Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 14, 2023, 7:55 a.m.	Dec. 14, 2023, 8:04 a.m.

Size	4.1MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`db9836afc44b9a8fd086abd3e882524e`
SHA256	`be07b7c16e488ad2e0fdf1348f2d0915cdc50337b32711b7fcd8a42413ad8a29`
CRC32	`A112E03E`
ssdeep	`49152:Kfx0e/q1Z19+Ala8MISsCsErVSww1IaDUsJsojOP51UVXogeUSFaYjK6P9hL:oi2ZyN4Q1IaDBBjSLUVXZehX79h`
PDB Path	cassette_tapes_goodie_bag.pdb
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult UPX_Zero - UPX packed file

file.exe "C:\Users\test22\AppData\Local\Temp\file.exe"
444
- RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2436
  - innkmiukfdgrakq.exe "C:\Users\test22\AppData\Local\Temp\innkmiukfdgrakq.exe"
    2632
    - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\s214.0.bat" "
      2732
      - timeout.exe timeout 3
        2792
      - XRJNZC.exe "C:\ProgramData\pinterests\XRJNZC.exe"
        2904
        
        schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
        3052
  - cwdeprxrvlonbdrjec.exe "C:\Users\test22\AppData\Local\Temp\cwdeprxrvlonbdrjec.exe"
    2676
  - wgkpgkairhk.exe "C:\Users\test22\AppData\Local\Temp\wgkpgkairhk.exe"
    2828
    - Utsysc.exe "C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe"
      1836
      - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F
        2488
      - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
        1284
        
        rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
        2160
        
        netsh.exe netsh wlan show profiles
        2708
      - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\clip64.dll, Main
        2916
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
gatelistcoldyeisa.pw	A 104.21.7.219 A 172.67.188.16	104.21.7.219

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.188.16	Active	Moloch
185.172.128.5	Active	Moloch
185.172.128.8	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49175 -> 172.67.188.16:80	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49177 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49165 -> 172.67.188.16:80	2048093	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49165 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49179 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49169 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49182 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49172 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49176 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49187 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49170 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49181 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49166 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49180 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49174 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49184 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49186 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49185 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49193 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49194 -> 185.172.128.8:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49194 -> 185.172.128.8:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49190 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 185.172.128.8:80 -> 192.168.56.103:49194	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.103:49171 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49173 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 185.172.128.8:80 -> 192.168.56.103:49194	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.172.128.8:80 -> 192.168.56.103:49194	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49188 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49192 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49178 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49183 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49189 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49191 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49198 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49201 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49202 -> 172.67.188.16:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity
TCP 192.168.56.103:49194 -> 185.172.128.8:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49194 -> 185.172.128.8:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.103:49194 -> 185.172.128.8:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49194 -> 185.172.128.8:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.103:49210 -> 185.172.128.5:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 185.172.128.5:80 -> 192.168.56.103:49210	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.172.128.5:80 -> 192.168.56.103:49210	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49212 -> 185.172.128.5:80	2044597	ET MALWARE Amadey Bot Activity (POST) M1	A Network Trojan was detected
TCP 192.168.56.103:49210 -> 185.172.128.5:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Dec. 14, 2023, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 7:56 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 14, 2023, 7:55 a.m.			0	0
IsDebuggerPresent Dec. 14, 2023, 7:55 a.m.			0	0
IsDebuggerPresent Dec. 14, 2023, 7:49 a.m.			0	0
IsDebuggerPresent Dec. 14, 2023, 7:57 a.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Dec. 14, 2023, 7:56 a.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 14, 2023, 7:56 a.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\s214.2 console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 14, 2023, 7:56 a.m.	buffer: SUCCESS: The scheduled task "XRJNZC" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Dec. 14, 2023, 7:56 a.m.	buffer: SUCCESS: The scheduled task "Utsysc.exe" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey Dec. 14, 2023, 7:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00446188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 7:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00446248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 7:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00446248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 7:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00446588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 7:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00446588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 7:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00446648 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

cassette_tapes_goodie_bag.pdb

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe\Path

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 14, 2023, 7:55 a.m.		1	1	0

One or more processes crashed (50 out of 65557 events)

