#pers
request	GET https://psv4.userapi.com/c237131/u26060933/docs/d39/e725e5f13f43/PERSOM-1107.bmp?extra=lM3OqGzYHO-ydtWN8GVm8iBO22fCJG2WhM2K66LXzBICJffrODU--a9Pi-hhT7sttyJddEU9SHHg9SZN_-JOhRN7W2Plh0m9KbP4ZMAMKkWq9tgZOTF670Girpl8yfCoW0v7ugGpJH7nzSwG
request	GET https://iplis.ru/1cN8u7.mp3
request	GET https://vk.com/doc493219498_672768541?hash=tpdx8YXg91Y3FlT5s0RAbnPmPS1Zzyo9eLqcOzyWZYc&dl=WDy5pNA0ek7levBiA9WZCVFsr80DioWsqEq14iAXX84&api=1&no_preview=1

Sends data using the HTTP POST Method (2 events)

request	POST http://94.142.138.131/api/firegate.php
request	POST http://45.15.156.229/api/firegate.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 765 events)

Time & API	Arguments	Return
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d82810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d83810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d84810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d85810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d86810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d87810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d88810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d89810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8a810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8b810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8c810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8d810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8e810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8f810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d90810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d91810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d92810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d93810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d94810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d95810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d96810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d97810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d98810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d99810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9a810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9b810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9c810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9d810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9e810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9f810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da0810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da1810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da2810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da3810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da4810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da5810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da6810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da7810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da8810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da9810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076daa810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dab810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dac810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dad810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dae810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076daf810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076db0810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076db1810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 7, 2023, 6:56 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076db2810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Nov. 7, 2023, 7:09 p.m.	total_number_of_free_bytes: 13241184256 free_bytes_available: 13241184256 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 7, 2023, 7:09 p.m.	total_number_of_free_bytes: 13271216128 free_bytes_available: 13271216128 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 7, 2023, 7:09 p.m.	total_number_of_free_bytes: 13419364352 free_bytes_available: 13419364352 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 7, 2023, 7:09 p.m.	total_number_of_free_bytes: 13419364352 free_bytes_available: 13419364352 root_path: C: total_number_of_bytes: 34252779520	1	1

Steals private information from local Internet browsers (20 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\lockfile
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmblappgoiilbgafhjklehhfifbdocee
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (22 events)

file	C:\Users\test22\AppData\Local\Temp\latestX.exe
file	C:\Users\test22\Pictures\Minor Policy\rw90YVhZMPemeYQdRA2001Fn.exe
file	C:\Users\test22\Pictures\Minor Policy\WJ_BGqn1aegCCsabvg5JZP1c.exe
file	C:\Users\test22\AppData\Local\Temp\InstallSetup5.exe
file	C:\Users\test22\Pictures\Minor Policy\mnzijhIRqVkfyvRhOhxVOtK3.exe
file	C:\Users\test22\Pictures\Minor Policy\RVeNsAdLQjw60XJf9MzjqiNS.exe
file	C:\Users\test22\AppData\Local\Temp\7z24C3188C\ul7A.CMd
file	C:\Users\test22\AppData\Local\Temp\7z24C3188C\9u_.CpL
file	C:\Users\test22\AppData\Local\Temp\toolspub2.exe
file	C:\Users\test22\Pictures\Minor Policy\L03QtA_eoQSXVxOFXCwW2RRG.exe
file	C:\Users\test22\Pictures\Minor Policy\KIgIybt5WVZFqpet46xtKWqC.exe
file	C:\Users\test22\Pictures\Minor Policy\EjSvSqGnn8rVZVP0ORl5WVMJ.exe
file	C:\Users\test22\Pictures\Minor Policy\VneSnp3_ukQr2DpIFzFJmPqn.exe
file	C:\Users\test22\Pictures\Minor Policy\52oB2Wye5oshKFFiEPt9HcBJ.exe
file	C:\Users\test22\AppData\Local\Temp\kos4.exe
file	C:\Users\test22\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
file	C:\Users\test22\Pictures\Minor Policy\vDddnwTORl6qPEKq3zeRHvfM.exe
file	C:\Users\test22\Pictures\Minor Policy\ShvkrilYcv_1AfAKnQPZZGUl.exe
file	C:\Users\test22\AppData\Local\Temp\Broom.exe
file	C:\Users\test22\Pictures\Minor Policy\KmOVx08R1vVI6IHwgt2BLrER.exe
file	C:\Users\test22\Pictures\Minor Policy\FZkDdJkhXj4hYiGLutVZ1dsO.exe
file	C:\Users\test22\Pictures\Minor Policy\wKzMvEM3v8T4vaiDp67ushwj.exe

Creates hidden or system file (2 events)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW Nov. 7, 2023, 6:56 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\System32\GroupPolicy filepath: C:\Windows\System32\GroupPolicy	1	1	0
SetFileAttributesW Nov. 7, 2023, 7:08 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\System32\GroupPolicy filepath: C:\Windows\System32\GroupPolicy	1	1	0

