popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

updEdge.exe

Generic Malware UPX Anti_VM AntiDebug PE File PE32 .NET EXE AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 July 13, 2023, 7:15 a.m. July 13, 2023, 7:17 a.m.
Size 2.3MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 3c55617e6b69330386a0350e9f6aa0b4
SHA256 1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94
CRC32 3736122A
ssdeep 49152:X4MR20Q9Xz2p2pizrXPHaBXtHqNQ6cBUX0biao10PzFyPawde5Gir:X41MEpyHaZUNFcBUEfoIgPFTir
Yara
  • UPX_Zero - UPX packed file
  • anti_vm_detect - Possibly employs anti-virtualization techniques
  • Is_DotNET_EXE - (no description)
  • PE_Header_Zero - PE File Signature
  • themida_packer - themida packer
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware

Name Response Post-Analysis Lookup
rcam.tuktuk.ug
A 85.209.3.4
85.209.3.4
IP Address Status Action
164.124.101.2 Active Moloch
85.209.3.4 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49165 -> 85.209.3.4:11290 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 85.209.3.4:11290 -> 192.168.56.101:49165 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.101:49165 -> 85.209.3.4:11290 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49165 -> 85.209.3.4:11290 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49165 -> 85.209.3.4:11290 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49165 -> 85.209.3.4:11290 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49165 -> 85.209.3.4:11290 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49165 -> 85.209.3.4:11290 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49165 -> 85.209.3.4:11290 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49165 -> 85.209.3.4:11290 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49165 -> 85.209.3.4:11290 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49165 -> 85.209.3.4:11290 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49165 -> 85.209.3.4:11290 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49165 -> 85.209.3.4:11290 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49165 -> 85.209.3.4:11290 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49165 -> 85.209.3.4:11290 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49165 -> 85.209.3.4:11290 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49165 -> 85.209.3.4:11290 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00525560
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00525560
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00525560
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00525560
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005255e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005255e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005254e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005254e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005254e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005254e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005254e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00525560
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00525560
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00525760
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00526020
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00526020
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00525ee0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file C:\Program Files\Mozilla Firefox\firefox.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section
section .themida
section .boot
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
updedge+0x2d87a9 @ 0xec87a9
updedge+0x2bc581 @ 0xeac581

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 ef 71 39 8b 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008e
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 2029336
registers.edi: 13271040
registers.eax: 2029336
registers.ebp: 2029416
registers.edx: 2130566132
registers.ebx: 0
registers.esi: 1995994155
registers.ecx: 2054750208
1 0 0

__exception__

 stacktrace: 

        
      
      
      

    
  
    
      
        exception.instruction_r:
        ed e9 f4 00 fe ff 62 01 2d 1a 00 00 37 00 90 14
        

      
        exception.symbol:
        updedge+0x340c0a
        

      
        exception.instruction:
        in eax, dx
        

      
        exception.module:
        updEdge.exe
        

      
        exception.exception_code:
        0xc0000096
        

      
        exception.offset:
        3410954
        

      
        exception.address:
        0xf30c0a
        

      
    
  
    
      
        registers.esp:
        2029456
        

      
        registers.edi:
        14276937
        

      
        registers.eax:
        1750617430
        

      
        registers.ebp:
        13271040
        

      
        registers.edx:
        22614
        

      
        registers.ebx:
        2147483650
        

      
        registers.esi:
        13412047
        

      
        registers.ecx:
        20
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          

        
      
      
      

    
  
    
      
        exception.instruction_r:
        ed e9 23 1a 08 00 c3 e9 43 f5 06 00 00 00 3a 00
        

      
        exception.symbol:
        updedge+0x2a5187
        

      
        exception.instruction:
        in eax, dx
        

      
        exception.module:
        updEdge.exe
        

      
        exception.exception_code:
        0xc0000096
        

      
        exception.offset:
        2773383
        

      
        exception.address:
        0xe95187
        

      
    
  
    
      
        registers.esp:
        2029456
        

      
        registers.edi:
        14276937
        

      
        registers.eax:
        1447909480
        

      
        registers.ebp:
        13271040
        

      
        registers.edx:
        22104
        

      
        registers.ebx:
        2256917605
        

      
        registers.esi:
        13412047
        

      
        registers.ecx:
        10
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x839841
0x839643
0x837ad8
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4
        

      
        exception.instruction:
        mov eax, dword ptr [ecx]
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x839978
        

      
    
  
    
      
        registers.esp:
        3074772
        

      
        registers.edi:
        3074824
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3074836
        

      
        registers.edx:
        5306776
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        38924028
        

      
        registers.ecx:
        0
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f26c1
0x43f2522
0x43f23f5
0x43f0cab
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        39 09 ff 15 e0 83 2c 02 89 85 04 ff ff ff 8b 85
        

      
        exception.instruction:
        cmp dword ptr [ecx], ecx
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f3302
        

      
    
  
    
      
        registers.esp:
        3073012
        

      
        registers.edi:
        3073312
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073324
        

      
        registers.edx:
        36471236
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        39313184
        

      
        registers.ecx:
        0
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f6c30
0x43f2c8c
0x43f2522
0x43f23f5
0x43f0cab
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
        

      
        exception.instruction:
        mov eax, dword ptr [eax + 4]
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f6c73
        

      
    
  
    
      
        registers.esp:
        3073300
        

      
        registers.edi:
        3073644
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073308
        

      
        registers.edx:
        0
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        39313184
        

      
        registers.ecx:
        40562948
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f26c1
0x43f2522
0x43f240d
0x43f0cab
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        39 09 ff 15 e0 83 2c 02 89 85 04 ff ff ff 8b 85
        

      
        exception.instruction:
        cmp dword ptr [ecx], ecx
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f3302
        

      
    