Time & API	Arguments	Status
__exception__ Dec. 14, 2023, 7:56 a.m.	stacktrace: RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 RtlDeleteBoundaryDescriptor+0x1b RtlAnsiStringToUnicodeString-0x2d ntdll+0x2e688 @ 0x778ce688 RtlMultiByteToUnicodeN+0x11a RtlDeleteBoundaryDescriptor-0xe ntdll+0x2e65f @ 0x778ce65f EtwEventRegister+0x17f EtwRegisterTraceGuidsW-0xa ntdll+0x3f839 @ 0x778df839 LdrGetProcedureAddressEx+0x11f wcsstr-0x99d ntdll+0x302ea @ 0x778d02ea LdrGetProcedureAddress+0x18 LdrGetProcedureAddressEx-0x9 ntdll+0x301c2 @ 0x778d01c2 New_ntdll_LdrGetProcedureAddress@16+0xcd New_ntdll_LdrLoadDll@16-0x87 @ 0x7466d3cd GetProcAddress+0x44 GetVersion-0x38 kernelbase+0x111c4 @ 0x755a11c4 CreateAssemblyNameObject+0xe4d1 GetMetaDataInternalInterface-0x29f9e clr+0x3b96a @ 0x73f6b96a CoUninitializeEE+0xa200 CreateAssemblyNameObject-0x3a55 clr+0x29a44 @ 0x73f59a44 CoUninitializeEE+0xa149 CreateAssemblyNameObject-0x3b0c clr+0x2998d @ 0x73f5998d CoUninitializeEE+0xa055 CreateAssemblyNameObject-0x3c00 clr+0x29899 @ 0x73f59899 CoUninitializeEE+0x9fee CreateAssemblyNameObject-0x3c67 clr+0x29832 @ 0x73f59832 DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x73f4bcd5 DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x73f32ae9 system+0x1ca9e1 @ 0x711ea9e1 system+0x75b20d @ 0x7177b20d 0xb8110a system+0x1f9799 @ 0x71219799 system+0x1f92c8 @ 0x712192c8 system+0x1eca74 @ 0x7120ca74 system+0x1ec868 @ 0x7120c868 system+0x1f82b8 @ 0x712182b8 system+0x1ee54d @ 0x7120e54d system+0x1f70ea @ 0x712170ea system+0x1e56c0 @ 0x712056c0 system+0x1f8215 @ 0x71218215 system+0x1f6f75 @ 0x71216f75 system+0x1ee251 @ 0x7120e251 system+0x1ee229 @ 0x7120e229 system+0x1ee170 @ 0x7120e170 0x54a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755f6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755f6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x778b011a system+0x1ebc85 @ 0x7120bc85 system+0x1f683b @ 0x7121683b system+0x1a5e44 @ 0x711c5e44 system+0x1fd8a0 @ 0x7121d8a0 system+0x1fd792 @ 0x7121d792 system+0x1a14bd @ 0x711c14bd 0xb8008e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73ff74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73ff7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74081dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74081e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74081f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7408416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e exception.instruction: mov eax, dword ptr [esi + 4] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 189342 exception.address: 0x778ce39e registers.esp: 2155460 registers.edi: 82108416 registers.eax: 0 registers.ebp: 2155512 registers.edx: 82108424 registers.ebx: 82108424 registers.esi: 518956009 registers.ecx: 4128768	1
__exception__ Dec. 14, 2023, 7:56 a.m.	stacktrace: RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 CoUninitializeEE+0x9bdc CreateAssemblyNameObject-0x4079 clr+0x29420 @ 0x73f59420 GetPrivateContextsPerfCounters+0x10ed DllGetActivationFactoryImpl-0x13778 clr+0x8906f @ 0x73fb906f mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e mscorlib+0x2fcd8c @ 0x728bcd8c mscorlib+0x2fcd0b @ 0x728bcd0b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95 DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x74055713 DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x740557d5 mscorlib+0x9bc1c8 @ 0x72f7c1c8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x73f59df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x73f59e2f DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x740018ed DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x74001bfd CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x74153553 LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x74108a42 DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x74054e95 DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x74054dd8 RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x778e6ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x7467482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 RtlDeleteBoundaryDescriptor+0x1b RtlAnsiStringToUnicodeString-0x2d ntdll+0x2e688 @ 0x778ce688 RtlMultiByteToUnicodeN+0x11a RtlDeleteBoundaryDescriptor-0xe ntdll+0x2e65f @ 0x778ce65f EtwEventRegister+0x17f EtwRegisterTraceGuidsW-0xa ntdll+0x3f839 @ 0x778df839 LdrGetProcedureAddressEx+0x11f wcsstr-0x99d ntdll+0x302ea @ 0x778d02ea LdrGetProcedureAddress+0x18 LdrGetProcedureAddressEx-0x9 ntdll+0x301c2 @ 0x778d01c2 New_ntdll_LdrGetProcedureAddress@16+0xcd New_ntdll_LdrLoadDll@16-0x87 @ 0x7466d3cd GetProcAddress+0x44 GetVersion-0x38 kernelbase+0x111c4 @ 0x755a11c4 CreateAssemblyNameObject+0xe4d1 GetMetaDataInternalInterface-0x29f9e clr+0x3b96a @ 0x73f6b96a CoUninitializeEE+0xa200 CreateAssemblyNameObject-0x3a55 clr+0x29a44 @ 0x73f59a44 CoUninitializeEE+0xa149 CreateAssemblyNameObject-0x3b0c clr+0x2998d @ 0x73f5998d CoUninitializeEE+0xa055 CreateAssemblyNameObject-0x3c00 clr+0x29899 @ 0x73f59899 CoUninitializeEE+0x9fee CreateAssemblyNameObject-0x3c67 clr+0x29832 @ 0x73f59832 DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x73f4bcd5 DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x73f32ae9 system+0x1ca9e1 @ 0x711ea9e1 system+0x75b20d @ 0x7177b20d 0xb8110a system+0x1f9799 @ 0x71219799 system+0x1f92c8 @ 0x712192c8 system+0x1eca74 @ 0x7120ca74 exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e exception.instruction: mov eax, dword ptr [esi + 4] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 189342 exception.address: 0x778ce39e registers.esp: 2150312 registers.edi: 82106768 registers.eax: 4473968 registers.ebp: 2150364 registers.edx: 82106776 registers.ebx: 82106776 registers.esi: 514515115 registers.ecx: 4128768	1
__exception__ Dec. 14, 2023, 7:56 a.m.	stacktrace: RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 RtlFreeSid+0x1b RtlAllocateAndInitializeSid-0x15 ntdll+0x393cd @ 0x778d93cd GetComputerNameA+0xa84 GetFileInformationByHandleEx-0x62b kernel32+0x2c164 @ 0x7580c164 GetComputerNameA+0xaef GetFileInformationByHandleEx-0x5c0 kernel32+0x2c1cf @ 0x7580c1cf GetComputerNameA+0xab1 GetFileInformationByHandleEx-0x5fe kernel32+0x2c191 @ 0x7580c191 MapViewOfFileEx+0x21 InitializeCriticalSectionEx-0x84 kernel32+0x14ca4 @ 0x757f4ca4 RegOpenKeyExW+0xf6 LocalFree-0x935 kernel32+0x12407 @ 0x757f2407 RegOpenKeyExW+0x21 LocalFree-0xa0a kernel32+0x12332 @ 0x757f2332 New_advapi32_RegOpenKeyExW@20+0x4f New_advapi32_RegQueryInfoKeyA@48-0x173 @ 0x74663ca1 CreateAssemblyNameObject+0xc283 GetMetaDataInternalInterface-0x2c1ec clr+0x3971c @ 0x73f6971c StrongNameSignatureVerification+0x9a32 GetMetaDataPublicInterfaceFromInternal-0x1e1e clr+0x1934e8 @ 0x740c34e8 StrongNameSignatureVerification+0x9bcc GetMetaDataPublicInterfaceFromInternal-0x1c84 clr+0x193682 @ 0x740c3682 GetMetaDataPublicInterfaceFromInternal+0x641 CopyPDBs-0x2fb clr+0x195947 @ 0x740c5947 GetMetaDataPublicInterfaceFromInternal+0x850 CopyPDBs-0xec clr+0x195b56 @ 0x740c5b56 GetMetaDataPublicInterfaceFromInternal+0x23d CopyPDBs-0x6ff clr+0x195543 @ 0x740c5543 StrongNameSignatureVerification+0x839b GetMetaDataPublicInterfaceFromInternal-0x34b5 clr+0x191e51 @ 0x740c1e51 StrongNameSignatureVerification+0x854e GetMetaDataPublicInterfaceFromInternal-0x3302 clr+0x192004 @ 0x740c2004 mscorlib+0x355147 @ 0x72915147 mscorlib+0x985c14 @ 0x72f45c14 mscorlib+0x9b45cf @ 0x72f745cf mscorlib+0xd224c1 @ 0x732e24c1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e mscorlib+0x2fcd8c @ 0x728bcd8c mscorlib+0x2fcd0b @ 0x728bcd0b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95 DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x74055713 DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x740557d5 mscorlib+0x9bc1c8 @ 0x72f7c1c8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x73f59df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x73f59e2f DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x740018ed DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x74001bfd CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x74153553 LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x74108a42 DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x74054e95 DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x74054dd8 RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x778e6ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x7467482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 CoUninitializeEE+0x9bdc CreateAssemblyNameObject-0x4079 clr+0x29420 @ 0x73f59420 GetPrivateContextsPerfCounters+0x10ed DllGetActivationFactoryImpl-0x13778 clr+0x8906f @ 0x73fb906f mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e exception.instruction: mov eax, dword ptr [esi + 4] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 189342 exception.address: 0x778ce39e registers.esp: 2142152 registers.edi: 82156048 registers.eax: 0 registers.ebp: 2142204 registers.edx: 82156056 registers.ebx: 82156056 registers.esi: 518950059 registers.ecx: 4128768	1
__exception__ Dec. 14, 2023, 7:56 a.m.	stacktrace: RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 GetPrivateContextsPerfCounters+0xf4 DllGetActivationFactoryImpl-0x14771 clr+0x88076 @ 0x73fb8076 GetPrivateContextsPerfCounters+0x10c5 DllGetActivationFactoryImpl-0x137a0 clr+0x89047 @ 0x73fb9047 mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e mscorlib+0x2fcd8c @ 0x728bcd8c mscorlib+0x2fcd0b @ 0x728bcd0b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95 DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x74055713 DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x740557d5 mscorlib+0x9bc1c8 @ 0x72f7c1c8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x73f59df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x73f59e2f DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x740018ed DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x74001bfd CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x74153553 LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x74108a42 DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x74054e95 DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x74054dd8 RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x778e6ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x7467482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 RtlFreeSid+0x1b RtlAllocateAndInitializeSid-0x15 ntdll+0x393cd @ 0x778d93cd GetComputerNameA+0xa84 GetFileInformationByHandleEx-0x62b kernel32+0x2c164 @ 0x7580c164 GetComputerNameA+0xaef GetFileInformationByHandleEx-0x5c0 kernel32+0x2c1cf @ 0x7580c1cf GetComputerNameA+0xab1 GetFileInformationByHandleEx-0x5fe kernel32+0x2c191 @ 0x7580c191 MapViewOfFileEx+0x21 InitializeCriticalSectionEx-0x84 kernel32+0x14ca4 @ 0x757f4ca4 RegOpenKeyExW+0xf6 LocalFree-0x935 kernel32+0x12407 @ 0x757f2407 RegOpenKeyExW+0x21 LocalFree-0xa0a kernel32+0x12332 @ 0x757f2332 New_advapi32_RegOpenKeyExW@20+0x4f New_advapi32_RegQueryInfoKeyA@48-0x173 @ 0x74663ca1 CreateAssemblyNameObject+0xc283 GetMetaDataInternalInterface-0x2c1ec clr+0x3971c @ 0x73f6971c StrongNameSignatureVerification+0x9a32 GetMetaDataPublicInterfaceFromInternal-0x1e1e clr+0x1934e8 @ 0x740c34e8 StrongNameSignatureVerification+0x9bcc GetMetaDataPublicInterfaceFromInternal-0x1c84 clr+0x193682 @ 0x740c3682 GetMetaDataPublicInterfaceFromInternal+0x641 CopyPDBs-0x2fb clr+0x195947 @ 0x740c5947 GetMetaDataPublicInterfaceFromInternal+0x850 CopyPDBs-0xec clr+0x195b56 @ 0x740c5b56 GetMetaDataPublicInterfaceFromInternal+0x23d CopyPDBs-0x6ff clr+0x195543 @ 0x740c5543 StrongNameSignatureVerification+0x839b GetMetaDataPublicInterfaceFromInternal-0x34b5 clr+0x191e51 @ 0x740c1e51 StrongNameSignatureVerification+0x854e GetMetaDataPublicInterfaceFromInternal-0x3302 clr+0x192004 @ 0x740c2004 mscorlib+0x355147 @ 0x72915147 mscorlib+0x985c14 @ 0x72f45c14 mscorlib+0x9b45cf @ 0x72f745cf mscorlib+0xd224c1 @ 0x732e24c1 exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e exception.instruction: mov eax, dword ptr [esi + 4] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 189342 exception.address: 0x778ce39e registers.esp: 2136792 registers.edi: 82106768 registers.eax: 4473968 registers.ebp: 2136844 registers.edx: 82106776 registers.ebx: 82106776 registers.esi: 514515115 registers.ecx: 4128768	1
__exception__ Dec. 14, 2023, 7:56 a.m.	stacktrace: RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 GetPrivateContextsPerfCounters+0xf4 DllGetActivationFactoryImpl-0x14771 clr+0x88076 @ 0x73fb8076 GetPrivateContextsPerfCounters+0x10c5 DllGetActivationFactoryImpl-0x137a0 clr+0x89047 @ 0x73fb9047 mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e mscorlib+0x2fcd8c @ 0x728bcd8c mscorlib+0x2fcd0b @ 0x728bcd0b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95 DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x74055713 DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x740557d5 mscorlib+0x9bc1c8 @ 0x72f7c1c8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x73f59df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x73f59e2f DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x740018ed DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x74001bfd CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x74153553 LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x74108a42 DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x74054e95 DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x74054dd8 RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x778e6ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x7467482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 GetPrivateContextsPerfCounters+0xf4 DllGetActivationFactoryImpl-0x14771 clr+0x88076 @ 0x73fb8076 GetPrivateContextsPerfCounters+0x10c5 DllGetActivationFactoryImpl-0x137a0 clr+0x89047 @ 0x73fb9047 mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e exception.instruction: mov eax, dword ptr [esi + 4] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 189342 exception.address: 0x778ce39e registers.esp: 2131432 registers.edi: 82343160 registers.eax: 76138801 registers.ebp: 2131484 registers.edx: 82343168 registers.ebx: 82343168 registers.esi: 442955847 registers.ecx: 4128768	1
__exception__ Dec. 14, 2023, 7:56 a.m.	stacktrace: RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 GetPrivateContextsPerfCounters+0xf4 DllGetActivationFactoryImpl-0x14771 clr+0x88076 @ 0x73fb8076 GetPrivateContextsPerfCounters+0x10c5 DllGetActivationFactoryImpl-0x137a0 clr+0x89047 @ 0x73fb9047 mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e mscorlib+0x2fcd8c @ 0x728bcd8c mscorlib+0x2fcd0b @ 0x728bcd0b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95 DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x74055713 DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x740557d5 mscorlib+0x9bc1c8 @ 0x72f7c1c8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x73f59df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x73f59e2f DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x740018ed DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x74001bfd CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x74153553 LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x74108a42 DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x74054e95 DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x74054dd8 RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x778e6ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x7467482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 GetPrivateContextsPerfCounters+0xf4 DllGetActivationFactoryImpl-0x14771 clr+0x88076 @ 0x73fb8076 GetPrivateContextsPerfCounters+0x10c5 DllGetActivationFactoryImpl-0x137a0 clr+0x89047 @ 0x73fb9047 mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e exception.instruction: mov eax, dword ptr [esi + 4] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 189342 exception.address: 0x778ce39e registers.esp: 2126072 registers.edi: 82106800 registers.eax: 4140272 registers.ebp: 2126124 registers.edx: 82106808 registers.ebx: 82106808 registers.esi: 517048367 registers.ecx: 4128768	1
__exception__ Dec. 14, 2023, 7:56 a.m.	stacktrace: RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 GetPrivateContextsPerfCounters+0xf4 DllGetActivationFactoryImpl-0x14771 clr+0x88076 @ 0x73fb8076 GetPrivateContextsPerfCounters+0x10c5 DllGetActivationFactoryImpl-0x137a0 clr+0x89047 @ 0x73fb9047 mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e mscorlib+0x2fcd8c @ 0x728bcd8c mscorlib+0x2fcd0b @ 0x728bcd0b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95 DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x74055713 DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x740557d5 mscorlib+0x9bc1c8 @ 0x72f7c1c8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x73f59df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x73f59e2f DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x740018ed DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x74001bfd CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x74153553 LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x74108a42 DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x74054e95 DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x74054dd8 RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x778e6ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x7467482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 GetPrivateContextsPerfCounters+0xf4 DllGetActivationFactoryImpl-0x14771 clr+0x88076 @ 0x73fb8076 GetPrivateContextsPerfCounters+0x10c5 DllGetActivationFactoryImpl-0x137a0 clr+0x89047 @ 0x73fb9047 mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e exception.instruction: mov eax, dword ptr [esi + 4] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 189342 exception.address: 0x778ce39e registers.esp: 2120712 registers.edi: 82566912 registers.eax: 4294895757 registers.ebp: 2120764 registers.edx: 82566920 registers.ebx: 82566920 registers.esi: 3776031876 registers.ecx: 4128768	1
__exception__ Dec. 14, 2023, 7:56 a.m.	stacktrace: RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 GetPrivateContextsPerfCounters+0xf4 DllGetActivationFactoryImpl-0x14771 clr+0x88076 @ 0x73fb8076 GetPrivateContextsPerfCounters+0x10c5 DllGetActivationFactoryImpl-0x137a0 clr+0x89047 @ 0x73fb9047 mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e mscorlib+0x2fcd8c @ 0x728bcd8c mscorlib+0x2fcd0b @ 0x728bcd0b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95 DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x74055713 DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x740557d5 mscorlib+0x9bc1c8 @ 0x72f7c1c8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x73f59df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x73f59e2f DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x740018ed DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x74001bfd CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x74153553 LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x74108a42 DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x74054e95 DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x74054dd8 RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x778e6ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x7467482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 GetPrivateContextsPerfCounters+0xf4 DllGetActivationFactoryImpl-0x14771 clr+0x88076 @ 0x73fb8076 GetPrivateContextsPerfCounters+0x10c5 DllGetActivationFactoryImpl-0x137a0 clr+0x89047 @ 0x73fb9047 mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e exception.instruction: mov eax, dword ptr [esi + 4] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 189342 exception.address: 0x778ce39e registers.esp: 2115352 registers.edi: 82388400 registers.eax: 4051747208 registers.ebp: 2115404 registers.edx: 82388408 registers.ebx: 82388408 registers.esi: 4017085143 registers.ecx: 4128768	1
__exception__ Dec. 14, 2023, 7:56 a.m.	stacktrace: RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 GetPrivateContextsPerfCounters+0xf4 DllGetActivationFactoryImpl-0x14771 clr+0x88076 @ 0x73fb8076 GetPrivateContextsPerfCounters+0x10c5 DllGetActivationFactoryImpl-0x137a0 clr+0x89047 @ 0x73fb9047 mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e mscorlib+0x2fcd8c @ 0x728bcd8c mscorlib+0x2fcd0b @ 0x728bcd0b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95 DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x74055713 DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x740557d5 mscorlib+0x9bc1c8 @ 0x72f7c1c8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x73f59df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x73f59e2f DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x740018ed DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x74001bfd CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x74153553 LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x74108a42 DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x74054e95 DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x74054dd8 RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x778e6ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x7467482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 GetPrivateContextsPerfCounters+0xf4 DllGetActivationFactoryImpl-0x14771 clr+0x88076 @ 0x73fb8076 GetPrivateContextsPerfCounters+0x10c5 DllGetActivationFactoryImpl-0x137a0 clr+0x89047 @ 0x73fb9047 mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e exception.instruction: mov eax, dword ptr [esi + 4] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 189342 exception.address: 0x778ce39e registers.esp: 2109992 registers.edi: 82191024 registers.eax: 3896345380 registers.ebp: 2110044 registers.edx: 82191032 registers.ebx: 82191032 registers.esi: 4141054107 registers.ecx: 4128768	1
__exception__ Dec. 14, 2023, 7:56 a.m.	stacktrace: RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 GetPrivateContextsPerfCounters+0xf4 DllGetActivationFactoryImpl-0x14771 clr+0x88076 @ 0x73fb8076 GetPrivateContextsPerfCounters+0x10c5 DllGetActivationFactoryImpl-0x137a0 clr+0x89047 @ 0x73fb9047 mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e mscorlib+0x2fcd8c @ 0x728bcd8c mscorlib+0x2fcd0b @ 0x728bcd0b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95 DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x74055713 DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x740557d5 mscorlib+0x9bc1c8 @ 0x72f7c1c8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x73f59df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x73f59e2f DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x740018ed DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x74001bfd CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x74153553 LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x74108a42 DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x74054e95 DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x74054dd8 RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x778e6ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x7467482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 GetPrivateContextsPerfCounters+0xf4 DllGetActivationFactoryImpl-0x14771 clr+0x88076 @ 0x73fb8076 GetPrivateContextsPerfCounters+0x10c5 DllGetActivationFactoryImpl-0x137a0 clr+0x89047 @ 0x73fb9047 mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e exception.instruction: mov eax, dword ptr [esi + 4] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 189342 exception.address: 0x778ce39e registers.esp: 2104632 registers.edi: 82379272 registers.eax: 4294017217 registers.ebp: 2104684 registers.edx: 82379280 registers.ebx: 82379280 registers.esi: 3776880489 registers.ecx: 4128768	1
__exception__ Dec. 14, 2023, 7:56 a.m.	stacktrace: RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 GetPrivateContextsPerfCounters+0xf4 DllGetActivationFactoryImpl-0x14771 clr+0x88076 @ 0x73fb8076 GetPrivateContextsPerfCounters+0x10c5 DllGetActivationFactoryImpl-0x137a0 