Drops an executable to the user AppData folder (13 events)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\latestumma[1].exe
file	C:\Users\test22\AppData\Local\Temp\7z24C3188C\9u_.CpL
file	C:\Users\test22\AppData\Local\Temp\InstallSetup5.exe
file	C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\winamp58_3660_beta_full_en-us[1].exe
file	C:\Users\test22\AppData\Local\Temp\toolspub2.exe
file	C:\Users\test22\AppData\Local\Temp\Broom.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\7725eaa6592c80f8124e769b4e8a07f7[1].exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\setup294[1].exe
file	C:\Users\test22\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
file	C:\Users\test22\AppData\Local\Temp\kos4.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\3[1].exe

A process created a hidden window (9 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Nov. 7, 2023, 6:57 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\rw90YVhZMPemeYQdRA2001Fn.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\rw90YVhZMPemeYQdRA2001Fn.exe	1	1
ShellExecuteExW Nov. 7, 2023, 6:57 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\52oB2Wye5oshKFFiEPt9HcBJ.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\52oB2Wye5oshKFFiEPt9HcBJ.exe	1	1
ShellExecuteExW Nov. 7, 2023, 6:57 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\WJ_BGqn1aegCCsabvg5JZP1c.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\WJ_BGqn1aegCCsabvg5JZP1c.exe	1	1
ShellExecuteExW Nov. 7, 2023, 6:57 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\L03QtA_eoQSXVxOFXCwW2RRG.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\L03QtA_eoQSXVxOFXCwW2RRG.exe	1	1
ShellExecuteExW Nov. 7, 2023, 6:57 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\wKzMvEM3v8T4vaiDp67ushwj.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\wKzMvEM3v8T4vaiDp67ushwj.exe	1	1
ShellExecuteExW Nov. 7, 2023, 6:57 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\VneSnp3_ukQr2DpIFzFJmPqn.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\VneSnp3_ukQr2DpIFzFJmPqn.exe	1	1
ShellExecuteExW Nov. 7, 2023, 6:57 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\mnzijhIRqVkfyvRhOhxVOtK3.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\mnzijhIRqVkfyvRhOhxVOtK3.exe	1	1
ShellExecuteExW Nov. 7, 2023, 6:57 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\KIgIybt5WVZFqpet46xtKWqC.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\KIgIybt5WVZFqpet46xtKWqC.exe	1	1
ShellExecuteExW Nov. 7, 2023, 7:09 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\ShvkrilYcv_1AfAKnQPZZGUl.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\ShvkrilYcv_1AfAKnQPZZGUl.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (9 events)

Time & API	Arguments	Status	Return
Process32NextW Nov. 7, 2023, 6:56 p.m.	snapshot_handle: 0x00000000000003e8 process_name: taskhost.exe process_identifier: 2520	1	1
Process32NextW Nov. 7, 2023, 7:08 p.m.	snapshot_handle: 0x000000000000039c process_name: rw90YVhZMPemeYQdRA2001Fn.exe process_identifier: 2224	1	1
Process32NextW Nov. 7, 2023, 7:08 p.m.	snapshot_handle: 0x000000000000039c process_name: WJ_BGqn1aegCCsabvg5JZP1c.exe process_identifier: 2256	1	1
Process32NextW Nov. 7, 2023, 7:08 p.m.	snapshot_handle: 0x000000000000039c process_name: L03QtA_eoQSXVxOFXCwW2RRG.exe process_identifier: 2212	1	1
Process32NextW Nov. 7, 2023, 7:08 p.m.	snapshot_handle: 0x000000000000039c process_name: wKzMvEM3v8T4vaiDp67ushwj.exe process_identifier: 2656	1	1
Process32NextW Nov. 7, 2023, 7:08 p.m.	snapshot_handle: 0x000000000000039c process_name: KIgIybt5WVZFqpet46xtKWqC.exe process_identifier: 2456	1	1
Process32NextW Nov. 7, 2023, 7:08 p.m.	snapshot_handle: 0x000000000000039c process_name: conhost.exe process_identifier: 1528	1	1
Process32NextW Nov. 7, 2023, 7:08 p.m.	snapshot_handle: 0x000000000000039c process_name: control.exe process_identifier: 1380	1	1
Process32NextW Nov. 7, 2023, 7:08 p.m.	snapshot_handle: 0x000000000000039c process_name: inject-x86.exe process_identifier: 2120	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 7, 2023, 7:09 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x032b0000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 7, 2023, 6:56 p.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the processes www14_64.exe, mnzijhirqvkfyvrhohxvotk3.exe (7 events)