  
    
      
        registers.esp:
        3073012
        

      
        registers.edi:
        3073312
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073324
        

      
        registers.edx:
        36471236
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        39313184
        

      
        registers.ecx:
        0
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f6c30
0x43f2c8c
0x43f2522
0x43f240d
0x43f0cab
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
        

      
        exception.instruction:
        mov eax, dword ptr [eax + 4]
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f6c73
        

      
    
  
    
      
        registers.esp:
        3073300
        

      
        registers.edi:
        3073644
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073308
        

      
        registers.edx:
        0
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        39313184
        

      
        registers.ecx:
        41993384
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f26c1
0x43f2522
0x43f240d
0x43f0cab
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        39 09 ff 15 e0 83 2c 02 89 85 04 ff ff ff 8b 85
        

      
        exception.instruction:
        cmp dword ptr [ecx], ecx
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f3302
        

      
    
  
    
      
        registers.esp:
        3073012
        

      
        registers.edi:
        3073312
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073324
        

      
        registers.edx:
        36471236
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        39313184
        

      
        registers.ecx:
        0
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f6c30
0x43f2c8c
0x43f2522
0x43f240d
0x43f0cab
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
        

      
        exception.instruction:
        mov eax, dword ptr [eax + 4]
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f6c73
        

      
    
  
    
      
        registers.esp:
        3073300
        

      
        registers.edi:
        3073644
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073308
        

      
        registers.edx:
        0
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        39313184
        

      
        registers.ecx:
        39554328
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f71a8
0x43f6ff9
0x43f23f5
0x43f0f94
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        39 09 ff 15 e0 83 2c 02 89 85 04 ff ff ff 8b 85
        

      
        exception.instruction:
        cmp dword ptr [ecx], ecx
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f3302
        

      
    
  
    
      
        registers.esp:
        3072988
        

      
        registers.edi:
        3073288
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073300
        

      
        registers.edx:
        36471236
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        38512844
        

      
        registers.ecx:
        0
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f6c30
0x43f773e
0x43f6ff9
0x43f23f5
0x43f0f94
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
        

      
        exception.instruction:
        mov eax, dword ptr [eax + 4]
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f6c73
        

      
    
  
    
      
        registers.esp:
        3073276
        

      
        registers.edi:
        3073668
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073284
        

      
        registers.edx:
        0
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        38512844
        

      
        registers.ecx:
        40989200
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f71a8
0x43f6ff9
0x43f240d
0x43f0f94
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        39 09 ff 15 e0 83 2c 02 89 85 04 ff ff ff 8b 85
        

      
        exception.instruction:
        cmp dword ptr [ecx], ecx
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f3302
        

      
    
  
    
      
        registers.esp:
        3072988
        

      
        registers.edi:
        3073288
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073300
        

      
        registers.edx:
        36471236
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        38512844
        

      
        registers.ecx:
        0
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f6c30
0x43f773e
0x43f6ff9
0x43f240d
0x43f0f94
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
        

      
        exception.instruction:
        mov eax, dword ptr [eax + 4]
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f6c73
        

      
    
  
    
      
        registers.esp:
        3073276
        

      
        registers.edi:
        3073668
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073284
        

      
        registers.edx:
        0
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        38512844
        

      
        registers.ecx:
        42545008
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f71a8
0x43f6ff9
0x43f240d
0x43f0f94
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        39 09 ff 15 e0 83 2c 02 89 85 04 ff ff ff 8b 85
        

      
        exception.instruction:
        cmp dword ptr [ecx], ecx
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f3302
        

      
    
  
    
      
        registers.esp:
        3072988
        

      
        registers.edi:
        3073288
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073300
        

      
        registers.edx:
        36471236
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        38512844
        

      
        registers.ecx:
        0
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f6c30
0x43f773e
0x43f6ff9
0x43f240d
0x43f0f94
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
        

      
        exception.instruction:
        mov eax, dword ptr [eax + 4]
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f6c73
        

      
    
  
    
      
        registers.esp:
        3073276
        

      
        registers.edi:
        3073668
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073284
        

      
        registers.edx:
        0
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        38512844
        

      
        registers.ecx:
        43894696
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f7ae2
0x43f78f1
0x43f23f5
0x43f10ac
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        39 09 ff 15 e0 83 2c 02 89 85 04 ff ff ff 8b 85
        

      
        exception.instruction:
        cmp dword ptr [ecx], ecx
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f3302
        

      
    
  
    
      
        registers.esp:
        3073040
        

      
        registers.edi:
        3073340
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073352
        

      
        registers.edx:
        36471236
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        38512844
        

      
        registers.ecx:
        0
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f6c30
0x43f7f4a
0x43f78f1
0x43f23f5
0x43f10ac
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
        

      
        exception.instruction:
        mov eax, dword ptr [eax + 4]
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f6c73
        

      
    
  
    
      
        registers.esp:
        3073328
        

      
        registers.edi:
        3073668
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073336
        

      
        registers.edx:
        0
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        38512844
        

      
        registers.ecx:
        39136888
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f7ae2
0x43f78f1
0x43f240d
0x43f10ac
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        39 09 ff 15 e0 83 2c 02 89 85 04 ff ff ff 8b 85
        

      
        exception.instruction:
        cmp dword ptr [ecx], ecx
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f3302
        

      
    
  
    
      
        registers.esp:
        3073040
        

      
        registers.edi:
        3073340
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073352
        

      
        registers.edx:
        36471236
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        38511668
        

      
        registers.ecx:
        0
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f6c30
0x43f7f4a
0x43f78f1
0x43f240d
0x43f10ac
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
        

      
        exception.instruction:
        mov eax, dword ptr [eax + 4]
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f6c73
        

      
    
  
    
      
        registers.esp:
        3073328
        

      
        registers.edi:
        3073668
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073336
        

      
        registers.edx:
        0
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        38511668
        

      
        registers.ecx:
        40627684
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f7ae2
0x43f78f1
0x43f240d
0x43f10ac
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        39 09 ff 15 e0 83 2c 02 89 85 04 ff ff ff 8b 85
        

      
        exception.instruction:
        cmp dword ptr [ecx], ecx
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f3302
        