clr+0x89047 @ 0x73fb9047 mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e mscorlib+0x2fcd8c @ 0x728bcd8c mscorlib+0x2fcd0b @ 0x728bcd0b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95 DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x74055713 DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x740557d5 mscorlib+0x9bc1c8 @ 0x72f7c1c8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x73f59df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x73f59e2f DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x740018ed DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x74001bfd CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x74153553 LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x74108a42 DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x74054e95 DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x74054dd8 RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x778e6ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x7467482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 GetPrivateContextsPerfCounters+0xf4 DllGetActivationFactoryImpl-0x14771 clr+0x88076 @ 0x73fb8076 GetPrivateContextsPerfCounters+0x10c5 DllGetActivationFactoryImpl-0x137a0 clr+0x89047 @ 0x73fb9047 mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e exception.instruction: mov eax, dword ptr [esi + 4] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 189342 exception.address: 0x778ce39e registers.esp: 2099272 registers.edi: 82123568 registers.eax: 1946445860 registers.ebp: 2099324 registers.edx: 82123576 registers.ebx: 82123576 registers.esi: 1793782955 registers.ecx: 4128768	1
__exception__ Dec. 14, 2023, 7:56 a.m.	stacktrace: RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 GetPrivateContextsPerfCounters+0xf4 DllGetActivationFactoryImpl-0x14771 clr+0x88076 @ 0x73fb8076 GetPrivateContextsPerfCounters+0x10c5 DllGetActivationFactoryImpl-0x137a0 clr+0x89047 @ 0x73fb9047 mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e mscorlib+0x2fcd8c @ 0x728bcd8c mscorlib+0x2fcd0b @ 0x728bcd0b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95 DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x74055713 DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x740557d5 mscorlib+0x9bc1c8 @ 0x72f7c1c8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x73f59df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x73f59e2f DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x740018ed DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x74001bfd CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x74153553 LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x74108a42 DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x74054e95 DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x74054dd8 RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x778e6ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x7467482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 GetPrivateContextsPerfCounters+0xf4 DllGetActivationFactoryImpl-0x14771 clr+0x88076 @ 0x73fb8076 GetPrivateContextsPerfCounters+0x10c5 DllGetActivationFactoryImpl-0x137a0 clr+0x89047 @ 0x73fb9047 mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e exception.instruction: mov eax, dword ptr [esi + 4] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 189342 exception.address: 0x778ce39e registers.esp: 2093912 registers.edi: 82318960 registers.eax: 16773760 registers.ebp: 2093964 registers.edx: 82318968 registers.ebx: 82318968 registers.esi: 504418215 registers.ecx: 4128768	1
__exception__ Dec. 14, 2023, 7:56 a.m.	stacktrace: RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 GetPrivateContextsPerfCounters+0xf4 DllGetActivationFactoryImpl-0x14771 clr+0x88076 @ 0x73fb8076 GetPrivateContextsPerfCounters+0x10c5 DllGetActivationFactoryImpl-0x137a0 clr+0x89047 @ 0x73fb9047 mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e mscorlib+0x2fcd8c @ 0x728bcd8c mscorlib+0x2fcd0b @ 0x728bcd0b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95 DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x74055713 DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x740557d5 mscorlib+0x9bc1c8 @ 0x72f7c1c8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x73f59df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x73f59e2f DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x740018ed DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x74001bfd CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x74153553 LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x74108a42 DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x74054e95 DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x74054dd8 RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x778e6ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x7467482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 GetPrivateContextsPerfCounters+0xf4 DllGetActivationFactoryImpl-0x14771 clr+0x88076 @ 0x73fb8076 GetPrivateContextsPerfCounters+0x10c5 DllGetActivationFactoryImpl-0x137a0 clr+0x89047 @ 0x73fb9047 mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e exception.instruction: mov eax, dword ptr [esi + 4] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 189342 exception.address: 0x778ce39e registers.esp: 2088552 registers.edi: 82110624 registers.eax: 0 registers.ebp: 2088604 registers.edx: 82110632 registers.ebx: 82110632 registers.esi: 518955773 registers.ecx: 4128768	1
__exception__ Dec. 14, 2023, 7:56 a.m.	stacktrace: RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 GetPrivateContextsPerfCounters+0xf4 DllGetActivationFactoryImpl-0x14771 clr+0x88076 @ 0x73fb8076 GetPrivateContextsPerfCounters+0x10c5 DllGetActivationFactoryImpl-0x137a0 clr+0x89047 @ 0x73fb9047 mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e mscorlib+0x2fcd8c @ 0x728bcd8c mscorlib+0x2fcd0b @ 0x728bcd0b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95 DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x74055713 DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x740557d5 mscorlib+0x9bc1c8 @ 0x72f7c1c8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x73f59df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x73f59e2f DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x740018ed DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x74001bfd CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x74153553 LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x74108a42 DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x74054e95 DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x74054dd8 RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x778e6ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x7467482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 GetPrivateContextsPerfCounters+0xf4 DllGetActivationFactoryImpl-0x14771 clr+0x88076 @ 0x73fb8076 GetPrivateContextsPerfCounters+0x10c5 DllGetActivationFactoryImpl-0x137a0 clr+0x89047 @ 0x73fb9047 mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e exception.instruction: mov eax, dword ptr [esi + 4] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 189342 exception.address: 0x778ce39e registers.esp: 2083192 registers.edi: 82106768 registers.eax: 4473968 registers.ebp: 2083244 registers.edx: 82106776 registers.ebx: 82106776 registers.esi: 514515115 registers.ecx: 4128768	1
__exception__ Dec. 14, 2023, 7:56 a.m.	stacktrace: RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 GetPrivateContextsPerfCounters+0xf4 DllGetActivationFactoryImpl-0x14771 clr+0x88076 @ 0x73fb8076 GetPrivateContextsPerfCounters+0x10c5 DllGetActivationFactoryImpl-0x137a0 clr+0x89047 @ 0x73fb9047 mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e mscorlib+0x2fcd8c @ 0x728bcd8c mscorlib+0x2fcd0b @ 0x728bcd0b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95 DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x74055713 DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x740557d5 mscorlib+0x9bc1c8 @ 0x72f7c1c8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x73f59df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x73f59e2f DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x740018ed DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x74001bfd CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x74153553 LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x74108a42 DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x74054e95 DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x74054dd8 RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x778e6ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x7467482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f32170 DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f32195 DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f321a6 GetPrivateContextsPerfCounters+0xf4 DllGetActivationFactoryImpl-0x14771 clr+0x88076 @ 0x73fb8076 GetPrivateContextsPerfCounters+0x10c5 DllGetActivationFactoryImpl-0x137a0 clr+0x89047 @ 0x73fb9047 mscorlib+0x2d866e @ 0x7289866e mscorlib+0x2d85ca @ 0x728985ca mscorlib+0x2d7e2a @ 0x72897e2a mscorlib+0x2d79ea @ 0x728979ea mscorlib+0x2d74ff @ 0x728974ff mscorlib+0x2d71c3 @ 0x728971c3 mscorlib+0x2d6c3c @ 0x72896c3c mscorlib+0x2fcfb1 @ 0x728bcfb1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f49dd2 DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7402db84 DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7402dc8f mscorlib+0x2fce7e @ 0x728bce7e exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e exception.instruction: mov eax, dword ptr [esi + 4] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 189342 exception.address: 0x778ce39e registers.esp: 2077832 registers.edi: 82343160 registers.eax: 76138801 registers.ebp: 2077884 registers.edx: 82343168 registers.ebx: 82343168 registers.esi: 442955847 registers.ecx: 4128768	1
__exception__ Dec. 14, 2023, 7:56 a.m.	stacktrace: innkmiukfdgrakq+0x4a1acc @ 0x16c1acc innkmiukfdgrakq+0x4a1b7b @ 0x16c1b7b exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 43 85 f9 8b 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 3865148 registers.edi: 20021248 registers.eax: 3865148 registers.ebp: 3865228 registers.edx: 2130566132 registers.ebx: 1969225702 registers.esi: 2006021163 registers.ecx: 3672375296	1
__exception__ Dec. 14, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 e9 ea b6 e5 ff exception.symbol: innkmiukfdgrakq+0x4bd210 exception.instruction: in eax, dx exception.module: innkmiukfdgrakq.exe exception.exception_code: 0xc0000096 exception.offset: 4968976 exception.address: 0x16dd210 registers.esp: 3865268 registers.edi: 22241738 registers.eax: 1750617430 registers.ebp: 20021248 registers.edx: 5593174 registers.ebx: 0 registers.esi: 13 registers.ecx: 20	1
__exception__ Dec. 14, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d exception.symbol: innkmiukfdgrakq+0x4bd284 exception.instruction: in eax, dx exception.module: innkmiukfdgrakq.exe exception.exception_code: 0xc0000096 exception.offset: 4969092 exception.address: 0x16dd284 registers.esp: 3865268 registers.edi: 22241738 registers.eax: 1447909480 registers.ebp: 20021248 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d cwdeprxrvlonbdrjec+0x2dbf9f @ 0x13f75bf9f 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x4001000a exception.offset: 42141 exception.address: 0x7fefdbfa49d registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1
__exception__ Dec. 14, 2023, 7:49 a.m.	stacktrace: 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a 0x4001000a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x4001000a registers.r14: 1996279568 registers.r15: 0 registers.rcx: 5697856 registers.rsi: 0 registers.r10: 5359648822 registers.rbx: 0 registers.rsp: 5699624 registers.r11: 5699472 registers.r8: 0 registers.r9: 0 registers.rdx: 224 registers.r12: 5359570281 registers.rbp: 5699696 registers.rdi: 5359648272 registers.rax: 1999309281 registers.r13: 6585168	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (8 events)