Time & API	Arguments	Status	Return
InternetReadFile Nov. 7, 2023, 6:56 p.m.	buffer: MZÿÿ¸@Øº´ Í!¸LÍ!This program cannot be run in DOS mode. $zÒBÊ>³,>³,>³, á¨$³, á¹.³, á¯y³,ý¼q=³,>³-l³,7Ë¨?³,7Ë½?³,Rich>³,PELwªHeà ª°@pÌe°.textfh `.bss!"l `.rdata°@@.dataÐª@À.jkqvbz`Ä.ÀUìSVWÂÁÀ÷ÚãiÊ~÷Ú÷ÓçU÷ê÷Û@NÁÆµÏêCÀ÷×ÁÎ`CO÷ÒºSëK÷êë?OËä÷Ö÷ÒÁ× ËÈÏ-Ò»âÚaãZÊ¿@ÁÎÊÁØ÷Û¿ö÷ê@ÏÁÚÛK¿u3É3ÿÏ¼¿¿ÁÞÈÎ÷×ÁÇ:ËÁÇºÁÛÏ}OJFÛÀÁÈDÁÒßÛÁÒ(B÷ØC@÷èJ÷ÞÁÐëÁÚ÷Ú÷×ÀpÏÏñ÷ÒÁÓ¤Ï®è9ËBëÆòïó÷èFÁÂïC¸âCMF÷×÷Ò÷Ú÷ÛØàF÷êÇ8G@÷ÞKÁÏsÛÁÊ°êGÏÀRÁÊØ»ÛÊO÷ÚØ¾÷×÷ÛÚqÆNèêxÈDßÛÃ÷ßØ^B@÷Û÷ëîz%úÛB÷Ó¸<Ëï}ð3öØÀØ3ÀÀö3ö3ÛÀÃöÀ3ðöÆ3ó3ÆÛØöÆðÃÃÛÞ3ö3öØ/3ÆÀ3ö3Ø3Ø3Øö3ö3óö/Gâ«_^[]ÃÌÌÌÌÌÌUìSVWÚI÷ïß"÷Öç¿÷Ò÷Û¸_ÁÐ#÷ÐÁÏÈë6ßôÏ¹ÁÎÁÆ÷ÖF÷èã&ÁÒÚ ÆØ6ÁÏ¹îÝ÷ÞÃlÃ÷ï÷ï÷Û÷ï¾F¿ºÏ¤÷ØO»¥ÁÀ¸ÁÚ\|ÁË³ÏÁÐ3CKÊæÆ÷ÓÁÂ3É3ÿÏÀèhFHÛ÷ÚÁÏ ¿÷ÞB÷êÚíK÷ÞãÀ÷Ø÷Þ÷ßG¾{÷Ø÷è÷Óçk»wÏÁÊZO÷Ó÷ÛÆÞCÎÓî-CÁÞÏÁÏ¸Ë÷×ëÁÊß»ÁÃ:ÁÓúO÷îÂVß\ÂTMÁÓ>¾½ËãÅçz÷ïÁÞ±ÁÒ @@÷è÷ÒÏ@÷ë@@%îÁßáÁÆ¾Á×ô¿º÷ÐFê°ÊÂÁÐ÷Þ¿>ÂØÁÒÃ÷ÖJKGÁ×åà<J÷èï¿ÁÂ4Ê¾.ÇpÁÀËº÷î÷ïÁÖz}ÛØ3ÞöÃöØ3ÀÞ3Þ request_handle: 0x0000000000cc0064	1	1
InternetReadFile Nov. 7, 2023, 6:56 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdð.0) @ @+@@@ À)D~ H.text ) ) `.rsrcD~À))@@H$rt7r©k 0r+ þ68þ6Eò~ ÿ2 OXµ n"³%®!%qÚM³ç×#Þûó&pP ¨oé» ^$#ÓÆ¾Rb±ü#JÃÇ&(!=õÐ"Í2Ïçdnw ót¹$Fy$¹¯ï$U3É©v\åR # # <"â ° âÖO jW&+ &f%½"#"Ó v Ï: jáÈõ Rß"<#µAí ïrYD!CyÌ$gu% `²!Â I o÷®]2 A`"Tð¨õ \ o#Bð!j\|ñg ß¹ Qª+ì Ó¾âÆ_ ç +iK"îlä`¥$¼«¡Î<º s&vAò@´#æá¯K!Zëû¡"¦À#Í'ª~#rú}~}!Âeè1BL$8y þ1: ß8üÿÿþ?þþþA (:þûÿÿ& n8óûÿÿ8 8Nþ ÇZ ÉZaiXþ 8Éûÿÿ8é â(:µûÿÿ&8«ûÿÿ8 8ûÿÿþ#N@#4@( Y( Xþ d8mûÿÿþB XþB 8Uûÿÿþ #£AíR@#ð?( Y( Xþ º(9ûÿÿ&8ûÿÿþ%#w¸Pí3&À#ø?(X( Xþ%8qþ2þþþ4 Ë8Óúÿÿ þE8'"þ5þþþ7 (9¨úÿÿ&8úÿÿÐ( o þ 8úÿÿþþXþþXGR ³8fúÿÿ request_handle: 0x0000000000cc001c	1	1
InternetReadFile Nov. 7, 2023, 6:56 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $Øè1h_;_;_;óU;_;Q;_;ó[;_;^;£_;;_;ª¯U;_;[Y;_;Rich_;PELpNdà/n{@Ð<dÀ ø.textln `.rdataX r@@.dataP \|@À.rsrc À ~@@Uì¸è3jSVWj3ÿ[}ü}ô]À}Ôè(Dè,\|ÿÿÿÇEÜ²@ÇEàÂ@ÇE¤²@ÇE¨Â@èq/3ÒXÿÿÿèw9¾XôÿÿVPW½tÿÿÿÿD@;Ç$;ÆÿH@Eì3ÉEìff="u3À;ÏÀÈëf;Çtf= u;ÏtEìëÔpøÿÿPVÿL@;ÇÏ;ÆÇpøÿÿPÿP@EäÿT@ðÁæÿX@3ðÁæÿ\@3ð}øEähp@EpøÿÿPÿ`@pøÿÿPÿP@EpøÿÿÞÇEèHÓâÁëú sÂ0ëÂ7fIIÿMèuápøÿÿfxèjÀ[upøÿÿWPÿ@ÀuWÿ@=·uÿEøÿX@ð}ødaÿÿÿ]üpøÿÿPòÿÿPÿ`@9}üt=¸T@ÀÈÂ¹L@é¸pøÿÿhH@Pÿ@pøÿÿPÿP@EäëªXôÿÿMèû+ÀtÇEô0@]üëoU´M}´}¸èJÀtWU´Mè -Àt]üÇEô@ë>¾MÜÖÿUÜ;Çtÿÿÿu ÇEüë\|ÿÿÿµxÿÿÿhÿÿÿ½pÿÿÿ½lÿÿÿþÿÿè,9}üÿE¤XÿÿÿPEÜPþÿÿèé ;ÇEüÛMÌÿM ÿ9½ÔþÿÿÇE¬@}è}}øcUø3öVþÿÿuÄuÐè)=3EäUøþÿÿ¼EpøÿÿWèí(E¤XÿÿÿPEÜPEÐPEÄPEPEèPE PþÿÿÿuøèS';ÆEü6f97t5ÇÇEðßf8/uf#pøÿÿèÞuðfÇ\ÿEðCCÃf;uÖMøÜþÿÿá¸ÓøMøÁéMðE¼tpøÿÿèéMwSÿP@UÈËøèÄ+}ÈÿuÈE¸¹ø@{PjZè request_handle: 0x0000000000cc0028	1	1