      
    
  
    
      
        registers.esp:
        3073040
        

      
        registers.edi:
        3073340
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073352
        

      
        registers.edx:
        36471236
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        38511668
        

      
        registers.ecx:
        0
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f6c30
0x43f7f4a
0x43f78f1
0x43f240d
0x43f10ac
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
        

      
        exception.instruction:
        mov eax, dword ptr [eax + 4]
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f6c73
        

      
    
  
    
      
        registers.esp:
        3073328
        

      
        registers.edi:
        3073668
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073336
        

      
        registers.edx:
        0
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        38511668
        

      
        registers.ecx:
        42118192
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f83bc
0x43f81d9
0x43f23f5
0x43f11b2
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        39 09 ff 15 e0 83 2c 02 89 85 04 ff ff ff 8b 85
        

      
        exception.instruction:
        cmp dword ptr [ecx], ecx
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f3302
        

      
    
  
    
      
        registers.esp:
        3073072
        

      
        registers.edi:
        3073372
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073384
        

      
        registers.edx:
        36471236
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        38511668
        

      
        registers.ecx:
        0
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f6c30
0x43f877c
0x43f81d9
0x43f23f5
0x43f11b2
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
        

      
        exception.instruction:
        mov eax, dword ptr [eax + 4]
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f6c73
        

      
    
  
    
      
        registers.esp:
        3073360
        

      
        registers.edi:
        3073668
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073368
        

      
        registers.edx:
        0
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        38511668
        

      
        registers.ecx:
        43608836
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f83bc
0x43f81d9
0x43f240d
0x43f11b2
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        39 09 ff 15 e0 83 2c 02 89 85 04 ff ff ff 8b 85
        

      
        exception.instruction:
        cmp dword ptr [ecx], ecx
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f3302
        

      
    
  
    
      
        registers.esp:
        3073072
        

      
        registers.edi:
        3073372
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073384
        

      
        registers.edx:
        36471236
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        38511668
        

      
        registers.ecx:
        0
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f6c30
0x43f877c
0x43f81d9
0x43f240d
0x43f11b2
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
        

      
        exception.instruction:
        mov eax, dword ptr [eax + 4]
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f6c73
        

      
    
  
    
      
        registers.esp:
        3073360
        

      
        registers.edi:
        3073668
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073368
        

      
        registers.edx:
        0
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        38511668
        

      
        registers.ecx:
        38939820
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f83bc
0x43f81d9
0x43f240d
0x43f11b2
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        39 09 ff 15 e0 83 2c 02 89 85 04 ff ff ff 8b 85
        

      
        exception.instruction:
        cmp dword ptr [ecx], ecx
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f3302
        

      
    
  
    
      
        registers.esp:
        3073072
        

      
        registers.edi:
        3073372
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073384
        

      
        registers.edx:
        36471236
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        38511668
        

      
        registers.ecx:
        0
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f6c30
0x43f877c
0x43f81d9
0x43f240d
0x43f11b2
0x83f419
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
        

      
        exception.instruction:
        mov eax, dword ptr [eax + 4]
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f6c73
        

      
    
  
    
      
        registers.esp:
        3073360
        

      
        registers.edi:
        3073668
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3073368
        

      
        registers.edx:
        0
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        38511668
        

      
        registers.ecx:
        40354868
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
0x43f6c30
0x43f9b03
0x43f90ae
0x83f471
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3
        

      
        exception.instruction:
        mov eax, dword ptr [eax + 4]
        

      
        exception.exception_code:
        0xc0000005
        

      
        exception.symbol:
        
        

      
        exception.address:
        0x43f6c73
        

      
    
  
    
      
        registers.esp:
        3074180
        

      
        registers.edi:
        3074444
        

      
        registers.eax:
        0
        

      
        registers.ebp:
        3074188
        

      
        registers.edx:
        0
        

      
        registers.ebx:
        3076276
        

      
        registers.esi:
        40896552
        

      
        registers.ecx:
        40903528
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x722b1194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72182ba1
mscorlib+0x36dd51 @ 0x714add51
mscorlib+0x32fea6 @ 0x7146fea6
mscorlib+0x30ab40 @ 0x7144ab40
0x43f3f4d
0xad933e1
0xad92a74
0xad91d01
0x83d9ff
0x837c1d
0x8372d3
0x833c6b
0x8335d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

        
      
      
      

    
  
    
      
        exception.instruction_r:
        c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
        

      
        exception.symbol:
        RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
        

      
        exception.instruction:
        leave
        

      
        exception.module:
        KERNELBASE.dll
        

      
        exception.exception_code:
        0xe0434f4e
        

      
        exception.offset:
        46887
        

      
        exception.address:
        0x7597b727
        

      
    
  
    
      
        registers.esp:
        3073792
        

      
        registers.edi:
        0
        

      
        registers.eax:
        3073792
        

      
        registers.ebp:
        3073872
        

      
        registers.edx:
        0
        

      
        registers.ebx:
        5442464
        

      
        registers.esi:
        5306776
        

      
        registers.ecx:
        1162885695
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                            

                                

                                    

                                    
                                        

                                            Time & API
                                            Arguments
                                            Status
                                            Return
                                            Repeated
                                        

                                    

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755c1000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x7597d000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755c5000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755c4000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x7597d000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755c1000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x7597d000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755dc000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x7597b000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755c1000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x7597b000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x7585f000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x75868000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755c5000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755c5000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x7597b000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755dc000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755c5000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755c1000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x7597d000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755c4000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755c3000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x7597c000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755c3000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x7598b000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755c5000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x7598b000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755c1000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x75981000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755c1000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x7597d000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755c4000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x75981000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755dc000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x75981000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755c3000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x75981000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755c1000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x75981000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755e3000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755e8000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x7563e000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755e5000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755c4000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x75981000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755c4000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755c4000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x75981000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755c4000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtProtectVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      length:
      