suspicious_features	POST method with no referer header	suspicious_request	POST http://gatelistcoldyeisa.pw/api
suspicious_features	Connection to IP address	suspicious_request	GET http://185.172.128.8/cp.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.172.128.8/ma.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.172.128.8/ama.exe
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.172.128.5/v8sjh3hs8/index.php
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.172.128.5/v8sjh3hs8/index.php?scr=1
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.172.128.5/v8sjh3hs8/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.172.128.5/v8sjh3hs8/Plugins/clip64.dll

Performs some HTTP requests (8 events)

request	POST http://gatelistcoldyeisa.pw/api
request	GET http://185.172.128.8/cp.exe
request	GET http://185.172.128.8/ma.exe
request	GET http://185.172.128.8/ama.exe
request	POST http://185.172.128.5/v8sjh3hs8/index.php
request	POST http://185.172.128.5/v8sjh3hs8/index.php?scr=1
request	GET http://185.172.128.5/v8sjh3hs8/Plugins/cred64.dll
request	GET http://185.172.128.5/v8sjh3hs8/Plugins/clip64.dll

Sends data using the HTTP POST Method (3 events)

request	POST http://gatelistcoldyeisa.pw/api
request	POST http://185.172.128.5/v8sjh3hs8/index.php
request	POST http://185.172.128.5/v8sjh3hs8/index.php?scr=1

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

gatelistcoldyeisa.pw

description

Palau domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 372 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b63000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00556000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:56 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:56 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:56 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:56 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b83000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:56 a.m.	process_identifier: 444 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00641000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:56 a.m.	process_identifier: 444 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00643000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:56 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00645000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:56 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00646000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:56 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00647000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:56 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00648000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:56 a.m.	process_identifier: 444 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00649000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:56 a.m.	process_identifier: 444 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0064d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:56 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:56 a.m.	process_identifier: 444 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:56 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00661000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:56 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b84000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:56 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:56 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00663000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:56 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b85000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (50 out of 80 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb

Creates executable files on the filesystem (8 events)

file	C:\Users\test22\AppData\Local\Temp\Protect544cd51a.dll
file	C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\cred64.dll
file	C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\innkmiukfdgrakq.exe
file	C:\Users\test22\AppData\Local\Temp\cwdeprxrvlonbdrjec.exe
file	C:\ProgramData\pinterests\XRJNZC.exe
file	C:\Users\test22\AppData\Local\Temp\s214.0.bat
file	C:\Users\test22\AppData\Local\Temp\wgkpgkairhk.exe

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
cmdline	schtasks.exe /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\innkmiukfdgrakq.exe
file	C:\Users\test22\AppData\Local\Temp\cwdeprxrvlonbdrjec.exe
file	C:\Users\test22\AppData\Local\Temp\s214.0.bat
file	C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\Protect544cd51a.dll
file	C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\innkmiukfdgrakq.exe

A process created a hidden window (6 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Dec. 14, 2023, 7:56 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\s214.0.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\s214.0.bat	1	1
ShellExecuteExW Dec. 14, 2023, 7:56 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe	1	1
ShellExecuteExW Dec. 14, 2023, 7:56 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f filepath: schtasks.exe	1	1
ShellExecuteExW Dec. 14, 2023, 7:56 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Dec. 14, 2023, 7:56 a.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main filepath: rundll32.exe	1	1
ShellExecuteExW Dec. 14, 2023, 7:57 a.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\clip64.dll, Main filepath: rundll32.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (11 events)