InternetReadFile Nov. 7, 2023, 6:56 p.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $øº(:¼ÛFi¼ÛFi¼ÛFi/Þi½ÛFiÓØi¨ÛFiÓíiÛFiÓìiÍÛFiµ£Õi¹ÛFi¼ÛGi1ÛFiÓéi½ÛFiÓÜi½ÛFiÓÛi½ÛFiRich¼ÛFiPEL¬Gcà A:Õ~0A@°ÑB¬A<Ày°RBøF@ .text.AA `.dataÈ80AA@À.rsrc°éÀy8A@@AA,ABANAfAxAAªAÀAØAðAAA4AFAVAnAAA¦A¶AÀAØAæAüA A A8 AR An A~ A A¨ A¾ AÐ Aà Aø A!A!A2!AF!AR!Ah!Av!A!A!A²!AÀ!AÒ!Aæ!Aò!A"A"A&"A>"AP"Ab"Av"A"A¢"A¸"AÐ"Aä"Aô"A#A(#A:#AH#A(A(A#A¤#A¼#AÌ#AÜ#Aä#A$A$A0$AH$AT$A`$An$A$A$A¨$Aº$AÆ$AÒ$Aè$Aø$A%A%A6%AD%AP%Ad%Ar%A%A%A¬%AÂ%AÜ%Aö%A&A0&A>&AJ&AX&Af&Ap&A&A &A°&AÊ&AÜ&Að&A'A 'A4'A>'AJ'A\'Ar'A'A'Aª'A¼'AÌ'AÞ'Aò'A (Ar#A2H^&öúy@Ç@»¨@Öê@â[A«@âqA\A¸G@%g@ß~@ß~@zf@¯f@f@genericH@%g@Îf@Ðj@zf@¯f@f@TO@PP@±w@iostreamLH@%g@Îf@ój@zf@¯f@f@systemH@%g@Òf@Ðj@zf@¯f@f@string too longinvalid string positioniostream stream errorÿÿÿÿÿÿÿÿ@L@àR@*èH@xn@C4I@?s@±w@I@?s@±w@ÐI@?s@±w@L@P@±w@ J@¡x@±w@Unknown exception4J@¡x@ request_handle: 0x0000000000cc0080	1	1
InternetReadFile Nov. 7, 2023, 6:56 p.m.	buffer: Ð?tE)!XUÅ?Ð?ð¿ð¿ð¿ð¿ð¿ð¿ð¿ð¿ð¿ð¿ð¿ð¿ð¿T@V@ð¿ð¿ð¿ð¿ð¿ð¿ð¿ð¿ð¿ð¿ð¿ð¿ð¿ð¿@@@@@@ @"@ð?@@@@@@ @"@ð?@@@@@@ @"@ð?@@&=O8Â7¸ó$B:MZÿÿ¸@Øº´ Í!¸LÍ!This program cannot be run in DOS mode. $^ûªÄþÄþÄþl¿þÄþÅþÄþ=\©þÄþ=\¸þÄþ=\¼þÄþRichÄþPEdÕ Rð#à@`,<!PH@0 ð.textò `.rdata\| @@.data,0@À.pdata0@@@.rsrcHP@@HÄHXHhHpWATAUAVAWHìH¸ØùÿÿDñ3ÀAù ¹AÙIðLêóªv ¸WéYE3ÿHD$pE3ÉHD$8HD$hL\|$0HD$(EGAÖIÍL\|$ ÿA;ÇA;ßAïD¤$ÐH¼$HÆDNDVþHD$xHNøHD$PD\|$HD\|$@D\|$8D\|$0D\|$(D\|$ ÿ,A;ÇØFÅÇGüHD$xDgDDHG$HÇ0HÆ;ërLD$hLL$`H$ËÿéA;Çøu4HD$`E3ÉL\|$0HD$(EAAÖIÍL\|$ ÿ³HL$`øÿA;ßv H´$¨HI;ÏtÿsHÆ0HëuèHL$pÿæÇL$I[0Ik8Is@IãA_A^A]A\_ÃÿÅA;Çøu ¿WëÌÌÌH\$Hl$VWATHì0HêñH request_handle: 0x0000000000cc001c	1	1
InternetReadFile Nov. 7, 2023, 6:56 p.m.	buffer: raphicsõuPSR_classesÑuPSR_stdbuPSR_dllNuPSDebugger¹SimpleExpression¬SelLangFormæSetupEntÙRegSvr,UninstSharedFileFormÃUninstallD2009Win2kFixSXPThemeÞSafeDLLPathMZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $IzJ^ $ $ $ % "$ T87 $ [" $ $ $ Rich $ PELÙ\;à# 4ö'0qð.kl)<@/pTÐÄ.text{ `.data\0&@À.rsrc/@0(@@.relocÜpX@BÞ-Â---®-j-X--4-&-F-þ,ð,-n+¢+¸+Ä+Ð+â+ö+ ,\++B,X,n,,,ª,Æ,Ô,$+L+<+ä+ð²ØÂ¢,l*6,²\;Z²\;X²\;ðh²\;X request_handle: 0x0000000000cc001c	1	1
InternetReadFile Nov. 7, 2023, 7:09 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÙvHeàÈ~=È @È@ È@,=ÈO@Èè`È H.textÈ È `.rsrcè@È È@@.reloc`È&È@B`=ÈHl'ÈÀ0(<ÿÇ0_~, (,( ~, (,( ~, (,( ~, (,( ~,~ èZ( ~,rprp( & 8Â~o ~ o ~o ~o (~ , (~ rp( ,( rpo (+)~ r1p( ,( rpo (( ( ( (X ~o ?.ÿÿÿ~&0/s s s o Þ ,o Üo 0(i +i]aÒXi2ç6((+Ò0c ( ~-þs ~(+(+ + i]XX ÿ_(X 2Ø(! 0w{X ÿ_}{{{X ÿ_}{{{({{{{{X ÿ_aÒ03s (}}}þs" (+0 0rKp(# s$ o% t0ª(& o' rcp( ( (( -() o (+ ,(, ,(- `(. ~/ (0 ~o1 o2 o3 Þ/&Þ~4 (0 ~o1 o2 o3 Þ& Þ* *R'y%\|%¡%0\ r1p rmp(5 s6 rçpo7 rpo7 rpo7 rYpo7 rcpo7 s6 rcpo7 rcpo7 rcpo7 rcpo7 rcpo7 s6 rspo7 rspo7 rspo7 rspo7 rspo7 s6 (8 o7 (8 o7 (8 o7 (8 o7 ( request_handle: 0x0000000000cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00475a00', u'virtual_address': u'0x0057c000', u'entropy': 7.967339494400974, u'name': u'.@**..--', u'virtual_size': u'0x00475978'}