        
          4096
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x755c1000
        
      
      
      

    
  
    
      process_handle:
      
        
          0xffffffff
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                            

                                

                                    file
                                    C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
                                    
                                


                            

                        

                            

                                

                                    file
                                    C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                    
                                


                            

                        

                            

                                

                                    file
                                    C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                                    
                                


                            

                        

                            

                                

                                    file
                                    C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                                    
                                


                            

                        

                            

                                

                                    file
                                    C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                    
                                


                            

                        

                            

                                

                                    file
                                    C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
                                    
                                


                            

                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                            

                                

                                    
                                        
                                    
                                        
                                            section
                                            {u'size_of_data': u'0x00054800', u'virtual_address': u'0x00002000', u'entropy': 7.938398947401008, u'name': u'        ', u'virtual_size': u'0x00066000'}
                                        
                                    
                                        
                                            entropy
                                            7.9383989474
                                        
                                    
                                        
                                            description
                                            A section with a high entropy has been found
                                        
                                    
                                


                            

                        

                            

                                

                                    
                                        
                                    
                                        
                                            section
                                            {u'size_of_data': u'0x0001b400', u'virtual_address': u'0x00068000', u'entropy': 7.950606174461829, u'name': u'        ', u'virtual_size': u'0x00025d9b'}
                                        
                                    
                                        
                                            entropy
                                            7.95060617446
                                        
                                    
                                        
                                            description
                                            A section with a high entropy has been found
                                        
                                    
                                


                            

                        

                            

                                

                                    
                                        
                                    
                                        
                                            section
                                            {u'size_of_data': u'0x001c1e00', u'virtual_address': u'0x003a6000', u'entropy': 7.946681224381276, u'name': u'.boot', u'virtual_size': u'0x001c1e00'}
                                        
                                    
                                        
                                            entropy
                                            7.94668122438
                                        
                                    
                                        
                                            description
                                            A section with a high entropy has been found
                                        
                                    
                                


                            

                        

                            

                                

                                    
                                        
                                    
                                        
                                            entropy
                                            0.936431846603
                                        
                                    
                                        
                                            description
                                            Overall entropy of this PE file is high
                                        
                                    
                                


                            

                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                            

                                

                                    

                                    
                                        

                                            Time & API
                                            Arguments
                                            Status
                                            Return
                                            Repeated
                                        

                                    

                                

                                

                                    

  
LookupPrivilegeValueW

  
  
    
      
    
  


  
    
      system_name:
      
        
          
        
      
      
      

    
  
    
      privilege_name:
      
        
          SeDebugPrivilege
        
      
      
      

    
  


    
        1
    

1

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
LookupPrivilegeValueW

  
  
    
      
    
  


  
    
      system_name:
      
        
          
        
      
      
      

    
  
    
      privilege_name:
      
        
          SeDebugPrivilege
        
      
      
      

    
  


    
        1
    

1

    
        0
    


                                


                            

                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                            

                                

                                    process
                                    system
                                    
                                


                            

                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                            

                                

                                    
                                        
                                    
                                        
                                            description
                                            (no description)
                                        
                                    
                                        
                                            rule
                                            DebuggerCheck__GlobalFlags
                                        
                                    
                                


                            

                        

                            

                                

                                    
                                        
                                    
                                        
                                            description
                                            (no description)
                                        
                                    
                                        
                                            rule
                                            DebuggerCheck__QueryInfo
                                        
                                    
                                


                            

                        

                            

                                

                                    
                                        
                                    
                                        
                                            description
                                            (no description)
                                        
                                    
                                        
                                            rule
                                            DebuggerHiding__Thread
                                        
                                    
                                


                            

                        

                            

                                

                                    
                                        
                                    
                                        
                                            description
                                            (no description)
                                        
                                    
                                        
                                            rule
                                            DebuggerHiding__Active
                                        
                                    
                                


                            

                        

                            

                                

                                    
                                        
                                    
                                        
                                            description
                                            (no description)
                                        
                                    
                                        
                                            rule
                                            ThreadControl__Context
                                        
                                    
                                


                            

                        

                            

                                

                                    
                                        
                                    
                                        
                                            description
                                            (no description)
                                        
                                    
                                        
                                            rule
                                            SEH__vectored
                                        
                                    
                                


                            

                        

                            

                                

                                    
                                        
                                    
                                        
                                            description
                                            Checks if being debugged
                                        
                                    
                                        
                                            rule
                                            anti_dbg
                                        
                                    
                                


                            

                        

                            

                                

                                    
                                        
                                    
                                        
                                            description
                                            Bypass DEP
                                        
                                    
                                        
                                            rule
                                            disable_dep
                                        
                                    
                                


                            

                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                            

                                

                                    

                                    
                                        

                                            Time & API
                                            Arguments
                                            Status
                                            Return
                                            Repeated
                                        

                                    

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
        
      
      
      

    
  
    
      base_handle:
      
        
          0x80000002
        
      
      
      

    
  
    
      key_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          AddressBook
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          Connection Manager
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          DirectDrawEx
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          EditPlus
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          ENTERPRISE
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          Fontcore
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          Google Chrome
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          Haansoft HWord 80 Korean
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          IE40
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          IE4Data
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          IE5BAKEX
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          IEData
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          MobileOptionPack
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          SchedulingAgent
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          WIC
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          {01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          {1D91F7DA-F517-4727-9E62-B7EA978BE980}
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          {60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          {90120000-0015-0412-0000-0000000FF1CE}
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          {90120000-0016-0412-0000-0000000FF1CE}
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          {90120000-0018-0412-0000-0000000FF1CE}
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          {90120000-0019-0412-0000-0000000FF1CE}
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          {90120000-001A-0412-0000-0000000FF1CE}
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          {90120000-001B-0412-0000-0000000FF1CE}
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          {90120000-001F-0409-0000-0000000FF1CE}
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          {90120000-001F-0412-0000-0000000FF1CE}
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          {90120000-0028-0412-0000-0000000FF1CE}
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          {90120000-002C-0412-0000-0000000FF1CE}
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          {90120000-0030-0000-0000-0000000FF1CE}
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          {90120000-0044-0412-0000-0000000FF1CE}
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          {90120000-006E-0409-0000-0000000FF1CE}
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          {90120000-006E-0412-0000-0000000FF1CE}
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          {90120000-00A1-0412-0000-0000000FF1CE}
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          {90120000-00BA-0409-0000-0000000FF1CE}
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          {90120000-0114-0412-0000-0000000FF1CE}
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          {939659F3-71D2-461F-B24D-91D05A4389B4}
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          {9B84A461-3B4C-40E2-B44F-CE22E215EE40}
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegOpenKeyExW

  
  
    
      
    
  


  
    
      regkey_r:
      
        
          {d992c12e-cab2-426f-bde3-fb8c53950b0d}
        
      
      
      

    
  
    
      base_handle:
      
        
          0x000002dc
        
      
      
      

    
  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      options:
      
        
          0
        
      
      
      

    
  
    
      access:
      
        
          0x00020019
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                            

                                

                                    wmi
                                    SELECT * FROM Win32_Processor
                                    
                                


                            

                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                            

                                

                                    buffer
                                    Buffer with sha1: 8a7a16e1bb29ef6a29ec7e71bdc776d6bdfda170
                                    
                                


                            

                        

                            

                                

                                    buffer
                                    Buffer with sha1: 89a2630fc0c5a873e193832c3515adcf0311e946
                                    
                                


                            

                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                            

                                

                                    

                                    
                                        

                                            Time & API
                                            Arguments
                                            Status
                                            Return
                                            Repeated
                                        

                                    

                                

                                

                                    

  
NtAllocateVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  
    
      region_size:
      
        
          196608
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x00400000
        
      
      
      

    
  
    
      allocation_type:
      
        
          12288
        
      
      
        (MEM_COMMIT|MEM_RESERVE)
      
      

    
  
    
      process_handle:
      
        
          0x00000240
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                            

                                

                                    

                                    
                                        

                                            Time & API
                                            Arguments
                                            Status
                                            Return
                                            Repeated
                                        

                                    

                                

                                

                                    

  
FindWindowA

  
  
    
      
    
  


  
    
      class_name:
      
        
          OLLYDBG
        
      
      
      

    
  
    
      window_name:
      
        
          
        
      
      
      

    
  


    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
FindWindowA

  
  
    
      
    
  


  
    
      class_name:
      
        
          GBDYLLO
        
      
      
      

    
  
    
      window_name:
      
        
          
        
      
      
      

    
  


    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
FindWindowA

  
  
    
      
    
  


  
    
      class_name:
      
        
          pediy06
        
      
      
      

    
  
    
      window_name:
      
        
          
        
      
      
      

    
  


    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
FindWindowA

  
  
    
      
    
  


  
    
      class_name:
      
        
          RegmonClass
        
      
      
      

    
  
    
      window_name:
      
        
          
        
      
      
      

    
  


    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
FindWindowA

  
  
    
      
    
  


  
    
      class_name:
      
        
          RegmonClass
        
      
      
      

    
  
    
      window_name:
      
        
          
        
      
      
      

    
  


    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
FindWindowA

  
  
    
      
    
  


  
    
      class_name:
      
        
          Registry Monitor - Sysinternals: www.sysinternals.com
        
      
      
      

    
  
    
      window_name:
      
        
          
        
      
      
      

    
  


    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
FindWindowA

  
  
    
      
    
  


  
    
      class_name:
      
        
          18467-41
        
      
      
      

    
  
    
      window_name:
      
        
          
        
      
      
      

    
  


    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
FindWindowA

  
  
    
      
    
  


  
    
      class_name:
      
        
          FilemonClass
        
      
      
      

    
  
    
      window_name:
      
        
          
        
      
      
      

    
  


    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
FindWindowA

  
  
    
      
    
  


  
    
      class_name:
      
        
          FilemonClass
        
      
      
      

    
  
    
      window_name:
      
        
          
        
      
      
      

    
  


    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
FindWindowA

  
  
    
      
    
  


  
    
      class_name:
      
        
          #0
        
      
      
      

    
  
    
      window_name:
      
        
          File Monitor - Sysinternals: www.sysinternals.com
        
      
      
      

    
  


    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
FindWindowA

  
  
    
      
    
  


  
    
      class_name:
      
        
          PROCMON_WINDOW_CLASS
        
      
      
      

    
  
    
      window_name:
      
        
          
        
      
      
      

    
  


    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
FindWindowA

  
  
    
      
    
  


  
    
      class_name:
      
        
          #0
        
      
      
      

    
  
    
      window_name:
      
        
          Process Monitor - Sysinternals: www.sysinternals.com
        
      
      
      

    
  


    

0

    
        0
    


                                


                            

                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                            

                                

                                    registry
                                    HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
                                    
                                


                            

                        

                            

                                

                                    registry
                                    HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
                                    
                                


                            

                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                            

                                

                                    file
                                    C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
                                    
                                


                            

                        

                            

                                

                                    file
                                    C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
                                    
                                


                            

                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                            

                                

                                    wmi
                                    SELECT * FROM AntivirusProduct
                                    
                                


                            

                        

                            

                                

                                    wmi
                                    SELECT * FROM Win32_VideoController
                                    
                                


                            

                        

                            

                                

                                    wmi
                                    SELECT * FROM Win32_OperatingSystem
                                    
                                


                            

                        

                            

                                

                                    wmi
                                    SELECT * FROM Win32_Process Where SessionId='1'
                                    
                                


                            

                        

                            

                                

                                    wmi
                                    SELECT * FROM AntiSpyWareProduct
                                    
                                


                            

                        

                            

                                

                                    wmi
                                    SELECT * FROM FirewallProduct
                                    
                                


                            

                        

                            

                                

                                    wmi
                                    SELECT * FROM Win32_DiskDrive
                                    
                                


                            

                        

                            

                                

                                    wmi
                                    SELECT * FROM Win32_Processor
                                    
                                


                            

                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                            

                                

                                    

                                    
                                        

                                            Time & API
                                            Arguments
                                            Status
                                            Return
                                            Repeated
                                        

                                    

                                

                                

                                    

  
WriteProcessMemory

  
  
    
      
    
  


  
    
      buffer:
      
        
          MZÿÿ¸@€º´	Í!¸LÍ!This program cannot be run in DOS mode.