Time & API	Arguments	Status	Return
Process32NextW Dec. 14, 2023, 7:56 a.m.	snapshot_handle: 0x000000e4 process_name: pw.exe process_identifier: 760	1	1
Process32NextW Dec. 14, 2023, 7:56 a.m.	snapshot_handle: 0x000000e4 process_name: taskhost.exe process_identifier: 800	1	1
Process32NextW Dec. 14, 2023, 7:56 a.m.	snapshot_handle: 0x000000e4 process_name: SearchProtocolHost.exe process_identifier: 300	1	1
Process32NextW Dec. 14, 2023, 7:56 a.m.	snapshot_handle: 0x000000e4 process_name: svchost.exe process_identifier: 2260	1	1
Process32NextW Dec. 14, 2023, 7:56 a.m.	snapshot_handle: 0x000000e4 process_name: mscorsvw.exe process_identifier: 2288	1	1
Process32NextW Dec. 14, 2023, 7:56 a.m.	snapshot_handle: 0x000000e4 process_name: RegSvcs.exe process_identifier: 2436	1	1
Process32NextW Dec. 14, 2023, 7:56 a.m.	snapshot_handle: 0x0000015c process_name: cmd.exe process_identifier: 2564	1	1
Process32NextW Dec. 14, 2023, 7:56 a.m.	snapshot_handle: 0x0000015c process_name: conhost.exe process_identifier: 2572	1	1
Process32NextW Dec. 14, 2023, 7:56 a.m.	snapshot_handle: 0x0000015c process_name: pw.exe process_identifier: 2596	1	1
Process32NextW Dec. 14, 2023, 7:49 a.m.	snapshot_handle: 0x0000000000000128 process_name: XRJNZC.exe process_identifier: 2904	1	1
Process32NextW Dec. 14, 2023, 7:49 a.m.	snapshot_handle: 0x0000000000000128 process_name: rundll32.exe process_identifier: 2160	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 14, 2023, 7:56 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00240000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process utsysc.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Dec. 14, 2023, 7:56 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $1óM#u#pu#pu#p.ú'qg#p.ú q~#p.ú&qÅ#p ÿ&q3#p ÿ'qz#p ÿ q\|#p.ú"qx#pu"p´#pîüqq#pîü#qt#pîüÜpt#pîü!qt#pRichu#pPEdÄqeð" \H±À` !Xx!øÐ¬ àÀ7p08pè.textøZ\ `.rdataâÅpÆ`@@.dataL@B&@À.pdata¬Ð®h@@_RDATA@@.rsrcø@@.relocà @BHì(A¸ HgH à[èËH $HÄ(é¯ÌÌÌHì(A¸ H_H pbèSËH L$HÄ(éÌÌÌHì(A¸HSH @cè#ËH $HÄ(éOÌÌÌHì(A¸ H/H Ð\èóÊH Ì$HÄ(éÌÌÌHì(A¸H'H aèÃÊH %HÄ(éïÌÌÌHì(A¸HH 0ZèÊH L%HÄ(é¿ÌÌÌHì(E3ÀHoH #bèfÊH %HÄ(éÌÌÌÌÌÌHì(E3ÀHRoH bè6ÊH Ï%HÄ(ébÌÌÌÌÌÌHì(E3ÀH"oH \èÊH &HÄ(é2ÌÌÌÌÌÌHì(E3ÀHònH óXèÖÉH O&HÄ(éÌÌÌÌÌÌHì(A¸H? H ÀYè£ÉH &HÄ(éÏÌÌÌHì(A¸H H eèsÉH Ì&HÄ(éÌÌÌHì(A¸HÿH À`èCÉH 'HÄ(éoÌÌÌHì(A¸HßH pWèÉH L'HÄ(é?ÌÌÌHì(A¸H¿H `ZèãÈH 'HÄ(éÌÌÌHì(A¸H¯H ]è³ÈH Ì'HÄ(éßÌÌÌHì(A¸HH ]èÈH (HÄ(é¯ÌÌÌHì(A¸HkH 0[èSÈH L(HÄ(éÌÌÌHì(A¸HGH `\è#ÈH (HÄ(éOÌÌÌHì(A¸H/H °^èóÇH Ì(HÄ(éÌÌÌHì(A¸HH `_èÃÇH )HÄ(éïÌÌÌHì(A¸LHïH ZèÇH L)HÄ(é¿ÌÌÌHì(A¸HH `VècÇH )HÄ(éÌÌÌHì(A¸dHÿH pbè3ÇH Ì)HÄ(é_ÌÌÌHì(A¸H7H _èÇH HÄ(é/ÌÌÌHì(A¸HH ð\èÓÆH LHÄ(éÿÌÌÌHì(A¸HH àUè£ÆH HÄ(éÏÌÌÌHì(A¸HïH °]èsÆH Ì*HÄ(éÌÌÌHì(A¸(HÏH \èCÆH +HÄ(éoÌÌÌHì(A¸HÏH Ð_èÆH L+HÄ(é?ÌÌÌHì(A¸H¯H bèãÅH +HÄ(éÌÌÌHì(A¸HH ]è³ÅH Ì+HÄ(éßÌÌÌHì(A¸HoH _èÅH ,HÄ(é¯ÌÌÌHì(A¸H_H YèSÅH L,HÄ(éÌÌÌHì(A¸,H?H @Zè#ÅH ,HÄ(éOÌÌÌHì(A¸H?H ÐXèóÄH Ì,HÄ(éÌÌÌHì(A¸H/H ]èÃÄH -HÄ(éïÌÌÌHì(A¸$HH Ð^èÄH L-HÄ(é¿ÌÌÌHì(A¸HH @ZècÄH -HÄ(éÌÌÌHì(A¸Hï H pRè3ÄH Ì-HÄ(é_ÌÌÌHì(A¸Hß H ZèÄH .HÄ(é/ÌÌÌHì(A¸HÏ H VèÓÃH L.HÄ(éÿÌÌÌHì(A¸ H¯ H [è£ÃH .HÄ(éÏÌÌÌHì(A¸ H§ H 0XèsÃH Ì.HÄ(éÌÌÌHì(A¸H? H àSèCÃH /HÄ(éoÌÌÌHì(A¸Ho H 0WèÃH L/HÄ(é?ÌÌÌHì(A¸HW H SèãÂH /HÄ(éÌÌÌHì(A¸H7 H P]è³ÂH Ì/HÄ(éßÌÌÌHì(A¸LHßH ÀWèÂH 0HÄ(é¯ÌÌÌHì(A¸Hç H ÐWèSÂH L0HÄ(éÌÌÌHì(A¸dHïH Xè#ÂH 0HÄ(éOÌÌÌHì(A¸H H P]èóÁH Ì0HÄ(éÌÌÌHì(A¸H H À[èÃÁH 1HÄ(éïÌÌÌHì(A¸Hg H WèÁH L1HÄ(é¿ÌÌÌHì(A¸HG H SècÁH 1HÄ(éÌÌÌHì(A¸H H p]è3ÁH Ì1HÄ(é_ÌÌÌHì(A¸H÷H VèÁH 2HÄ(é/ÌÌÌHì(A¸HÏH pTèÓÀH L2HÄ(éÿÌÌÌHì(A¸H¯H ÀQè£ÀH 2HÄ(éÏÌÌÌHì(A¸HH NèsÀH Ì2HÄ(éÌÌÌHì(A¸HH @WèCÀH 3HÄ(éoÌÌÌHì(A¸0H_H Ð[èÀH L3HÄ(é?ÌÌÌHì(A¸HgH À[èã¿H 3HÄ(éÌÌÌHì(A¸HGH p\è³¿H Ì3HÄ(éßÌÌÌ request_handle: 0x00cc000c	1	1	0
InternetReadFile Dec. 14, 2023, 7:57 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $'ö³cjàcjàcjà8ÿiáijà8ÿoáëjà8ÿnáqjà¶únáljà¶úiárjà¶úoáBjà8ÿkádjàckàjàøùcá`jàøùjábjàøùàbjàøùhábjàRichcjàPELÄqeà!!g à@°zL{P°øÀÀo8øo@ H.textV `.rdata°b d@@.datav@À.rsrcø°@@.relocÀ@Bj hèl¹pèßHhèSYÃÌÌÌj hm¹è¿Hh`èSYÃÌÌÌjh0m¹ èHhÀèmSYÃÌÌÌjhHm¹¸èHh èMSYÃÌÌÌjhem¹Ðè_Hhè-SYÃÌÌÌjhem¹èè?Hhàè SYÃÌÌÌjhem¹èHh@èíRYÃÌÌÌjhem¹èÿGh èÍRYÃÌÌÌhè¾RYÃÌÌÌÌh`è®RYÃÌÌÌÌhÀèRYÃÌÌÌÌj?hðm¹xè¯Gh è}RYÃÌÌÌhènRYÃÌÌÌÌh è^RYÃÌÌÌÌh@èNRYÃÌÌÌÌhàè>RYÃÌÌÌÌhè.RYÃÌÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPèb[ÄÆ^]ÂÌÌÌI¸¼lÉEÁÃÌÌUìVñFÇÔ!Pè[ÄöEtjVèLNÄÆ^]ÂAÇÔ!Pèi[YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇAÐlÇ,"ÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿhzEôPè;[ÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPèZÄÇ,"Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPèRZÄÇà!Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìì}SVÙW]àÛ}0Ñ}HÇj/hhmMÈÇEôÇEøÆEäÇEØÇEÜÆEÈèEjjjjhmÿ,!}MjCMjjjjjPQPE´ÿ0!}4M jCM jjjjQhmPE¸ÿ4!}LU8ÿuHCU8MÈ}ÜðRÿuØCMÈQVuÀÿ8!EüPhÿûÿÿPVÿ<!Ài}ü\ûÿÿÇEÇEPÆEfD@Éuù+ÂMPûÿÿPè§DMüE9MÇE¬BM}QCEMPÇE°ÆEèvD}°U}MôC×Eø]¬+ÁMÄSR;Øw,}øuäCuäEôPè«jMÄ3uÀÄÆëÆE¼Mäÿu¼SèG}E°ør+HÇùrüÁ#+ÇÀüøQWèXKÄUúr,MBÁúrIüÂ#+ÁÀüødRQè$KÄEüÆûÿÿEüPhÿûÿÿPVÿ<!Àþÿÿ]àV5@!ÿÖÿu¸ÿÖÿu´ÿÖEäUÜ¸ÆEäó~EôfÖCÇEôEøúr/MÈBÁúrIüÂ#+ÁÀüøÌRQèJEøÄÇEØÇEÜÆEÈør.MäPÁúrIüÂ#+ÁÀüøRQèDJÄUÇEôÇEøÆEäúr,MBÁúrIüÂ#+ÁÀüø>RQèþIÄU4ÇEÇEÆEúr,M BÁúrIüÂ#+ÁÀüøøRQè¸IÄULÇE0ÇE4ÆE úÇM8BÁú«IüÂ#+ÁÀüøªéjhemÇCÇCÆèÝAUúr(MBÁúrIüÂ#+ÁÀüøwbRQè"IÄU4ÇEÇEÆEúLÿÿÿM BÁú0ÿÿÿIüÂ#+ÁÀüøwéÿÿÿRQèÓHÄ_^Ã[å]ÃèðnÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì<¹`SVW=@3öVhem3ÛèAÿDCOãÿyKËÿÿÿCð¥¶ÑòæÿyNÎÿÿÿF¶ð¥ð¥ð¥Mà¶ð¥Âuø¶ÀjÇEðÇEô¶ð¥EÿEÿPÆEàè@Eàº`PMÈèÆAðÄþ`t\| tùr.¡`AùrPüÁ#+ÂÀüøÔÂQPèµGÄÇpÇtÆ``ó~FfÖpÇFÇFÆUÜúr(MÈBÁúrIüÂ#+ÁÀüøw_RQèBGÄUôÇEØÇEÜÆEÈúr(MàBÁúrIüÂ#+ÁÀüøwRQèGÄÿtuøéoþÿÿ_^[å]ÃèmÌÌÌUìì<SVWùÇGÇGÆèþÿÿ¡t¾``ø»0Cò=DC0+Þ]øø¹`¡pCÊÁ;ð*3Mà2EÿEÿjPÇEðÇEôÆEàèÞ>Eà×PMÈè@ØÄ;ûteOùr+AùrPüÁ#+ÂÀüøÍÂQPè FÄÇGÇGÆó~CfÖGÇCÇCÆUÜúr(MÈBÁúrIüÂ#+ÁÀüøwiRQè§EÄUôÇEØÇEÜÆEÈúr(MàBÁúrIüÂ#+ÁÀüøw'RQèeEÄ¡tF`]øé¼þÿÿÇ_^[å]ÃènkÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQ}4E SCE VWÿu0Mü¹HPè=}EÿuCE¹0Pè=5X3Û=\fDÿð¥Ã¹HC H÷þ ð¤Cû\|Ô3ÿ3öð¥¶ð¤ø¶ÊùçÿyOÏÿÿÿGð¥ð¥Fð¥þ\|ÁuüÎèýÿÿUúr request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x003fce00', u'virtual_address': u'0x00002000', u'entropy': 7.342483080993523, u'name': u'.text', u'virtual_size': u'0x003fcdc4'}