entropy

7.9673394944

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00022600', u'virtual_address': u'0x009f4000', u'entropy': 7.691253209357137, u'name': u'.rsrc', u'virtual_size': u'0x0003094e'}

entropy

7.69125320936

description

A section with a high entropy has been found

entropy

0.998090388288

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Nov. 7, 2023, 7:09 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 7, 2023, 7:09 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 7, 2023, 7:09 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Expresses interest in specific running processes (2 events)

process	www14_64.exe
process	mnzijhirqvkfyvrhohxvotk3.exe

Yara rule detected in process memory (23 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 78 events)

Time & API	Arguments	Status
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000520 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: AddressBook base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: Connection Manager base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: DirectDrawEx base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: EditPlus base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: ENTERPRISE base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: Fontcore base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: Google Chrome base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: IE40 base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: IE4Data base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: IE5BAKEX base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: IEData base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: MobileOptionPack base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: SchedulingAgent base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: WIC base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x00000520 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000480 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: AddressBook base_handle: 0x00000480 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: Connection Manager base_handle: 0x00000480 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: DirectDrawEx base_handle: 0x00000480 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: EditPlus base_handle: 0x00000480 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: ENTERPRISE base_handle: 0x00000480 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: Fontcore base_handle: 0x00000480 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: Google Chrome base_handle: 0x00000480 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000480 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: IE40 base_handle: 0x00000480 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Nov. 7, 2023, 7:09 p.m.	regkey_r: IE4Data base_handle: 0x00000480 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2244 CREDAT:145409

Communicates with host for which no DNS query was performed (9 events)

host	185.172.128.69
host	194.169.175.235
host	194.33.191.60
host	194.49.94.72
host	194.49.94.77
host	208.67.104.60
host	45.15.156.229
host	91.92.243.151
host	94.142.138.131

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 7, 2023, 7:09 p.m.	process_identifier: 4044 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Detects Avast Antivirus through the presence of a library (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetDllHandle Nov. 7, 2023, 7:09 p.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0
LdrGetDllHandle Nov. 7, 2023, 7:09 p.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0