$PELKÄÿšà0ž>1 @@ @…ð0K@N›à  H.textD  `.rsrcN›@œ@@.relocà°@B
        
      
      
      

    
  
    
      base_address:
      
        
          0x00400000
        
      
      
      

    
  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  
    
      process_handle:
      
        
          0x00000240
        
      
      
      

    
  


    
        1
    

1

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
WriteProcessMemory

  
  
    
      
    
  


  
    
      buffer:
      
        
          0@1
        
      
      
      

    
  
    
      base_address:
      
        
          0x0042e000
        
      
      
      

    
  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  
    
      process_handle:
      
        
          0x00000240
        
      
      
      

    
  


    
        1
    

1

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
WriteProcessMemory

  
  
    
      
    
  


  
    
      buffer:
      
        
          @
        
      
      
      

    
  
    
      base_address:
      
        
          0xfffde008
        
      
      
      

    
  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  
    
      process_handle:
      
        
          0x00000240
        
      
      
      

    
  


    
        1
    

1

    
        0
    


                                


                            

                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                            

                                

                                    

                                    
                                        

                                            Time & API
                                            Arguments
                                            Status
                                            Return
                                            Repeated
                                        

                                    

                                

                                

                                    

  
WriteProcessMemory

  
  
    
      
    
  


  
    
      buffer:
      
        
          MZÿÿ¸@€º´	Í!¸LÍ!This program cannot be run in DOS mode.

$PELKÄÿšà0ž>1 @@ @…ð0K@N›à  H.textD  `.rsrcN›@œ@@.relocà°@B
        
      
      
      

    
  
    
      base_address:
      
        
          0x00400000
        
      
      
      

    
  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  
    
      process_handle:
      
        
          0x00000240
        
      
      
      

    
  


    
        1
    

1

    
        0
    


                                


                            

                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                            

                                

                                    

                                    
                                        

                                            Time & API
                                            Arguments
                                            Status
                                            Return
                                            Repeated
                                        

                                    

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          EditPlus
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          Microsoft Office Enterprise 2007
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          Chrome
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          한컴오피스 한글 2010
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          HttpWatch Professional 9.3.39
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          한컴오피스 한글 2010
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          Google Update Helper
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          Microsoft Office Access MUI (Korean) 2007
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          Microsoft Office Excel MUI (Korean) 2007
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          Microsoft Office PowerPoint MUI (Korean) 2007
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          Microsoft Office Publisher MUI (Korean) 2007
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          Microsoft Office Outlook MUI (Korean) 2007
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          Microsoft Office Word MUI (Korean) 2007
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          Microsoft Office Proof (English) 2007
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          Microsoft Office Proof (Korean) 2007
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          Microsoft Office IME (Korean) 2007
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          Microsoft Office Proofing (Korean) 2007
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          Microsoft Office Enterprise 2007
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          Microsoft Office InfoPath MUI (Korean) 2007
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          Microsoft Office Shared MUI (English) 2007
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          Microsoft Office Shared MUI (Korean) 2007
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          Microsoft Office OneNote MUI (Korean) 2007
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          Microsoft Office Groove MUI (English) 2007
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          Microsoft Office Groove Setup Metadata MUI (Korean) 2007
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          Adobe Flash Player 13 ActiveX
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          Adobe Flash Player 13 NPAPI
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
RegQueryValueExW

  
  
    
      
    
  


  
    
      key_handle:
      
        
          0x0000027c
        
      
      
      

    
  
    
      regkey_r:
      
        
          DisplayName
        
      
      
      

    
  
    
      reg_type:
      
        
          1
        
      
      
        (REG_SZ)
      
      

    
  
    
      value:
      
        
          Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215
        
      
      
      

    
  
    
      regkey:
      
        
          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                            

                                

                                    Process injection
                                    Process 2556 called NtSetContextThread to modify thread in remote process 2708
                                    
                                


                            

                        

                            

                                

                                    

                                    
                                        

                                            Time & API
                                            Arguments
                                            Status
                                            Return
                                            Repeated
                                        

                                    

                                

                                

                                    

  
NtSetContextThread

  
  
    
      
    
  


  
    
      
        registers.eip:
        0
        

      
        registers.esp:
        0
        

      
        registers.edi:
        0
        

      
        registers.eax:
        4337982
        

      
        registers.ebp:
        0
        

      
        registers.edx:
        0
        

      
        registers.ebx:
        -139264
        

      
        registers.esi:
        0
        

      
        registers.ecx:
        0
        

      
    
  
    
      thread_handle:
      
        
          0x0000023c
        
      
      
      

    
  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                            

                                

                                    Process injection
                                    Process 2556 resumed a thread in remote process 2708
                                    
                                


                            

                        

                            

                                

                                    

                                    
                                        

                                            Time & API
                                            Arguments
                                            Status
                                            Return
                                            Repeated
                                        

                                    

                                

                                

                                    

  
NtResumeThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0x0000023c
        
      
      
      

    
  
    
      suspend_count:
      
        
          1
        
      
      
      

    
  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                            

                                

                                    

                                    
                                        

                                            Time & API
                                            Arguments
                                            Status
                                            Return
                                            Repeated
                                        

                                    

                                

                                

                                    

  
NtQuerySystemInformation

  
  