entropy

7.34248308099

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00013400', u'virtual_address': u'0x00400000', u'entropy': 7.04556050226003, u'name': u'.rsrc', u'virtual_size': u'0x00013230'}

entropy

7.04556050226

description

A section with a high entropy has been found

entropy

0.999879836578

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (10 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Dec. 14, 2023, 7:56 a.m.	snapshot_handle: 0x0000015c process_name: pw.exe process_identifier: 2596		0	0
Process32NextW Dec. 14, 2023, 7:56 a.m.	snapshot_handle: 0x000000e8 process_name: pw.exe process_identifier: 2596		0	0
Process32NextW Dec. 14, 2023, 7:56 a.m.	snapshot_handle: 0x0000015c process_name: pw.exe process_identifier: 2596		0	0
Process32NextW Dec. 14, 2023, 7:56 a.m.	snapshot_handle: 0x000000e8 process_name: pw.exe process_identifier: 2596		0	0
Process32NextW Dec. 14, 2023, 7:56 a.m.	snapshot_handle: 0x0000015c process_name: pw.exe process_identifier: 2596		0	0
Process32NextW Dec. 14, 2023, 7:56 a.m.	snapshot_handle: 0x000000e8 process_name: pw.exe process_identifier: 2596		0	0
Process32NextW Dec. 14, 2023, 7:56 a.m.	snapshot_handle: 0x0000015c process_name: pw.exe process_identifier: 2596		0	0
Process32NextW Dec. 14, 2023, 7:56 a.m.	snapshot_handle: 0x000000e8 process_name: pw.exe process_identifier: 2596		0	0
Process32NextW Dec. 14, 2023, 7:56 a.m.	snapshot_handle: 0x0000015c process_name: pw.exe process_identifier: 2596		0	0
Process32NextW Dec. 14, 2023, 7:56 a.m.	snapshot_handle: 0x000000e8 process_name: pw.exe process_identifier: 2596		0	0

Yara rule detected in process memory (42 events)

description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Queries for potentially installed applications (50 out of 51 events)

Time & API	Arguments	Status
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000788 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x00000784 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Uses Windows utilities for basic Windows functionality (7 events)

cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
cmdline	"C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe"
cmdline	netsh wlan show profiles
cmdline	C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
cmdline	schtasks.exe /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: d239ca1fe57c327b35ffab466ace400389919e3c
buffer	Buffer with sha1: 2441a44b06509975255deafbaa7fd57a83a0bd41

Communicates with host for which no DNS query was performed (2 events)

host	185.172.128.5
host	185.172.128.8

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Dec. 14, 2023, 7:56 a.m.	process_identifier: 2436 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b0	1	0	0

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known windows from debuggers and forensic tools (24 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Dec. 14, 2023, 7:56 a.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (4 events)

cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
cmdline	schtasks.exe /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F

Attempts to access Bitcoin/ALTCoin wallets (3 events)

file	C:\Users\test22\AppData\Roaming\Bitcoin\wallets
file	C:\Users\test22\AppData\Roaming\Electrum\wallets
file	C:\Users\test22\AppData\Roaming\Litecoin\wallets

Creates an executable file in a user folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\cwdeprxrvlonbdrjec.exe
file	C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Harvests information related to installed instant messenger clients (17 events)

file	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\.purple\accounts.xml
file	C:\Windows\.purple\accounts.xml
file	C:\Python27\.purple\accounts.xml
file	C:\Windows\System32\.purple\accounts.xml
file	C:\Users\test22\AppData\Local\Temp\.purple\accounts.xml
file	C:\.purple\accounts.xml
file	C:\SystemRoot\System32\.purple\accounts.xml
file	C:\Windows\SysWOW64\.purple\accounts.xml
file	C:\ProgramData\pinterests\.purple\accounts.xml
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\.purple\accounts.xml
file	C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\.purple\accounts.xml
file	C:\Program Files (x86)\Microsoft Office\Office15\.purple\accounts.xml
file	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\.purple\accounts.xml
file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml
file	C:\Program Files (x86)\Internet Explorer\.purple\accounts.xml
file	C:\Program Files (x86)\EditPlus\.purple\accounts.xml
file	C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\.purple\accounts.xml

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Dec. 14, 2023, 7:56 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELûeeàdfØ@@8ÿt~À¨ä.text5cd `.rdataÔh@@.dataS Tú@À.reloct~N@B base_address: 0x00400000 process_identifier: 2436 process_handle: 0x000002b0	1	1	0
WriteProcessMemory Dec. 14, 2023, 7:56 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2436 process_handle: 0x000002b0	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Dec. 14, 2023, 7:56 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELûeeàdfØ@@8ÿt~À¨ä.text5cd `.rdataÔh@@.dataS Tú@À.reloct~N@B base_address: 0x00400000 process_identifier: 2436 process_handle: 0x000002b0	1	1	0

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 7:56 a.m.	key_handle: 0x00000784 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (2 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Server
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP Server

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 444 called NtSetContextThread to modify thread in remote process 2436
NtSetContextThread Dec. 14, 2023, 7:56 a.m.	registers.eip: 2005598660 registers.esp: 1703444 registers.edi: 0 registers.eax: 4511900 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002ac process_identifier: 2436	1	0	0

Appends a known CryptoMix ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 444 resumed a thread in remote process 2436
Process injection	Process 2732 resumed a thread in remote process 2904
NtResumeThread Dec. 14, 2023, 7:56 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2436	1	0	0
NtResumeThread Dec. 14, 2023, 7:56 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2904	1	0	0

Tries to unhook Windows functions monitored by Cuckoo (1 event)

Time & API	Arguments	Status	Return	Repeated
__anomaly__ Dec. 14, 2023, 7:49 a.m.	tid: 2680 message: Encountered 65537 exceptions, quitting. subcategory: exception function_name:	1	0	0

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Dec. 14, 2023, 7:56 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 14, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d exception.symbol: innkmiukfdgrakq+0x4bd284 exception.instruction: in eax, dx exception.module: innkmiukfdgrakq.exe exception.exception_code: 0xc0000096 exception.offset: 4969092 exception.address: 0x16dd284 registers.esp: 3865268 registers.edi: 22241738 registers.eax: 1447909480 registers.ebp: 20021248 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1	0	0

Executed a process and injected code into it, probably while unpacking (40 events)