Drops a binary and executes it (11 events)

file	C:\Users\test22\Pictures\Minor Policy\wKzMvEM3v8T4vaiDp67ushwj.exe
file	C:\Users\test22\Pictures\Minor Policy\VneSnp3_ukQr2DpIFzFJmPqn.exe
file	C:\Users\test22\Pictures\Minor Policy\mnzijhIRqVkfyvRhOhxVOtK3.exe
file	C:\Users\test22\Pictures\Minor Policy\KIgIybt5WVZFqpet46xtKWqC.exe
file	C:\Users\test22\AppData\Local\Temp\7z24C3188C\ul7A.CMd
file	C:\Users\test22\AppData\Local\Temp\7z24C3188C\9u_.CpL
file	C:\Users\test22\AppData\Local\Temp\InstallSetup5.exe
file	C:\Users\test22\AppData\Local\Temp\toolspub2.exe
file	C:\Users\test22\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
file	C:\Users\test22\AppData\Local\Temp\kos4.exe
file	C:\Users\test22\AppData\Local\Temp\latestX.exe

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 7, 2023, 7:09 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 4044 process_handle: 0x00000080	1	1	0

Collects information about installed applications (50 out of 54 events)

Time & API	Arguments	Status
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x0000051c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 7, 2023, 7:09 p.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1

Network activity contains more than one unique useragent (2 events)

process	WWW14_64.exe				useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
process	iexplore.exe				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3728 called NtSetContextThread to modify thread in remote process 4044
NtSetContextThread Nov. 7, 2023, 7:09 p.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4206040 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 4044	1	0	0

Drops 125 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 125 events)

file	C:\Windows\Prefetch\SDIAGNHOST.EXE-8D72177C.pf
file	c:\Windows\Temp\fwtsqmfile01.sqm
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\PERSOM-1107[1].bmp
file	C:\Windows\Prefetch\CSC.EXE-BE9AC2DF.pf
file	c:\Windows\Temp\fwtsqmfile00.sqm
file	C:\Windows\Prefetch\RUNDLL32.EXE-87432CEE.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-7BCB21A1.pf
file	C:\Windows\Prefetch\INJECT-X64.EXE-AAEEB6EB.pf
file	C:\Windows\Prefetch\Layout.ini
file	C:\Windows\Prefetch\LOGONUI.EXE-09140401.pf
file	C:\Users\test22\AppData\Local\Temp\~DF8C0F100C7231519A.TMP
file	C:\Windows\Prefetch\IEXPLORE.EXE-908C99F8.pf
file	C:\Windows\Prefetch\SETUP.EXE-A9A86358.pf
file	C:\Windows\Prefetch\SEARCHINDEXER.EXE-4A6353B9.pf
file	C:\Windows\Prefetch\SVCHOST.EXE-CF79EE4C.pf
file	C:\Windows\Prefetch\KOS4.EXE-CD99D1A2.pf
file	C:\Windows\Prefetch\SEARCHFILTERHOST.EXE-77482212.pf
file	C:\Windows\Prefetch\MAINTENANCESERVICE.EXE-FA0B1B99.pf
file	C:\Windows\Prefetch\PING.EXE-7E94E73E.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\32ssh7832haf[1].bmp
file	C:\Windows\Prefetch\CMD.EXE-AC113AA8.pf
file	C:\Windows\Prefetch\INSTALLSETUP5.EXE-6CAE54AE.pf
file	C:\Windows\Prefetch\PW.EXE-1D40DDAD.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\uglified_jindo[1].js
file	C:\Windows\Prefetch\ReadyBoot\Trace9.fx
file	C:\Windows\Prefetch\SETUP-STUB.EXE-8F842224.pf
file	C:\Windows\Prefetch\WERMGR.EXE-0F2AC88C.pf
file	C:\Users\test22\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
file	C:\Windows\Prefetch\DLLHOST.EXE-40DD444D.pf
file	C:\Windows\Prefetch\SHVKRILYCV_1AFAKNQPZZGUL.EXE-B2DDA4A8.pf
file	C:\Windows\Prefetch\MSIEXEC.EXE-A2D55CB6.pf
file	C:\Windows\Prefetch\REGSVR32.EXE-8461DBEE.pf
file	C:\Windows\Prefetch\ReadyBoot\Trace1.fx
file	C:\Windows\Prefetch\LATESTX.EXE-BFF22BBE.pf
file	C:\Windows\Prefetch\AgGlGlobalHistory.db
file	C:\Windows\Prefetch\DEFAULT-BROWSER-AGENT.EXE-01C82E17.pf
file	C:\Windows\Prefetch\TASKHOST.EXE-7238F31D.pf
file	C:\Windows\Prefetch\SVCHOST.EXE-007FEA55.pf
file	C:\Windows\Prefetch\DEFRAG.EXE-588F90AD.pf
file	C:\Windows\Prefetch\E0CBEFCB1AF40C7D4AFF4ACA26621-98ADCF8A.pf
file	C:\Windows\Prefetch\ReadyBoot\Trace8.fx
file	C:\Windows\Prefetch\WMIADAP.EXE-F8DFDFA2.pf
file	C:\Windows\Prefetch\CONTROL.EXE-817F8F1D.pf
file	C:\Windows\Prefetch\SVCHOST.EXE-5901D5E8.pf
file	C:\Windows\Prefetch\MMC.EXE-561C5A40.pf
file	C:\Windows\Prefetch\INJECT-X86.EXE-6FB1ED76.pf
file	C:\Windows\Prefetch\MNZIJHIRQVKFYVRHOHXVOTK3.EXE-8164D793.pf
file	C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf
file	C:\Windows\Prefetch\MSCORSVW.EXE-90526FAC.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 1014 events)