    
      
    
  


  
    
      information_class:
      
        
          76
        
      
      
        (SystemFirmwareTableInformation)
      
      

    
  


    

3221225507

    
        0
    


                                


                            

                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                            

                                

                                    

                                    
                                        

                                            Time & API
                                            Arguments
                                            Status
                                            Return
                                            Repeated
                                        

                                    

                                

                                

                                    

  
__exception__

  
  
    
      
    
  


  
    
      stacktrace:
      
        
          

        
      
      
      

    
  
    
      
        exception.instruction_r:
        ed e9 23 1a 08 00 c3 e9 43 f5 06 00 00 00 3a 00
        

      
        exception.symbol:
        updedge+0x2a5187
        

      
        exception.instruction:
        in eax, dx
        

      
        exception.module:
        updEdge.exe
        

      
        exception.exception_code:
        0xc0000096
        

      
        exception.offset:
        2773383
        

      
        exception.address:
        0xe95187
        

      
    
  
    
      
        registers.esp:
        2029456
        

      
        registers.edi:
        14276937
        

      
        registers.eax:
        1447909480
        

      
        registers.ebp:
        13271040
        

      
        registers.edx:
        22104
        

      
        registers.ebx:
        2256917605
        

      
        registers.esi:
        13412047
        

      
        registers.ecx:
        10
        

      
    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                            

                                

                                    Bkav
                                    W32.AIDetectMalware
                                    
                                


                            

                        

                            

                                

                                    Lionic
                                    Trojan.Win32.Convagent.trYj
                                    
                                


                            

                        

                            

                                

                                    tehtris
                                    Generic.Malware
                                    
                                


                            

                        

                            

                                

                                    Cynet
                                    Malicious (score: 100)
                                    
                                


                            

                        

                            

                                

                                    Sangfor
                                    Trojan.Win32.Save.a
                                    
                                


                            

                        

                            

                                

                                    Cybereason
                                    malicious.1433cf
                                    
                                


                            

                        

                            

                                

                                    BitDefenderTheta
                                    Gen:NN.ZexaE.36302.wE1@aGQCjxki
                                    
                                


                            

                        

                            

                                

                                    Symantec
                                    ML.Attribute.HighConfidence
                                    
                                


                            

                        

                            

                                

                                    Elastic
                                    malicious (high confidence)
                                    
                                


                            

                        

                            

                                

                                    APEX
                                    Malicious
                                    
                                


                            

                        

                            

                                

                                    Kaspersky
                                    UDS:Trojan-Spy.Win32.Stealer
                                    
                                


                            

                        

                            

                                

                                    Avast
                                    PWSX-gen [Trj]
                                    
                                


                            

                        

                            

                                

                                    McAfee-GW-Edition
                                    Artemis!Trojan
                                    
                                


                            

                        

                            

                                

                                    Trapmine
                                    malicious.moderate.ml.score
                                    
                                


                            

                        

                            

                                

                                    FireEye
                                    Generic.mg.3c55617e6b693303
                                    
                                


                            

                        

                            

                                

                                    Sophos
                                    ML/PE-A
                                    
                                


                            

                        

                            

                                

                                    SentinelOne
                                    Static AI - Suspicious PE
                                    
                                


                            

                        

                            

                                

                                    ZoneAlarm
                                    UDS:Trojan-Spy.Win32.Stealer
                                    
                                


                            

                        

                            

                                

                                    Microsoft
                                    Trojan:MSIL/RedLine.MD!MTB
                                    
                                


                            

                        

                            

                                

                                    AhnLab-V3
                                    Trojan/Win.Generic.R471305
                                    
                                


                            

                        

                            

                                

                                    Acronis
                                    suspicious
                                    
                                


                            

                        

                            

                                

                                    McAfee
                                    Artemis!3C55617E6B69
                                    
                                


                            

                        

                            

                                

                                    VBA32
                                    BScope.TrojanPSW.Agent
                                    
                                


                            

                        

                            

                                

                                    Panda
                                    Trj/Genetic.gen
                                    
                                


                            

                        

                            

                                

                                    Rising
                                    Trojan.Generic@AI.100 (RDML:dYp6HmGLgvDknafx+J0qwQ)
                                    
                                


                            

                        

                            

                                

                                    MaxSecure
                                    Trojan.Malware.300983.susgen
                                    
                                


                            

                        

                            

                                

                                    AVG
                                    PWSX-gen [Trj]
                                    
                                


                            

                        

                            

                                

                                    DeepInstinct
                                    MALICIOUS
                                    
                                


                            

                        

                            

                                

                                    CrowdStrike
                                    win/malicious_confidence_100% (W)
                                    
                                


                            

                        

                    


                    

                

            
            
        
            


                

                
                

                    

                    

                        
                        

                            

                                

                                    

                                    
                                        

                                            Time & API
                                            Arguments
                                            Status
                                            Return
                                            Repeated
                                        

                                    

                                

                                

                                    

  
NtGetContextThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0xfffffffe
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtResumeThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0x000000f8
        
      
      
      

    
  
    
      suspend_count:
      
        
          1
        
      
      
      

    
  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtResumeThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0x0000016c
        
      
      
      

    
  
    
      suspend_count:
      
        
          1
        
      
      
      

    
  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtResumeThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0x000001a8
        
      
      
      

    
  
    
      suspend_count:
      
        
          1
        
      
      
      

    
  
    
      process_identifier:
      
        
          2556
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
CreateProcessInternalW

  
  
    
      
    
  


  
    
      thread_identifier:
      
        
          2712
        
      
      
      

    
  
    
      thread_handle:
      
        
          0x0000023c
        
      
      
      

    
  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  
    
      current_directory:
      
        
          
        
      
      
      

    
  
    
      filepath:
      
        
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
      
      
      

    
  
    
      track:
      
        
          1
        
      
      
      

    
  
    
      command_line:
      
        
          
        
      
      
      