Time & API	Arguments	Status	Return
NtResumeThread Dec. 14, 2023, 7:55 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 444	1	0
NtResumeThread Dec. 14, 2023, 7:55 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 444	1	0
NtResumeThread Dec. 14, 2023, 7:55 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 444	1	0
NtResumeThread Dec. 14, 2023, 7:56 a.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 444	1	0
NtGetContextThread Dec. 14, 2023, 7:56 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Dec. 14, 2023, 7:56 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Dec. 14, 2023, 7:56 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 444	1	0
CreateProcessInternalW Dec. 14, 2023, 7:56 a.m.	thread_identifier: 2440 thread_handle: 0x000002ac process_identifier: 2436 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe filepath_r: stack_pivoted: 0 creation_flags: 564 (CREATE_NEW_CONSOLE\|CREATE_NEW_PROCESS_GROUP\|CREATE_SUSPENDED\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x000002b0	1	1
NtUnmapViewOfSection Dec. 14, 2023, 7:56 a.m.	base_address: 0x00400000 region_size: 16318464 process_identifier: 2436 process_handle: 0x000002b0		3221225497
NtAllocateVirtualMemory Dec. 14, 2023, 7:56 a.m.	process_identifier: 2436 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b0	1	0
WriteProcessMemory Dec. 14, 2023, 7:56 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELûeeàdfØ@@8ÿt~À¨ä.text5cd `.rdataÔh@@.dataS Tú@À.reloct~N@B base_address: 0x00400000 process_identifier: 2436 process_handle: 0x000002b0	1	1
WriteProcessMemory Dec. 14, 2023, 7:56 a.m.	buffer: base_address: 0x00401000 process_identifier: 2436 process_handle: 0x000002b0	1	1
WriteProcessMemory Dec. 14, 2023, 7:56 a.m.	buffer: base_address: 0x00468000 process_identifier: 2436 process_handle: 0x000002b0	1	1
WriteProcessMemory Dec. 14, 2023, 7:56 a.m.	buffer: base_address: 0x00472000 process_identifier: 2436 process_handle: 0x000002b0	1	1
WriteProcessMemory Dec. 14, 2023, 7:56 a.m.	buffer: base_address: 0x00478000 process_identifier: 2436 process_handle: 0x000002b0	1	1
NtGetContextThread Dec. 14, 2023, 7:56 a.m.	thread_handle: 0x000002ac	1	0
WriteProcessMemory Dec. 14, 2023, 7:56 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2436 process_handle: 0x000002b0	1	1
NtSetContextThread Dec. 14, 2023, 7:56 a.m.	registers.eip: 2005598660 registers.esp: 1703444 registers.edi: 0 registers.eax: 4511900 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002ac process_identifier: 2436	1	0
NtResumeThread Dec. 14, 2023, 7:56 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2436	1	0
NtResumeThread Dec. 14, 2023, 7:56 a.m.	thread_handle: 0x000000a8 suspend_count: 1 process_identifier: 2436	1	0
CreateProcessInternalW Dec. 14, 2023, 7:56 a.m.	thread_identifier: 2636 thread_handle: 0x00000758 process_identifier: 2632 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\innkmiukfdgrakq.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\innkmiukfdgrakq.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000768	1	1
CreateProcessInternalW Dec. 14, 2023, 7:56 a.m.	thread_identifier: 2680 thread_handle: 0x00000768 process_identifier: 2676 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\cwdeprxrvlonbdrjec.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\cwdeprxrvlonbdrjec.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000076c	1	1
CreateProcessInternalW Dec. 14, 2023, 7:56 a.m.	thread_identifier: 2832 thread_handle: 0x0000076c process_identifier: 2828 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\wgkpgkairhk.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\wgkpgkairhk.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000770	1	1
NtGetContextThread Dec. 14, 2023, 7:56 a.m.	thread_handle: 0xfffffffe	1	0
CreateProcessInternalW Dec. 14, 2023, 7:56 a.m.	thread_identifier: 2736 thread_handle: 0x00000280 process_identifier: 2732 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\s214.0.bat" filepath_r: stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000274	1	1
CreateProcessInternalW Dec. 14, 2023, 7:56 a.m.	thread_identifier: 2796 thread_handle: 0x00000084 process_identifier: 2792 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout 3 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Dec. 14, 2023, 7:56 a.m.	thread_identifier: 2908 thread_handle: 0x00000088 process_identifier: 2904 current_directory: filepath: C:\ProgramData\pinterests\XRJNZC.exe track: 1 command_line: "C:\ProgramData\pinterests\XRJNZC.exe" filepath_r: C:\ProgramData\pinterests\XRJNZC.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
NtResumeThread Dec. 14, 2023, 7:56 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2904	1	0
CreateProcessInternalW Dec. 14, 2023, 7:56 a.m.	thread_identifier: 1540 thread_handle: 0x00000304 process_identifier: 1836 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000030c	1	1
NtGetContextThread Dec. 14, 2023, 7:56 a.m.	thread_handle: 0xfffffffe	1	0
CreateProcessInternalW Dec. 14, 2023, 7:56 a.m.	thread_identifier: 3056 thread_handle: 0x00000244 process_identifier: 3052 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000250	1	1
NtResumeThread Dec. 14, 2023, 7:56 a.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 1836	1	0
CreateProcessInternalW Dec. 14, 2023, 7:56 a.m.	thread_identifier: 2496 thread_handle: 0x00000264 process_identifier: 2488 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000026c	1	1
CreateProcessInternalW Dec. 14, 2023, 7:56 a.m.	thread_identifier: 1896 thread_handle: 0x000003b0 process_identifier: 1284 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main filepath_r: C:\Windows\System32\rundll32.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003c4	1	1
CreateProcessInternalW Dec. 14, 2023, 7:57 a.m.	thread_identifier: 2936 thread_handle: 0x0000037c process_identifier: 2916 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\clip64.dll, Main filepath_r: C:\Windows\System32\rundll32.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003b0	1	1
CreateProcessInternalW Dec. 14, 2023, 7:56 a.m.	thread_identifier: 1928 thread_handle: 0x000000dc process_identifier: 2160 current_directory: filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main filepath_r: C:\Windows\system32\rundll32.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000d8	1	1
NtResumeThread Dec. 14, 2023, 7:49 a.m.	thread_handle: 0x00000000000000fc suspend_count: 1 process_identifier: 2160	1	0
CreateProcessInternalW Dec. 14, 2023, 7:49 a.m.	thread_identifier: 2608 thread_handle: 0x0000000000000134 process_identifier: 2708 current_directory: C:\Users\test22\AppData\Local\Temp\ filepath: track: 1 command_line: netsh wlan show profiles filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x0000000000000138	1	1
CreateProcessInternalW Dec. 14, 2023, 7:49 a.m.	thread_identifier: 0 thread_handle: 0x0000000000000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp\ filepath: track: 0 command_line: tar.exe -cf "C:\Users\test22\AppData\Local\Temp\832866432405_Desktop.tar" "C:\Users\test22\AppData\Local\Temp\_Files_\." filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x0000000000000000		0
NtResumeThread Dec. 14, 2023, 7:49 a.m.	thread_handle: 0x000000000000021c suspend_count: 1 process_identifier: 2708	1	0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Stealerc.i!c
tehtris	Generic.Malware
MicroWorld-eScan	Trojan.GenericKD.70702010
CAT-QuickHeal	Trojanpws.Msil
Malwarebytes	Generic.Malware/Suspicious
VIPRE	Trojan.GenericKD.70702010
Sangfor	Infostealer.Msil.Stealerc.Vvu2
Alibaba	TrojanPSW:MSIL/Stealerc.6eefc10b
CrowdStrike	win/malicious_confidence_100% (W)
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AKDO
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Trojan-PSW.MSIL.Stealerc.gen
BitDefender	Trojan.GenericKD.70702010
Avast	Win32:PWSX-gen [Trj]
Tencent	Malware.Win32.Gencirc.13f953d2
Emsisoft	Trojan.GenericKD.70702010 (B)
F-Secure	Trojan.TR/AD.Nekark.ckzvh
TrendMicro	TrojanSpy.Win32.LUMMASTEALER.YXDLGZ
FireEye	Trojan.GenericKD.70702010
Sophos	Mal/Generic-S
Webroot	W32.Trojan.Gen
Varist	W32/MSIL_Kryptik.JCM.gen!Eldorado
Avira	TR/AD.Nekark.ckzvh
MAX	malware (ai score=86)
Antiy-AVL	Trojan/MSIL.Kryptik
Kingsoft	MSIL.Trojan-PSW.Stealerc.gen
Microsoft	Trojan:Win32/Znyonm
Gridinsoft	Ransom.Win32.Wacatac.sa
Arcabit	Trojan.Generic.D436D3BA
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Stealerc.gen
GData	Trojan.GenericKD.70702010
Google	Detected
AhnLab-V3	Downloader/Win.Powershell.C5560071
ALYac	Trojan.GenericKD.70702010
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TrojanSpy.Win32.LUMMASTEALER.YXDLGZ
Rising	Malware.Obfus/MSIL@AI.91 (RDM.MSIL2:XA1js/4tyT0f/+b3BOSagw)
Ikarus	Trojan.MSIL.Crypt
MaxSecure	Trojan.Malware.204074003.susgen
Fortinet	MSIL/Kryptik.AKDO!tr
AVG	Win32:PWSX-gen [Trj]
DeepInstinct	MALICIOUS

file.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All