file	C:\Users\test22\AppData\Local\Temp\7z24C3188C\ul7A.CMd
file	C:\Users\test22\AppData\Local\Temp\7z24C3188C\9u_.CpL
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20200504224110B04).log
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\dthumb[10].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\dthumb[3].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1F4WQUHZ\dropbox_logo_text_2015-vfld7_dJ8[1].svg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\013[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\sprite-20210713@2x[2].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\7028d2d448816aeaab0e_20211029092933036[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\spr_lft_white_150916[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\AdPostInjectAsync[1].nhn
file	c:\Windows\Temp\fwtsqmfile01.sqm
file	C:\Users\test22\AppData\Local\Temp\outlook logging\firstrun.log
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\m_920_294_0729[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\cropImg_196x196_38699317823237099[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\e84a7e15-e6a9-41ec-9eb7-883e9b5e7249[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\348acc74d7ad9acbdda7_20211101182838273[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\1_237[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\favicon[3].png
file	C:\Windows\Prefetch\WMIADAP.EXE-F8DFDFA2.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\dthumb[9].jpg
file	C:\Windows\Prefetch\SVCHOST.EXE-80F4A784.pf
file	C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_000_vcRuntimeMinimum_x64.log
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\bootstrap.min[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\desktop.ini
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\jquery-1.12.4.min_v1[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\w[1].css
file	C:\Windows\Prefetch\MAINTENANCESERVICE.EXE-FA0B1B99.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\proximanova-bold-webfont[1].eot
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CURBIYE7\icon_spacer-vflN3BYt2[1].gif
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\3a7f4c4cb962a54fae75_20200728093632144[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\cropImg_728x360_77691188554226350[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\8c9b6e5b-4abb-45c6-9aa7-aa28806e8e84[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\TopNav[1].js
file	C:\Windows\Prefetch\CONTROL.EXE-817F8F1D.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\adf7905c-28ea-4ddf-93b2-aa96dad57752[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\977[1].png
file	C:\Windows\Prefetch\MSCORSVW.EXE-90526FAC.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\015[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\dthumbCAR5WT7S.jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\smart_editor2.me.min.200716[1].css
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\ipsec[3].htm
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\nsd13728808[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\327[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\sample-doc-download[1].htm
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\SOC-Facebook[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\f[2].txt
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\images[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\f1e83251-9248-4d4e-8d2e-d1505a55bc83[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\3de5642a-2629-4625-9a63-d96768537b11[1].jpg

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2784 resumed a thread in remote process 1380
Process injection	Process 2244 resumed a thread in remote process 2068
Process injection	Process 3728 resumed a thread in remote process 4044
NtResumeThread Nov. 7, 2023, 7:08 p.m.	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 1380	1	0	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2068	1	0	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 4044	1	0	0

Detects VirtualBox through the presence of a file (1 event)

file	C:\Windows\Prefetch\VBOXDRVINST.EXE-7DCD6070.pf

Disables Windows Security features (20 events)

description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{59EA7BF2-0B33-4E6B-995D-4A6EA5B29EF9}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{59EA7BF2-0B33-4E6B-995D-4A6EA5B29EF9}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{59EA7BF2-0B33-4E6B-995D-4A6EA5B29EF9}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{93225D21-BCBA-40BF-842E-C1282A1EAEAC}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{59EA7BF2-0B33-4E6B-995D-4A6EA5B29EF9}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{93225D21-BCBA-40BF-842E-C1282A1EAEAC}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{59EA7BF2-0B33-4E6B-995D-4A6EA5B29EF9}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{93225D21-BCBA-40BF-842E-C1282A1EAEAC}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{59EA7BF2-0B33-4E6B-995D-4A6EA5B29EF9}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{59EA7BF2-0B33-4E6B-995D-4A6EA5B29EF9}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{93225D21-BCBA-40BF-842E-C1282A1EAEAC}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{59EA7BF2-0B33-4E6B-995D-4A6EA5B29EF9}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{93225D21-BCBA-40BF-842E-C1282A1EAEAC}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{93225D21-BCBA-40BF-842E-C1282A1EAEAC}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{93225D21-BCBA-40BF-842E-C1282A1EAEAC}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{93225D21-BCBA-40BF-842E-C1282A1EAEAC}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{59EA7BF2-0B33-4E6B-995D-4A6EA5B29EF9}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{59EA7BF2-0B33-4E6B-995D-4A6EA5B29EF9}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{93225D21-BCBA-40BF-842E-C1282A1EAEAC}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{93225D21-BCBA-40BF-842E-C1282A1EAEAC}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions

Executed a process and injected code into it, probably while unpacking (50 out of 116 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 7, 2023, 6:56 p.m.	thread_handle: 0x00000000000003b4 suspend_count: 1 process_identifier: 2676	1	0
CreateProcessInternalW Nov. 7, 2023, 6:57 p.m.	thread_identifier: 2228 thread_handle: 0x00000000000008d8 process_identifier: 2224 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\rw90YVhZMPemeYQdRA2001Fn.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\rw90YVhZMPemeYQdRA2001Fn.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\rw90YVhZMPemeYQdRA2001Fn.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000008e4	1	1
CreateProcessInternalW Nov. 7, 2023, 6:57 p.m.	thread_identifier: 2196 thread_handle: 0x000000000000088c process_identifier: 2188 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\52oB2Wye5oshKFFiEPt9HcBJ.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\52oB2Wye5oshKFFiEPt9HcBJ.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\52oB2Wye5oshKFFiEPt9HcBJ.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000007e0	1	1
CreateProcessInternalW Nov. 7, 2023, 6:57 p.m.	thread_identifier: 2216 thread_handle: 0x00000000000007c8 process_identifier: 2256 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\WJ_BGqn1aegCCsabvg5JZP1c.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\WJ_BGqn1aegCCsabvg5JZP1c.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\WJ_BGqn1aegCCsabvg5JZP1c.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000000000000082c	1	1
CreateProcessInternalW Nov. 7, 2023, 6:57 p.m.	thread_identifier: 2260 thread_handle: 0x00000000000008a8 process_identifier: 2212 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\L03QtA_eoQSXVxOFXCwW2RRG.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\L03QtA_eoQSXVxOFXCwW2RRG.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\L03QtA_eoQSXVxOFXCwW2RRG.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000904	1	1
CreateProcessInternalW Nov. 7, 2023, 6:57 p.m.	thread_identifier: 2692 thread_handle: 0x0000000000000a28 process_identifier: 2656 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\wKzMvEM3v8T4vaiDp67ushwj.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\wKzMvEM3v8T4vaiDp67ushwj.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\wKzMvEM3v8T4vaiDp67ushwj.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000a68	1	1
CreateProcessInternalW Nov. 7, 2023, 6:57 p.m.	thread_identifier: 2688 thread_handle: 0x0000000000000a60 process_identifier: 2696 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\VneSnp3_ukQr2DpIFzFJmPqn.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\VneSnp3_ukQr2DpIFzFJmPqn.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\VneSnp3_ukQr2DpIFzFJmPqn.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000a78	1	1
CreateProcessInternalW Nov. 7, 2023, 6:57 p.m.	thread_identifier: 2712 thread_handle: 0x0000000000000aa4 process_identifier: 2708 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\mnzijhIRqVkfyvRhOhxVOtK3.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\mnzijhIRqVkfyvRhOhxVOtK3.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\mnzijhIRqVkfyvRhOhxVOtK3.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000000000000074c	1	1
CreateProcessInternalW Nov. 7, 2023, 6:57 p.m.	thread_identifier: 2728 thread_handle: 0x0000000000000ad4 process_identifier: 2456 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\KIgIybt5WVZFqpet46xtKWqC.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\KIgIybt5WVZFqpet46xtKWqC.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\KIgIybt5WVZFqpet46xtKWqC.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000ae0	1	1
NtResumeThread Nov. 7, 2023, 7:08 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Nov. 7, 2023, 7:08 p.m.	thread_handle: 0x0000000000000138 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Nov. 7, 2023, 7:08 p.m.	thread_handle: 0x0000000000000178 suspend_count: 1 process_identifier: 2224	1	0
CreateProcessInternalW Nov. 7, 2023, 7:08 p.m.	thread_identifier: 2796 thread_handle: 0x00000270 process_identifier: 2784 current_directory: C:\Users\test22\AppData\Local\Temp\7z24C3188C filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\7z24C3188C\ul7A.CMd" filepath_r: stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000264	1	1
NtResumeThread Nov. 7, 2023, 7:08 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2212	1	0
NtResumeThread Nov. 7, 2023, 7:08 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2212	1	0
NtResumeThread Nov. 7, 2023, 7:08 p.m.	thread_handle: 0x000001a0 suspend_count: 1 process_identifier: 2212	1	0
NtResumeThread Nov. 7, 2023, 7:08 p.m.	thread_handle: 0x000001ec suspend_count: 1 process_identifier: 2212	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x00000318 suspend_count: 1 process_identifier: 2212	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x00000354 suspend_count: 1 process_identifier: 2212	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x000003f4 suspend_count: 1 process_identifier: 2212	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x000003d0 suspend_count: 1 process_identifier: 2212	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x0000026c suspend_count: 1 process_identifier: 2212	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 2212	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 2212	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x0000045c suspend_count: 1 process_identifier: 2212	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x00000474 suspend_count: 1 process_identifier: 2212	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x00000490 suspend_count: 1 process_identifier: 2212	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x000004a8 suspend_count: 1 process_identifier: 2212	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x000004c8 suspend_count: 1 process_identifier: 2212	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x000004d4 suspend_count: 1 process_identifier: 2212	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x000004fc suspend_count: 1 process_identifier: 2212	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x00000514 suspend_count: 1 process_identifier: 2212	1	0
NtResumeThread Nov. 7, 2023, 7:08 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread Nov. 7, 2023, 7:08 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread Nov. 7, 2023, 7:08 p.m.	thread_handle: 0x000001bc suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread Nov. 7, 2023, 7:08 p.m.	thread_handle: 0x000001f4 suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread Nov. 7, 2023, 7:08 p.m.	thread_handle: 0x000002d8 suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread Nov. 7, 2023, 7:08 p.m.	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x00000390 suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x000003f0 suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x00000460 suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x00000478 suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x00000498 suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x000004b0 suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x000004cc suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x000004d8 suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x000004fc suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x0000053c suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread Nov. 7, 2023, 7:09 p.m.	thread_handle: 0x000005b8 suspend_count: 1 process_identifier: 2656	1	0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	192.168.56.101:49163
dead_host	208.67.104.60:80

WWW14_64.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All