    
  
    
      filepath_r:
      
        
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      creation_flags:
      
        
          134217732
        
      
      
        (CREATE_NO_WINDOW|CREATE_SUSPENDED)
      
      

    
  
    
      inherit_handles:
      
        
          0
        
      
      
      

    
  
    
      process_handle:
      
        
          0x00000240
        
      
      
      

    
  


    
        1
    

1

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtGetContextThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0x0000023c
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtAllocateVirtualMemory

  
  
    
      
    
  


  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  
    
      region_size:
      
        
          196608
        
      
      
      

    
  
    
      stack_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      stack_pivoted:
      
        
          0
        
      
      
      

    
  
    
      heap_dep_bypass:
      
        
          0
        
      
      
      

    
  
    
      protection:
      
        
          64
        
      
      
        (PAGE_EXECUTE_READWRITE)
      
      

    
  
    
      base_address:
      
        
          0x00400000
        
      
      
      

    
  
    
      allocation_type:
      
        
          12288
        
      
      
        (MEM_COMMIT|MEM_RESERVE)
      
      

    
  
    
      process_handle:
      
        
          0x00000240
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
WriteProcessMemory

  
  
    
      
    
  


  
    
      buffer:
      
        
          MZÿÿ¸@€º´	Í!¸LÍ!This program cannot be run in DOS mode.

$PELKÄÿšà0ž>1 @@ @…ð0K@N›à  H.textD  `.rsrcN›@œ@@.relocà°@B
        
      
      
      

    
  
    
      base_address:
      
        
          0x00400000
        
      
      
      

    
  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  
    
      process_handle:
      
        
          0x00000240
        
      
      
      

    
  


    
        1
    

1

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
WriteProcessMemory

  
  
    
      
    
  


  
    
      buffer:
      
        
          
        
      
      
      

    
  
    
      base_address:
      
        
          0x00402000
        
      
      
      

    
  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  
    
      process_handle:
      
        
          0x00000240
        
      
      
      

    
  


    
        1
    

1

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
WriteProcessMemory

  
  
    
      
    
  


  
    
      buffer:
      
        
          
        
      
      
      

    
  
    
      base_address:
      
        
          0x00424000
        
      
      
      

    
  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  
    
      process_handle:
      
        
          0x00000240
        
      
      
      

    
  


    
        1
    

1

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
WriteProcessMemory

  
  
    
      
    
  


  
    
      buffer:
      
        
          0@1
        
      
      
      

    
  
    
      base_address:
      
        
          0x0042e000
        
      
      
      

    
  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  
    
      process_handle:
      
        
          0x00000240
        
      
      
      

    
  


    
        1
    

1

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
WriteProcessMemory

  
  
    
      
    
  


  
    
      buffer:
      
        
          @
        
      
      
      

    
  
    
      base_address:
      
        
          0xfffde008
        
      
      
      

    
  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  
    
      process_handle:
      
        
          0x00000240
        
      
      
      

    
  


    
        1
    

1

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtSetContextThread

  
  
    
      
    
  


  
    
      
        registers.eip:
        0
        

      
        registers.esp:
        0
        

      
        registers.edi:
        0
        

      
        registers.eax:
        4337982
        

      
        registers.ebp:
        0
        

      
        registers.edx:
        0
        

      
        registers.ebx:
        -139264
        

      
        registers.esi:
        0
        

      
        registers.ecx:
        0
        

      
    
  
    
      thread_handle:
      
        
          0x0000023c
        
      
      
      

    
  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtResumeThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0x0000023c
        
      
      
      

    
  
    
      suspend_count:
      
        
          1
        
      
      
      

    
  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtResumeThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0x00000144
        
      
      
      

    
  
    
      suspend_count:
      
        
          1
        
      
      
      

    
  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtResumeThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0x000001bc
        
      
      
      

    
  
    
      suspend_count:
      
        
          1
        
      
      
      

    
  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtResumeThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0x00000204
        
      
      
      

    
  
    
      suspend_count:
      
        
          1
        
      
      
      

    
  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtResumeThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0x00000230
        
      
      
      

    
  
    
      suspend_count:
      
        
          1
        
      
      
      

    
  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtGetContextThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0x0000014c
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtGetContextThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0x0000014c
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtResumeThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0x0000014c
        
      
      
      

    
  
    
      suspend_count:
      
        
          1
        
      
      
      

    
  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtGetContextThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0x0000014c
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtGetContextThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0x0000014c
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtResumeThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0x0000014c
        
      
      
      

    
  
    
      suspend_count:
      
        
          1
        
      
      
      

    
  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtGetContextThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0x0000014c
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtGetContextThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0x0000014c
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtGetContextThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0x0000014c
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtSetContextThread

  
  
    
      
    
  


  
    
      
        registers.eip:
        1914186628
        

      
        registers.esp:
        3074000
        

      
        registers.edi:
        70791168
        

      
        registers.eax:
        37290496
        

      
        registers.ebp:
        3074040
        

      
        registers.edx:
        254
        

      
        registers.ebx:
        0
        

      
        registers.esi:
        1102
        

      
        registers.ecx:
        38512980
        

      
    
  
    
      thread_handle:
      
        
          0x0000014c
        
      
      
      

    
  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtResumeThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0x0000014c
        
      
      
      

    
  
    
      suspend_count:
      
        
          1
        
      
      
      

    
  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtGetContextThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0x0000014c
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtGetContextThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0x0000014c
        
      
      
      

    
  


    
        1
    

0

    
        0
    


                                


                            

                        

                            

                                

                                

                                    

  
NtResumeThread

  
  
    
      
    
  


  
    
      thread_handle:
      
        
          0x0000014c
        
      
      
      

    
  
    
      suspend_count:
      
        
          1
        
      
      
      

    
  
    
      process_identifier:
      
        
          2708
        
      
      
      

    
  


    
        1
    

0

    
        0